Hackers hunting for exposed Apache NiFi, warns SANS Institute

Threat actors are scouring the internet for unprotected instances of Apache NiFi, to steal  server credentials and install cryptominers, warns the SANS Institute.

“An attacker for such a misconfigured system can access all the data processed by NiFi and read/modify/delete the NiFi configuration,” Johannes Ullrich, the cyber training organization’s director of research, said today in a blog.

To protect IT infrastructure, he bluntly said, “RTFM,” which is short for “read the f***ing manual.”

“The NiFi documentation clearly describes the simple process of setting a password,” he said. “NiFi should probably not be exposed to the internet.”

NiFi, a Java program that runs within a Java virtual machine on a server, is often used to manipulate data in enterprises. It can read data from various sources and write to destinations like cloud storage, databases, etc. Recently, NiFi has become popular for preparing data for machine learning.

The warning comes after the institute’s distributed sensor network detected a notable spike in requests for “/nifi” on May 19. To investigate further, Ullrich said in an email to IT World Canada, researchers instructed a subset of SANS internet sensors to forward requests to an actual Apache NiFi instance in its honeypot. The honeypot used a current version of Nifi in its default configuration. “It took only a couple of hours for the honeypot to be completely compromised,” said Ullrich.

Attackers used a feature called “Processors.” Processors in NiFi are scripts that a user may upload to modify data, and are a straightforward method to execute arbitrary code on a server. Without authentication, an attacker needs to upload the code, and the server will run it on a schedule provided by the attacker.

The institute saw two main types of attack:
Cryptominers: The attacker installed a cryptominer. NiFi servers are likely attractive targets, as they are configured with larger CPUs to support data transformation tasks;
Lateral Movements: The same attacker attempted to harvest data from exposed servers and used it to attack other servers that have a trust relationship with the victim. This could be used to attack other servers within the same organization.

One actor stood out by sourcing most of the attacks. The IP address the attacks originated from is in Hong Kong, but most of their attack infrastructure is located in Russia.

Organizations should refrain from exposing NiFi to the internet and follow NiFi’s documentation to secure the instance correctly, said Ullrich. “We found several open, unsecured instances. Many of them are hosted with cloud providers like, for example, Azure.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs


CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.