Hello and welcome to the Thursday, June 1st, 2023 edition of the Sands and Stormsenders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Last week I talked about how we saw some scans for Apache NIFI.

Apache NIFI is described as a data orchestration suite.

It's a pretty nifty software.

It provides web-based interface and allows you then to read data from, let's say, S3 buckets,

Kafka from other files and such, then process

the data, which typically means filter it or converting it to a different format, like from

JSON to XML or CSV and the like, and then save it back into, let's say, a database.

So this is a feature that's often used as part of sort of a data ops pipeline,

like if you have to manipulate business data, if you have to prepare data for machine learning.

That's of a typical use case for it.

But it's also being scanned for, and we talked about it last week that we saw some scans for it.

Well, we now set up actually a full NIFI install and exposed it to some of these scans

by configuring some of our honeypots to basically just proxy these requests.

So the attacker saw an actual NIFI instance.

What we saw were two kinds of attacks. First of all, crypto coin miners. There always has to be

a crypto coin miner. And the second attack, a little bit more nefarious in my opinion and that was lateral movement

where the ad hacker was collecting SSH keys from the system then figuring out what kind of

as H connections were implemented in the past are currently been implemented for example

looking at bash history looking at as H configuration files and then basically just trying out different keys and seeing what works.

This is not due to a vulnerability in NIFI. It's really just a bad configuration choice.

...