Hello and welcome to the Wednesday, May 24, 2023 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I noticed some interesting scans on our honeypots and really don't quite have a great idea of what they're

after other than it looks like they're going after Apache Niphi. Now Apache Nify is not an

application. It's necessarily of a household name, but it is quite popular. It's one of those

big Java applications and the main purpose of it is quite popular. It's one of those big Java applications, and the main purpose

of it is to route data. So let's say you have a JSON file, but you need to insert that into

MongoDB database. Well, that's what NIFI can do for you. It can sort of transform data

from one format to another

interact with different file and database types like this. It's quite popular in the sort of

machine learning space where often you have these large data sets that you sort of have to

reshape in order to use it for your machine learning. All I see at this point is that

over the last couple days, we had one IP address in particular that appears to scan for NIFI servers.

There are a couple other IP addresses that hit the same URL slash NIFI, but with different user agents almost looks to me a

little bit like they may be sort of following up on the initial scans.

If the first scan finds something, maybe these other scans are then trying to sort of confirm

that NIFI is running. Best I can think of is that they may be looking for unprotected

NYFI instances. It could certainly be an issue. If you have any insight, let me know.

There was one comment so far, noting that they also are seeing some of these scans against

the Port 8080 in particular.

I didn't see any sort of noteworthy warnability in NIFI recently that could prompt something

like this.

So if you use NIFI, it would also be interesting to know what kind of abuse scenarios

...