#1 Trusted Cybersecurity News Platform Followed by 3.45+ million
The Hacker News Logo
Subscribe to Newsletter
CrowdSec

Server Securiy | Breaking Cybersecurity News | The Hacker News

Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

May 31, 2023 Server Security / Cryptocurrency
A financially motivated threat actor is actively scouring the internet for unprotected  Apache NiFi instances  to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for "/nifi" on May 19, 2023. "Persistence is achieved via timed processors or entries to cron,"  said  Dr. Johannes Ullrich, dean of research for SANS Technology Institute. "The attack script is not saved to the system. The attack scripts are kept in memory only." A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server. It's worth pointing out that  Kinsing  has a  track record  of  leveraging  publicly disclosed vulnerabilities in publicly accessible web applicati
New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

Mar 02, 2023 Data Security / Cryptojacking
Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack. "Underpinning this campaign was the use of transfer[.]sh," Cado Security  said  in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com)." The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads. The attack chain commences with targeting insecure Redis deployments, followed by registering a  cron job  that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh. It's worth noting that  similar   attack mechanisms  have been employed by other threat actors like TeamTNT and
cyber security

external linkSay Goodbye to SaaS Blind Spots: Wing Security Unveils Free Discovery Tool

websitewww.wing.securitySaaS Security / Attack Surface
Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.
New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites

Jun 09, 2021
Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information. The attacks have been dubbed  ALPACA , short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University. "Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session," the study said. "This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer." TLS  is a cryptographic protocol underpinning several application layer protocols like HTTPS, SMTP, IMAP, POP3, and FTP to secure com
Cybersecurity Resources