Please let me know if you have any idea what they are trying to do here 🙂
I noticed today that our honeypots detected a few scans for Apache “Nifi.” Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let’s say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.
Today, I noticed a spike in requests for the URL “/nifi”, the default URL used for the NiFi GUI.
Almost all the reports come from the same user-agent and IP address:
Source IP: %%ip:220.127.116.11%%
The source IP, located in the Ukraine, has a history of scanning for various vulnerabilities, but nothing I would assign to a particular bot. Just “random” URLs like:
There are a couple other IPs and User-Agents used to scan for Nifi:
%%ip:18.104.22.168%% – Claiming to use headless chrome on Linux and Chrome on Windows. Reasonably recent versions so they may be real user agents.
%%ip:22.214.171.124%% – Claiming to use Chrome, but ancient versions so I assume these user agents are fake
Both of these IPs are part of Qwest/CenturyLink/Lumen. 126.96.36.199 at least used to be part of Paloalto.
But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining… ? There isn’t a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.
Let me know if you use NiFi, and if you have an idea what they may be looking for.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.