Help us figure this out: Scans for Apache "Nifi", (Tue, May 23rd)

This post was originally published on this site

Please let me know if you have any idea what they are trying to do here 🙂

I noticed today that our honeypots detected a few scans for Apache "Nifi." Nifi is a Java-based system that allows for the routing of data. It will enable you to select data from a source (let's say from a CSV file) and output it to a database. Numerous sources and destinations are supported. Dataflows are created via a web-based GUI. One critical use case of Apache Nifi is to prepare and import data into machine learning systems.

Today, I noticed a spike in requests for the URL "/nifi", the default URL used for the NiFi GUI.

Almost all the reports come from the same user-agent and IP address:

User-Agent: Go-http-client/1.1
Source IP: %%ip:

The source IP, located in the Ukraine, has a history of scanning for various vulnerabilities, but nothing I would assign to a particular bot. Just "random" URLs like:

  • /boaform/admin/formLogin

There are a couple other IPs and User-Agents used to scan for Nifi:

%%ip: – Claiming to use headless chrome on Linux and Chrome on Windows. Reasonably recent versions so they may be real user agents.
%%ip: – Claiming to use Chrome, but ancient versions so I assume these user agents are fake

Both of these IPs are part of Qwest/CenturyLink/Lumen. at least used to be part of Paloalto.

But the real question: What are they looking for? Trying to steal data from badly secured NiFi installs? Poisoning ML data? cryptomining… ? There isn't a vulnerability that I would consider, other than bad configurations with no/weak/default passwords.

Let me know if you use NiFi, and if you have an idea what they may be looking for.



Johannes B. Ullrich, Ph.D. , Dean of Research,

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.