A financially motivated threat actor is actively scouring the internet for unprotectedApache NiFi instancesto covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for /nifi on May 19, 2023. Persistence is achieved via timed processors or entries to cron,saidDr.