
The n8n n8mare: How threat actors are misusing AI workflow automation

Cisco Talos Intelligence, 15/04/2026, 10:00

Summary

AI-Generated

Key Points:

  • Threat actors are abusing webhooks on the n8n workflow automation platform (a legitimate SaaS service, not a vulnerability in it): phishing emails carry webhook URLs on n8n's cloud domain, and the webhook responds by delivering malware or fingerprinting the visiting device.
  • Because the links point at a trusted, widely used domain, they pass reputation-based email and web filtering more easily, so more phishing messages reach users; when the payload runs, the attacker gains remote access to the victim's system.
  • Recommended actions include behavioral detection of unusual traffic to workflow-automation webhook endpoints (rather than blocking the domain outright), sharing IOCs for the malicious webhook URLs, and email security that inspects link destinations instead of relying on domain reputation alone.

Technical Details: Because the webhook URLs sit on n8n's own cloud domain, the attacker's content appears to be served from legitimate infrastructure. In the observed emails, the webhooks led to executable files that installed modified builds of the Datto and ITarian remote monitoring and management (RMM) tools, giving the actor persistent remote access through legitimate software repurposed as a backdoor.

MITRE ATT&CK Techniques:

  • T1566 - Phishing (Initial Access)
  • T1203 - Exploitation for Client Execution (Execution)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1219 - Remote Access Software (Command and Control), for the repurposed Datto and ITarian RMM tools
  • T1005 - Data from Local System (Collection)

IOCs Mentioned:

  • 93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a
  • 7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0
  • hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive
  • hxxps[://]majormetalcsorp[.]com/Openfolder
  • hxxps[://]pagepoinnc[.]app[.]n8n[.]cloud/webhook/downloading-1a92cb4f-cff3-449
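As an added example (not code from the Talos article or from this site) of the two recommendations above, the script below refangs the published URL IOCs, checks observed SHA-256 values against the hash IOCs, and applies a structural rule that flags any n8n Cloud webhook endpoint (`*.app.n8n.cloud/webhook/` or `/webhook-test/`) seen in proxy logs, so that new tenant subdomains are caught without a per-URL signature. The truncated n8n URL on the page is deliberately not used for exact matching. The log lines and the `ops-team-1234` subdomain are constructed for the example and appear nowhere in the article.

```python
"""Refang defanged IOCs and flag n8n webhook URLs in constructed proxy logs."""
import re
from urllib.parse import urlsplit

# URL IOCs exactly as published (defanged). The n8n webhook IOC is truncated on
# the page, so it is left out of exact matching; the structural rule covers it.
DEFANGED_IOC_URLS = [
    "hxxps[://]onedrivedownload[.]zoholandingpage[.]com/my-workspace/DownloadedOneDrive",
    "hxxps[://]majormetalcsorp[.]com/Openfolder",
]
# SHA-256 IOCs as published.
IOC_SHA256 = {
    "93a09e54e607930dfc068fcbc7ea2c2ea776c504aa20a8ca12100a28cfdcc75a",
    "7f30259d72eb7432b2454c07be83365ecfa835188185b35b30d11654aadf86a0",
}


def refang(ioc: str) -> str:
    """Undo the usual defanging: hxxp(s) -> http(s), [://] -> ://, [.] -> ."""
    return (ioc.replace("hxxps", "https").replace("hxxp", "http")
               .replace("[://]", "://").replace("[.]", ".").replace("[:]", ":"))


def normalize(url: str):
    """Comparison key for exact IOC matching: (scheme, host, path sans trailing '/')."""
    p = urlsplit(url.strip())
    if not p.hostname:
        return None
    return (p.scheme.lower(), p.hostname.lower(), p.path.rstrip("/") or "/")


IOC_URL_KEYS = {normalize(refang(u)) for u in DEFANGED_IOC_URLS}


def is_n8n_webhook(url: str) -> bool:
    """Structural rule: a tenant subdomain of n8n Cloud serving a webhook path.

    n8n exposes production webhooks under /webhook/ and test webhooks under
    /webhook-test/; the tenant name is the left-most label of the host.
    """
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    return host.endswith(".app.n8n.cloud") and (
        p.path.startswith("/webhook/") or p.path.startswith("/webhook-test/"))


def classify_url(url: str):
    """Return 'known_ioc', 'n8n_webhook', or None for a single URL."""
    if normalize(url) in IOC_URL_KEYS:
        return "known_ioc"
    if is_n8n_webhook(url):
        return "n8n_webhook"
    return None


URL_RE = re.compile(r"https?://\S+")


def scan_log(lines):
    """Return (line_no, url, reason) for every flagged URL in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reason = classify_url(url)
            if reason:
                hits.append((n, url, reason))
    return hits


def match_hashes(observed):
    """Return the subset of observed SHA-256 values that are on the IOC list."""
    return {h.lower() for h in observed} & IOC_SHA256


# Constructed proxy log lines (timestamp, client IP, method, URL, status).
# Line 3 uses a hypothetical tenant name that is not in the article.
LOG_LINES = [
    "2026-04-15T10:01:02Z 10.0.0.5 GET https://www.example.org/ 200",
    "2026-04-15T10:01:09Z 10.0.0.5 GET https://onedrivedownload.zoholandingpage.com/my-workspace/DownloadedOneDrive 200",
    "2026-04-15T10:02:44Z 10.0.0.17 GET https://ops-team-1234.app.n8n.cloud/webhook/intake 200",
    "2026-04-15T10:03:10Z 10.0.0.17 GET https://docs.n8n.io/integrations/ 200",
]

if __name__ == "__main__":
    for line_no, url, reason in scan_log(LOG_LINES):
        print(f"line {line_no}: {reason}: {url}")
```

The structural rule is a hunting signal, not a block rule: an organisation that legitimately uses n8n Cloud will see its own webhooks flagged, so correlate hits with the source (a link clicked from an external email, a first-seen tenant subdomain) before acting on them, and keep the exact-match list for the URLs that are known bad.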
