ComfyUI - Targeted in Active Cryptomining Botnet Campaign

Significant risk — action recommended within 24-48 hours
Basically, hackers are using exposed ComfyUI setups to secretly mine cryptocurrency.
A new campaign targets over 1,000 exposed ComfyUI instances for cryptomining. Attackers exploit vulnerabilities to install malicious nodes. This poses significant risks for affected systems, urging immediate security measures.
What Happened
An active campaign has been detected that targets over 1,000 exposed ComfyUI instances. This popular Stable Diffusion platform is being exploited to enlist these instances into a cryptocurrency mining and proxy botnet. A Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager.
Who's Being Targeted
The campaign specifically targets internet-exposed instances of ComfyUI. These instances are often misconfigured, allowing remote code execution without authentication. The attackers aim to exploit these vulnerabilities to gain control over the systems and use them for mining cryptocurrencies like Monero and Conflux.
How It Works
The attack begins with a systematic scan for exposed ComfyUI instances. If an exploitable instance is found, the attacker uses a Python script to execute arbitrary code via custom nodes. This method leverages the fact that some custom nodes accept raw Python code as input. The attacker can then install a malicious package called ComfyUI-Shell-Executor, which fetches a shell script from an attacker-controlled IP address, facilitating further exploitation.
Signs of Infection
Indicators that a ComfyUI instance may be compromised include:
- Unusual CPU usage due to mining processes.
- Presence of unauthorized scripts or packages.
- Altered configurations or system files.
How to Protect Yourself
To secure your ComfyUI instances, consider the following actions:
- Regularly audit your configurations to ensure they are secure.
- Implement strict access controls to limit exposure.
- Monitor for unusual activity and resource usage.
- Update and patch your systems to close vulnerabilities.
Additional Context
The attackers have developed a sophisticated method for maintaining persistence on compromised systems. They use scripts that ensure the mining process is revived even if terminated. Additionally, they have mechanisms in place to overwrite competing mining configurations, making it difficult for other malware to operate alongside their payload.
This campaign is part of a broader trend where botnet activity has surged, with various campaigns exploiting different vulnerabilities across multiple platforms. Security researchers have noted a significant increase in botnet activity linked to the availability of source code for existing botnets, making it easier for opportunistic attackers to launch similar campaigns.
🔍 How to Check If You're Affected
1. Check for unauthorized scripts or packages in ComfyUI instances.
2. Monitor CPU usage for unusual spikes indicating mining activity.
3. Review access logs for unauthorized access attempts.
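The three checks above, together with the infection signs listed earlier, can be scripted. The following triage helper is an added example and is not code from the advisory, from ComfyUI or from ComfyUI-Manager. It assumes a standard ComfyUI layout with a custom_nodes directory, a reverse proxy in front of ComfyUI that writes a Common Log Format access log (ComfyUI does not write such a log by default), and a hypothetical allowlist (KNOWN_NODES) of packages the operator installed on purpose; all sample data in it is constructed. It flags custom-node packages that are not on the allowlist (including the ComfyUI-Shell-Executor name from the advisory), processes whose CPU use stays saturated across several readings rather than a single spike, and accepted POST requests from outside trusted networks.

```python
"""Triage checks for one ComfyUI host: custom-node audit, sustained CPU use,
and access-log review. Added example; not the advisory's or ComfyUI's code.
All sample data below is constructed for the demonstration."""
import ipaddress
import re
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical allowlist: packages the operator installed on purpose.
KNOWN_NODES = {"ComfyUI-Manager", "ComfyUI-Impact-Pack"}
# Package name the advisory attributes to the campaign.
KNOWN_BAD = {"ComfyUI-Shell-Executor"}


def audit_custom_nodes(custom_nodes_dir, known=KNOWN_NODES, bad=KNOWN_BAD):
    """Return (unexpected, known_bad): directory names under custom_nodes that
    are not on the allowlist, and those matching a name tied to the campaign."""
    found = {p.name for p in Path(custom_nodes_dir).iterdir() if p.is_dir()}
    return sorted(found - known), sorted(found & bad)


def build_sample_tree():
    """Create a throwaway custom_nodes directory with constructed contents."""
    root = Path(tempfile.mkdtemp()) / "custom_nodes"
    for name in ("ComfyUI-Manager", "ComfyUI-Shell-Executor", "my-private-nodes"):
        (root / name).mkdir(parents=True)
    (root / "README.txt").write_text("not a package")  # plain files are ignored
    return root


def flag_cpu_hogs(samples, threshold=80.0, min_readings=3):
    """samples: (pid, process_name, cpu_percent) readings taken over time.
    A miner keeps a core saturated, so flag pids at/above threshold in at least
    min_readings readings rather than reacting to one spike (a legitimate image
    generation job also peaks briefly)."""
    hits, names = Counter(), {}
    for pid, name, cpu in samples:
        names[pid] = name
        if cpu >= threshold:
            hits[pid] += 1
    return sorted((pid, names[pid], n) for pid, n in hits.items() if n >= min_readings)


# Constructed readings: pid 777 stays saturated, pid 1200 spikes once.
SAMPLE_CPU = [
    (777, "unknown_proc", 99.0), (1200, "python3", 91.0),
    (777, "unknown_proc", 98.0), (1200, "python3", 12.0),
    (777, "unknown_proc", 97.5), (1200, "python3", 8.0),
]

# Common Log Format as written by a reverse proxy in front of ComfyUI (assumed
# deployment; ComfyUI itself does not write this log by default).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def suspicious_requests(lines, trusted_nets=("127.0.0.0/8", "10.0.0.0/8")):
    """Return (ip, path) for successful POSTs from outside the trusted networks.
    POST is what submits workflows or installs nodes, so an accepted POST from
    an untrusted address is the request worth investigating first."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if method == "POST" and status.startswith("2") and not any(addr in n for n in nets):
            out.append((ip, path))
    return out


# Constructed log lines (203.0.113.0/24 is a documentation address range).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /prompt HTTP/1.1" 200 128',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /queue HTTP/1.1" 200 64',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "POST /prompt HTTP/1.1" 401 0',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    print("custom_nodes:", audit_custom_nodes(build_sample_tree()))
    print("sustained CPU:", flag_cpu_hogs(SAMPLE_CPU))
    print("untrusted POSTs:", suspicious_requests(SAMPLE_LOG))
```

On a real host, point audit_custom_nodes at the instance's custom_nodes directory, feed flag_cpu_hogs a few minutes of readings from ps or psutil, and pass the proxy's access log to suspicious_requests; the trusted_nets tuple should list the networks from which operators are expected to reach the instance.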
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: The exploitation of ComfyUI highlights the growing trend of targeting misconfigured cloud services for cryptomining operations.