
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present."
"Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as to a Hysteria V2 botnet."
"Data from the attack surface management platforms shows that there are more than 1,000 publicly-accessible ComfyUI instances. While not a huge number, it's sufficient for a threat actor to run opportunistic campaigns to reap financial gains."
"Censys said it discovered the campaign last month after identifying an open directory on 77.110.96[.]200, an IP address associated with a bulletproof hosting services provider, Aeza Group."
A campaign is targeting internet-exposed ComfyUI instances to exploit vulnerabilities for cryptocurrency mining and botnet activities. A Python scanner sweeps cloud IP ranges for vulnerable targets, installing malicious nodes via ComfyUI-Manager. The attack exploits misconfigurations allowing remote code execution on unauthenticated deployments. Compromised hosts mine Monero and Conflux and are added to a Hysteria V2 botnet. Over 1,000 publicly-accessible ComfyUI instances exist, enabling opportunistic campaigns for financial gain. Censys discovered the campaign through an open directory containing tools for reconnaissance and exploitation.
Read at The Hacker News