
A campaign is targeting internet-exposed ComfyUI instances for cryptocurrency mining and botnet recruitment. A purpose-built Python scanner sweeps major cloud IP ranges for reachable ComfyUI deployments and, where no exploitable custom node is already present, installs malicious nodes through ComfyUI-Manager. The attack relies not on a software flaw but on a misconfiguration: ComfyUI instances exposed to the internet without authentication, which lets a remote client install and execute code. Compromised hosts mine Monero (via XMRig) and Conflux (via lolMiner) and are enrolled in a Hysteria V2 botnet. Attack surface management data shows more than 1,000 publicly accessible ComfyUI instances, a small population but enough to make opportunistic, financially motivated campaigns worthwhile. Censys discovered the campaign through an open directory on an Aeza Group-associated IP address that held the actor's reconnaissance and exploitation tooling.
"A purpose-built Python scanner continuously sweeps major cloud IP ranges for vulnerable targets, automatically installing malicious nodes via ComfyUI-Manager if no exploitable node is already present."
"Upon successful exploitation, the compromised hosts are added to a cryptomining operation that mines Monero via XMRig and Conflux via lolMiner, as well as to a Hysteria V2 botnet."
"Data from the attack surface management platforms shows that there are more than 1,000 publicly-accessible ComfyUI instances. While not a huge number, it's sufficient for a threat actor to run opportunistic campaigns to reap financial gains."
"Censys said it discovered the campaign last month after identifying an open directory on 77.110.96[.]200, an IP address associated with a bulletproof hosting services provider, Aeza Group."
Read at The Hacker News