Security Operations, AI/ML, Threat Intelligence

ComfyUI instances hijacked for cryptomining and proxy botnet

Cybersecurity Alert Critical System Vulnerability Detected

As reported by The Hacker News, a sophisticated attack campaign is actively targeting internet-exposed instances of ComfyUI, a popular platform for stable diffusion models, to integrate them into a malicious cryptocurrency mining and proxy botnet.

Threat actors are employing a custom Python scanner that continuously probes cloud IP ranges for vulnerable ComfyUI deployments. The exploitation leverages a misconfiguration in unauthenticated instances, allowing remote code execution through custom nodes. Once compromised, these servers are enlisted to mine Monero and Conflux cryptocurrencies using XMRig and lolMiner, respectively. Additionally, they are incorporated into a Hysteria V2 botnet, all managed via a Flask-based command-and-control dashboard. The campaign installs malicious nodes, often via ComfyUI-Manager, and employs techniques like disabling shell history and using "chattr +i" for persistence. The malware also actively targets and disrupts competing mining operations.

This campaign highlights the growing trend of exploiting open-source AI tools for illicit activities. With over 1,000 publicly accessible ComfyUI instances identified, the potential for financial gain incentivizes such opportunistic attacks. 

Source: The Hacker News

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds