What Happened

Recent reports have identified an active campaign targeting internet-exposed instances of ComfyUI, a widely utilized stable diffusion platform. This campaign, detected in October 2023, exploits vulnerabilities in the platform to conscript them into a cryptocurrency mining and proxy botnet. The threat actors have been actively scanning major cloud IP ranges to identify and compromise susceptible targets.

The attackers employ a Python-based scanner designed to identify vulnerable ComfyUI instances across popular cloud services. Once a vulnerable system is detected, the attackers leverage ComfyUI-Manager to install malicious software automatically, subsequently integrating the compromised systems into a larger botnet network.

Technical Details

The primary attack vector involves leveraging a yet unspecified vulnerability within ComfyUI and the ComfyUI-Manager. This flaw enables unauthorized remote code execution, allowing attackers to deploy their payloads seamlessly. While a formal CVE ID for the vulnerability is anticipated, it currently remains undocumented in public vulnerability databases.

The campaign's attackers have demonstrated a high degree of automation with their Python script, which efficiently scans and identifies vulnerable instances. The vulnerability has not yet received a CVSS score, pending further analysis and confirmation of exploit parameters. Currently, no specific Indicators of Compromise (IOCs) have been released, making network monitoring and anomaly detection vital for potential identification and response.

Impact

The scope of the impact extends to any organization leveraging ComfyUI in internet-facing environments. The immediate consequence is the significant increase in resource utilization due to unauthorized cryptocurrency mining operations. Compromised systems also experience decreased performance and potential service disruptions due to their involuntary participation in the proxy botnet.

Organizations that use cloud infrastructures where ComfyUI instances are deployed without stringent security hardening are particularly at risk. These attacks can also lead to increased operational costs due to the unauthorized use of computing resources on cloud platforms.

What To Do

  • Immediate Patch Installation: Await the release of an official patch or update from ComfyUI developers and apply it without delay.
  • Network Monitoring: Implement enhanced network monitoring to detect unusual traffic patterns indicative of scanning activity or increased resource consumption.
  • Access Restrictions: Restrict ComfyUI access to only trusted IPs through firewall rules and network segmentation.
  • Security Hardening: Ensure proper security configurations and middleware updates are applied to all internet-exposed services.
  • Anomaly Detection: Use security tools capable of anomaly detection to identify sudden changes in server behavior.

Organizations should remain vigilant in monitoring their infrastructure and apply recommended security measures proactively. Being aware of new vulnerabilities as they are disclosed and responding promptly is critical to mitigating the risk of such exploitation.

Related: