Full Report
Baidu reports an exploitation campaign targeting publicly-exposed instances of ComfyUI. ComfyUI provides a GUI for AI image generation workflows. By default, it does not implement authentication. A popular extension, ComfyUI-Manager, allows an attacker to execute remote code v...
Analysis Summary
# Incident Report: Exploitation of Unauthenticated ComfyUI Instances via ComfyUI-Manager
## Executive Summary
Threat actors are actively exploiting publicly exposed, unauthenticated ComfyUI instances to achieve Remote Code Execution (RCE). The campaign leverages the "ComfyUI-Manager" extension to install malicious custom nodes and execute arbitrary Python code, leading to the deployment of information stealers and crypto-miners. This incident highlights the significant risk of deploying niche AI tools to the public internet without supplemental security layers.
## Incident Details
- **Discovery Date:** Late May 2024 (Reported by Baidu)
- **Incident Date:** Ongoing
- **Affected Organization:** Multiple (Users of self-hosted ComfyUI)
- **Sector:** Technology / AI Research / Creative Media
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Various (Ongoing campaign)
- **Vector:** Direct web access to unauthenticated GUI.
- **Details:** Attackers use automated scanners to find ComfyUI instances reachable on the default port 8188. Because ComfyUI ships with no native authentication, anyone who can reach the port has the same access as the operator, including the ComfyUI-Manager install and update functions exposed through the dashboard.
### Lateral Movement
- **Details:** Once RCE is achieved via the ComfyUI-Manager API, attackers attempt to pivot from the application container/environment to the underlying host system to harvest credentials and access local network resources.
### Data Exfiltration/Impact
- **Details:** Attackers utilized the `custom_nodes` feature to execute Python scripts that exfiltrated browser cookies, saved passwords, and sensitive keys from the host.
### Detection & Response
- **How it was discovered:** Baidu’s security monitoring identified anomalous outbound traffic and malicious script execution originating from AI development environments.
- **Response actions taken:** Community alerts issued; recommendations provided to use reverse proxies and VPNs.
## Attack Methodology
- **Initial Access:** Exploitation of unauthenticated publicly-accessible web interfaces.
- **Persistence:** Installation of malicious "Custom Nodes" under `custom_nodes/`; ComfyUI imports each node package's `__init__.py` every time the application starts, so the payload re-executes on every restart.
- **Privilege Escalation:** No separate escalation exploit is reported. The payload simply inherits the privileges of the account running the ComfyUI process, which in enthusiast setups is often a local administrator or root, so there is nothing left to escalate.
- **Defense Evasion:** Use of legitimate extension management features (ComfyUI-Manager) to download "updates" that contain malicious payloads.
- **Credential Access:** Scraping local browser databases (SQLite) for stored credentials and session tokens.
- **Discovery:** Internet-wide scanning of the IPv4 space for the ComfyUI web interface fingerprint.
- **Exfiltration:** Standard HTTP POST requests to attacker-controlled C2 servers.
- **Impact:** Deployment of XMRig miners and theft of personal/corporate data.
## Impact Assessment
- **Financial:** High (Compute costs associated with unauthorized crypto-mining, particularly on expensive GPU instances).
- **Data Breach:** High (Theft of browser data, session tokens, and intellectual property/AI models).
- **Operational:** Medium (System instability and resource exhaustion).
- **Reputational:** Low (Primarily affects individual researchers and small labs).
## Indicators of Compromise
- **Network Indicators:**
- `hxxp[:]//43[.]133[.]162[.]253/` (Known C2)
- Unusual outbound connections to TCP port 14444, commonly used by Stratum mining pools (Stratum is not bound to a fixed port, so absence of 14444 traffic does not rule out mining)
- **File Indicators:**
- Presence of unexpected directories in the `custom_nodes/` directory of the ComfyUI install (reported as `/comfyui/custom_nodes/`)
- Modified `__init__.py` files containing obfuscated Python code.
- **Behavioral Indicators:**
- High GPU/CPU utilization unrelated to active user tasks.
- ComfyUI-Manager logs showing unexpected package installations.
## Response Actions
- **Containment:** Immediately disconnect affected instances from the internet; kill the ComfyUI process.
- **Eradication:** Delete the ComfyUI directory or specifically remove unauthorized `custom_nodes`. Scan the host for persistent miners.
- **Recovery:** Reinstall from a clean Git clone (if the process ran as root or local administrator, rebuild the host rather than cleaning it). Rotate every credential that was reachable from that machine: browser-saved passwords and session cookies, plus any API keys, SSH keys or cloud credentials stored on the host.
## Lessons Learned
- **Key takeaways:** Niche and rapidly evolving AI software often prioritizes usability over security and should never be exposed directly to the internet.
- **What could have been done better:** Implementation of a "Zero Trust" or "Default Deny" posture for experimental internal tools.
## Recommendations
- **Authentication:** Never expose port 8188 directly. Put ComfyUI behind a reverse proxy (Nginx/Apache) that enforces authentication over TLS (Basic Auth without TLS sends credentials in the clear), or reach it only through Cloudflare Tunnel/Tailscale. ComfyUI binds to 127.0.0.1 unless started with `--listen`; when the proxy runs on the same host, leave that flag off so the proxy is the only path in.
- **Isolation:** Run ComfyUI inside a Docker container as a non-root user with a read-only root filesystem, mounting only the models and output directories it needs; no privileged mode or Docker socket mount, since the observed pivot is from the container to the host.
- **Monitoring:** Monitor the `custom_nodes` directory for unauthorized changes using File Integrity Monitoring (FIM).
- **Network Security:** Use a firewall to restrict access to known internal IP addresses only.
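The file indicators listed above (unexpected node directories, tampered `__init__.py` loaders) and the File Integrity Monitoring recommendation can be combined into one check. The following is an added example written for this report, not code from Baidu, the Baidu report, or the ComfyUI project. It assumes the standard layout in which every extension is a sub-directory of `custom_nodes/` whose `__init__.py` ComfyUI imports at startup; the obfuscation regexes and the sample tree built by `demo()` are our own constructed triage heuristics and test data, not indicators from the report.

```python
"""Integrity check for a ComfyUI custom_nodes/ tree: baseline, diff, and loader-file triage."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Heuristics for the "decode-then-exec" loaders typical of malicious __init__.py
# files. These are our own assumptions for triage, not signatures from the report.
SUSPICIOUS_PATTERNS = {
    "exec of decoded payload": re.compile(r"\bexec\s*\(\s*(?:base64|codecs|zlib|marshal)\."),
    "exec/eval of compile()": re.compile(r"\b(?:eval|exec)\s*\(\s*compile\s*\("),
    "base64 decode": re.compile(r"\bbase64\.b64decode\s*\("),
    "marshal.loads": re.compile(r"\bmarshal\.loads\s*\("),
    "dynamic import of os/subprocess": re.compile(r"__import__\s*\(\s*['\"](?:os|subprocess)['\"]"),
    "long hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
}


def _sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(custom_nodes):
    """Map every file under custom_nodes/ (relative POSIX path) to its SHA-256."""
    root = Path(custom_nodes)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and "__pycache__" not in p.parts
    }


def save_manifest(manifest, dest):
    Path(dest).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def diff_manifest(baseline, current):
    """Added/removed/modified files plus top-level node directories absent from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    known_dirs = {p.split("/", 1)[0] for p in baseline if "/" in p}
    new_dirs = sorted({p.split("/", 1)[0] for p in added if "/" in p} - known_dirs)
    return {"added": added, "removed": removed, "modified": modified, "new_node_dirs": new_dirs}


def scan_init_files(custom_nodes):
    """Flag __init__.py loaders matching the heuristics. Files are read as text, never imported."""
    root = Path(custom_nodes)
    findings = {}
    for init in sorted(root.rglob("__init__.py")):
        text = init.read_text(errors="replace")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if hits:
            findings[init.relative_to(root).as_posix()] = hits
    return findings


def check(custom_nodes, baseline_path):
    """Full check against a stored baseline; 'clean' is False on any change or heuristic hit."""
    changes = diff_manifest(load_manifest(baseline_path), build_manifest(custom_nodes))
    suspicious = scan_init_files(custom_nodes)
    return {
        "clean": not any(changes.values()) and not suspicious,
        "changes": changes,
        "suspicious_init_files": suspicious,
    }


def demo():
    """Constructed sample tree (not data from the report): one benign node is baselined, then a
    new node directory with a base64/exec loader appears and the benign loader is tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        nodes = Path(tmp, "custom_nodes")
        benign = nodes / "ComfyUI-Manager"
        benign.mkdir(parents=True)
        (benign / "__init__.py").write_text("from .nodes import NODE_CLASS_MAPPINGS\n")
        baseline = Path(tmp, "custom_nodes.baseline.json")
        save_manifest(build_manifest(nodes), baseline)

        # Simulated compromise. The encoded string is only matched as text, never decoded or run.
        dropped = nodes / "malicious_node"
        dropped.mkdir()
        (dropped / "__init__.py").write_text("import base64\nexec(base64.b64decode('cHJpbnQoImhlbGxvIik='))\n")
        with (benign / "__init__.py").open("a") as f:
            f.write("import marshal\nexec(marshal.loads(b''))\n")
        return check(nodes, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a known-good install (a fresh clone plus the extensions you deliberately chose) and store it outside the ComfyUI tree, somewhere the ComfyUI process cannot write, then run `check()` on a schedule and alert on `clean == False`. The regexes are triage aids, not verdicts: legitimate nodes also call `base64.b64decode`, so a hit means read the file, while a new directory or a changed hash that nobody installed means the Response Actions above apply.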