Cryptomining Campaign Exploiting Grid Services

July 30, 2024, 4:30 p.m.

Description

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging features of Selenium WebDriver API, the threat actor executes remote commands, deploys a modified XMRig miner, and employs various techniques to evade detection and maximize mining efforts.

Date

Published: July 30, 2024, 3:45 p.m.

Created: July 30, 2024, 3:45 p.m.

Modified: July 30, 2024, 4:30 p.m.

Indicators

fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552

d5aaa3b923dd8ede43e4cd9eea642d24f3d9be03273d5f97902bc615849af208

6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab

192.241.144.69

165.227.63.241

164.90.149.104

165.22.195.35

http://192.241.144.69:4447

http://165.227.63.241:443

http://165.22.195.35:443

http://164.90.149.104:9022/xm2

http://164.90.149.104:9022/wxm

http://164.90.149.104:9022

http://164.90.149.104:9021

Attack Patterns

XMRig

T1584.004

T1562.003

T1027.002

T1059.004

T1070.006

T1222.002

T1496