Cryptomining Campaign Exploiting Grid Services

July 30, 2024, 4:30 p.m.

Description

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging features of the Selenium WebDriver API, the threat actor executes remote commands, deploys a modified XMRig miner, and employs various techniques to evade detection and maximize mining output.

Date

  • Created: July 30, 2024, 3:45 p.m.
  • Published: July 30, 2024, 3:45 p.m.
  • Modified: July 30, 2024, 4:30 p.m.

Indicators


Attack Patterns