Cryptomining Campaign Exploiting Grid Services
July 30, 2024, 4:30 p.m.
Description
Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging features of the Selenium WebDriver API, the threat actor executes remote commands, deploys a modified XMRig miner, and employs various techniques to evade detection and maximize mining efforts.
Date
Published: July 30, 2024, 3:45 p.m.
Created: July 30, 2024, 3:45 p.m.
Modified: July 30, 2024, 4:30 p.m.
Indicators
Attack Patterns
XMRig
T1584.004
T1562.003
T1027.002
T1059.004
T1070.006
T1222.002
T1496