Wiz Research has uncovered a cryptomining campaign named “SeleniumGreed” that exploits exposed Selenium Grid services lacking default authentication to deploy miners. The campaign highlights the security risks of misconfigured Selenium instances in cloud environments and stresses securing Grid with authentication and network controls. #SeleniumGreed #SeleniumGrid
Key points
- Exposed Selenium Grid services can be accessed and exploited due to the lack of default authentication, enabling remote command execution.
- The threat actor uses the Selenium WebDriver API to run Python scripts that deploy a modified XMRig miner for cryptomining.
- Over 30,000 Selenium Grid instances have been identified as vulnerable, with many running outdated versions.
- Best practices for securing Selenium Grid include implementing network security controls and enabling basic authentication.
- The campaign has been active for over a year, indicating a persistent threat to organizations that fail to secure their Selenium instances.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The attacker downloads the miner and the script responsible for running the miner to the /bin directory via curl. ‘It downloads the miner [T1105] … to the /bin directory.’
- [T1222.002] File and Directory Permissions Modification – The attacker sets permissions on the downloaded binaries (e.g., chmod 700 /bin/xm /bin/wxm) to restrict access. ‘chmod 700 /bin/xm /bin/wxm’.
- [T1564.001] Hide Artifacts: Hidden Files and Directories – The attacker creates a hidden script under /tmp or /dev/shm with a random name to conceal payload. ‘creates a hidden script [T1564.001] with a random name composed of 8 characters under /tmp or /dev/shm’.
- [T1564.011] Hide Artifacts: Ignore Process Interrupts – The attacker uses nohup to keep the payload running after the reverse shell ends. ‘nohup … to ensure they continue running after the interactive session of the reverse shell ends.’
- [T1562.003] Impair Defenses: Impair Command History Logging – The attacker sets HISTFILE=/dev/null to disable command logging for interactive shells. ‘set HISTFILE environment variable to /dev/null to disable command logging for interactive shell sessions.’
- [T1027.002] Obfuscated Files or Information: Software Packing – The miner is packed with a custom UPX header (CATS) to evade signature-based detection. ‘packed with custom UPX headers.’
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The attacker uses /usr/bin/python3 -c to execute a base64-decoded payload, enabling remote command execution. ‘The activity uses /usr/bin/python3 -c … decoded payload’.
- [T1496] Resource Hijacking – The campaign uses cryptomining (XMRig) to harvest CPU resources. ‘cryptomining campaign … deploying scripts that download a XMRig miner.’
- [T1584.004] Compromise Infrastructure: Server – A legitimate service hosting Selenium Grid is compromised and used as a C2 and mining proxy. ‘We believe this IP belongs to a legitimate service that has been compromised by the threat actor … as it also hosts a publicly exposed Selenium Grid instance.’
- [T1105] Ingress Tool Transfer – The same technique covers the overall workflow: both the miner and the script that controls it are fetched from attacker infrastructure onto the victim host.
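An added host-triage script (not from Wiz or the page) that checks a filesystem for the artifacts listed above: the /bin/xm and /bin/wxm binaries and their mode 700, the page's sha256 values, the custom UPX magic, and hidden 8-character names under /tmp and /dev/shm. It assumes the random names are alphanumeric and that the "CATS" string sits near the start of the packed binary; the root parameter lets it run against a mounted disk image instead of the live host.

```python
import hashlib
import os
import re
# Indicators from the page: binary names under /bin, directories for the hidden script, known sha256s.
MINER_NAMES = ("xm", "wxm")
HIDDEN_DIRS = ("tmp", "dev/shm")
KNOWN_SHA256 = {
    "6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab",
    "fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552",
}
# Assumption: the 8 random characters are alphanumeric (the page gives only the length).
HIDDEN_NAME = re.compile(r"^\.[A-Za-z0-9]{8}$")
# Assumption: the custom UPX header carries "CATS" within the first few KB of the binary.
CUSTOM_UPX_MAGIC = b"CATS"

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def has_custom_upx_header(path, window=4096):
    with open(path, "rb") as f:
        return CUSTOM_UPX_MAGIC in f.read(window)

def check_miner_paths(root="/"):
    """Report /bin/xm and /bin/wxm if present: mode 700, known hash, custom packer magic."""
    findings = []
    for name in MINER_NAMES:
        path = os.path.join(root, "bin", name)
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode & 0o777
        findings.append({"path": path, "mode_700": mode == 0o700,
                         "known_hash": sha256_of(path) in KNOWN_SHA256,
                         "custom_upx": has_custom_upx_header(path)})
    return findings

def find_hidden_scripts(root="/"):
    """Return hidden 8-character file names directly under /tmp and /dev/shm."""
    hits = []
    for d in HIDDEN_DIRS:
        base = os.path.join(root, d)
        if os.path.isdir(base):
            for name in os.listdir(base):
                if HIDDEN_NAME.match(name) and os.path.isfile(os.path.join(base, name)):
                    hits.append(os.path.join(base, name))
    return sorted(hits)
```

A hit on any check is a triage lead, not proof: a legitimate file can sit in /tmp with a short dotted name, so confirm against the hash and the process tree before acting.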
Indicators of Compromise
- [IP Address] Observed network indicators – 164.90.149.104:9022, 164.90.149.104:9021, 192.241.144.69:4447
- [IP Address] Mining pool proxy – 165.22.195.35:443, 165.227.63.241:443
- [File Hash] sha256 – 6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab; fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552
- [File Hash] sha1 – b64cb7dbf62eb8b9539cc1d7901a487a3fd7de9b
- [File Hash] md5 – 861f7deb8926bb0c6d11f8e81d27b406
- [File] /bin/xm, /bin/wxm – downloaded binaries used for mining and payload execution
- [URL/Indicator] C2 and mining proxy hosts – 164.90.149.104:9022, 164.90.149.104:9021, 192.241.144.69:4447
Read more: https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps