Wiz researchers discover ongoing threat to popular testing framework.
Analysis Summary
# Threat Actor: SeleniumGreed Operators (Unnamed)
## Attribution & Identity
This threat activity is characterized by a specific campaign dubbed "SeleniumGreed," which exploits misconfigurations in Selenium Grid services. No specific human attribution or established threat actor group name has been definitively linked to this activity, as this appears to be the first documented exploitation of this vulnerability in the wild. The actor leverages compromised Selenium nodes' workloads both for hosting payloads and as mining pool proxies.
## Activity Summary
The operators are conducting an **ongoing threat campaign** focused on cryptomining by exploiting publicly exposed, unauthenticated instances of **Selenium Grid**. They leverage the Selenium WebDriver API's capabilities—which include reading/downloading files and running remote commands—against misconfigured nodes. The primary goal is to deploy cryptominers, specifically using a modified XMRig miner. The actor is characterized as active as of the report date.
## Tactics, Techniques & Procedures
- **Method of Entry/Execution:** Exploitation of misconfigured **Selenium Grid** services via the **Selenium WebDriver API** to run Python with a reverse shell.
- **Payload Deployment:** Scripts are executed to download a modified **XMRig miner** packed with custom UPX headers.
- **Evasion/Persistence:** Using compromised Selenium nodes as C2 infrastructure for payload hosting and as proxies for the mining pool.
- **Forensics Evasion:** Employing techniques to hinder analysis, including Obfuscated Files (Software Packing - T1027.002), Indicator Removal (Timestomp - T1070.006), and modification of file/directory permissions (T1222.002).
- **Defense Evasion:** Impairing command history logging (T1562.003) and hiding artifacts (Hidden Files/Directories - T1564.001, Ignore Process Interrupts - T1564.011).
- **Execution:** Utilizing Unix Shell interpreters (T1059.004).
- **C2 (Command and Control):** Ingress Tool Transfer (T1105) likely leveraged to fetch components.
- **MITRE ATT&CK Techniques Mapped:**
  - Command and Control - Ingress Tool Transfer (T1105)
  - Defense Evasion - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002)
  - Defense Evasion - Hide Artifacts: Hidden Files and Directories (T1564.001)
  - Defense Evasion - Hide Artifacts: Ignore Process Interrupts (T1564.011)
  - Defense Evasion - Impair Defenses: Impair Command History Logging (T1562.003)
  - Defense Evasion - Indicator Removal: Timestomp (T1070.006)
  - Defense Evasion - Obfuscated Files or Information: Software Packing (T1027.002)
  - Execution - Command and Scripting Interpreter: Unix Shell (T1059.004)
  - Impact - Resource Hijacking (T1496) (cryptomining is observed)
  - Resource Development - Compromise Infrastructure: Server (T1584.004) (using compromised nodes as infrastructure)
## Targeting
- **Sectors:** General technology sector, given Selenium's widespread use in application testing environments across virtually all sectors.
- **Geography:** Not specified, as the targeting is based on infrastructure exposure rather than geographic location.
- **Victims:** Any organization utilizing misconfigured, publicly exposed Selenium Grid installations. The widespread nature of Selenium (present in >30% of cloud environments) suggests a broad potential victim pool.
## Tools & Infrastructure
- **Malware Families Used:**
  - Modified **XMRig miner** (packed with custom UPX headers).
  - **Python** (used to execute the reverse shell and deployment scripts).
- **Infrastructure:**
  - **C2 Payload-Hosting IPs (Defanged):**
    - `164[.]90[.]149[.]104`: Ports 9022, 9021
    - `192[.]241[.]144[.]69`: Port 4447
  - **Mining Pool Proxy IPs (Defanged):**
    - `165[.]22[.]195[.]35`: Port 443
    - `165[.]227[.]63[.]241`: Port 443
  - **Miner File Hashes (SHA256):**
    - `6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab`
    - `fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552`
  - **Binary/Script Paths (on compromised systems):**
    - Miner binary: `/bin/xm`
    - Script path: `/bin/wxm`
## Implications
This activity highlights a critical supply chain and infrastructure misconfiguration risk stemming from the popular Selenium testing framework. Since Selenium Grid is designed for internal use and lacks default authentication, its exposure to the internet provides attackers with a direct, high-privilege remote command execution vector without needing traditional exploits. The objective is purely financially motivated (cryptomining) through resource hijacking, leading to performance degradation, increased cloud costs, and potential system instability on compromised nodes.
## Mitigations
- **Exposure Control:** Ensure Selenium Grid services are **never exposed directly to the internet**. They should ideally be restricted to internal testing networks.
- **Authentication/Access Control:** Implement robust network segmentation and firewall policies to restrict access to the Selenium Hub and Nodes.
- **Runtime Security:** Deploy runtime protection solutions capable of detecting anomalous process execution (like Python spawning reverse shells or downloading binary miners) originating from an application service like Selenium.
- **Monitoring:** Monitor egress traffic from Selenium environments for connections to known mining pools or suspicious C2 infrastructure.
- **Image Security:** If using Docker images (like `selenium/hub`), ensure they are scanned and that custom security layers are applied, as the default configuration is insecure for public exposure.
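To put the runtime-security and monitoring items above into practice, here is an added triage example (not code from the Wiz report) that checks process and network events against the indicators listed on this page. The space-separated `key=value` event format, the sample events, and the assumption that a Grid node's process tree consists of `java` plus a WebDriver binary are mine, not the report's.

```python
# Added example, not code from the Wiz report. Indicator values are from this
# page; the key=value event format and sample events are constructed.
PAYLOAD_HOSTS = {"164[.]90[.]149[.]104": {9022, 9021}, "192[.]241[.]144[.]69": {4447}}
POOL_PROXIES = {"165[.]22[.]195[.]35": {443}, "165[.]227[.]63[.]241": {443}}
MINER_SHA256 = {"6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab",
                "fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552"}
MINER_PATHS = {"/bin/xm", "/bin/wxm"}
# Assumption: a Grid node runs as java and drives browsers through a WebDriver
# binary; none of these should normally spawn a shell or a Python interpreter.
NODE_PROCS = {"java", "chromedriver", "geckodriver"}
INTERPRETERS = {"sh", "bash", "python", "python3"}


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' telemetry line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def classify(event: dict) -> list:
    """Return the indicator labels one event matches (empty list if none)."""
    hits = []
    if event.get("type") == "exec":
        if event.get("path") in MINER_PATHS:
            hits.append("miner_path")
        if event.get("sha256") in MINER_SHA256:
            hits.append("miner_hash")
        if event.get("parent") in NODE_PROCS and event.get("comm") in INTERPRETERS:
            hits.append("node_spawned_interpreter")
    elif event.get("type") == "net":
        dst, port = event.get("dst"), int(event.get("dport", 0))
        for label, table in (("payload_host", PAYLOAD_HOSTS), ("pool_proxy", POOL_PROXIES)):
            # Indicators are stored defanged as on the page, so refang before comparing.
            if any(dst == ip.replace("[.]", ".") and port in ports
                   for ip, ports in table.items()):
                hits.append(label)
    return hits


def triage(lines: list) -> list:
    """Return (line, labels) for every event that matches at least one indicator."""
    scored = ((line, classify(parse_event(line))) for line in lines)
    return [(line, labels) for line, labels in scored if labels]


# Constructed sample telemetry: two benign events, then three that should fire.
SAMPLE_EVENTS = [
    "type=exec comm=chromedriver parent=java path=/opt/selenium/chromedriver",
    "type=net comm=chrome dst=203.0.113.10 dport=443",
    "type=exec comm=python3 parent=java path=/usr/bin/python3",
    "type=exec comm=xm parent=bash path=/bin/xm"
    " sha256=6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab",
    "type=net comm=xm dst=165.22.195.35 dport=443",
]
```

Running `triage(SAMPLE_EVENTS)` flags the interpreter spawned under the node, the miner binary by both path and hash, and the egress to a mining pool proxy, while the two benign events pass; the port check matters, since the payload hosts are only indicators on the ports the report lists.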