It's unclear exactly who is in charge of the attack operation at this time. But in this case, the threat actor targets Selenium Grid instances that are visible to the public and uses the WebDriver API to launch Python code that downloads and launches an XMRig miner. To execute a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server to fetch the final payload—a modified version of the open-source XMRig miner—the adversary first sends a request to the vulnerable Selenium Grid hub.

They dynamically construct the pool IP at runtime rather than hardcoding it in the miner configuration. To guarantee that the miner will only communicate with servers under the threat actor's control, they also configured and incorporated XMRig's TLS-fingerprint capability. Given that it has also been discovered to run a publicly accessible Selenium Grid instance, it is believed that the IP address in question is part of a genuine service that has been compromised by the threat actor.

Users must immediately take action to address the misconfiguration since, according to researchers, over 30,000 instances of exposed remote command execution have been found, and it is feasible to execute remote commands on more recent versions of Selenium. Since Selenium Grid is not intended to be used online and by default does not enable authentication, any user with hub network access can use the API to communicate with the nodes. If the service is set up on a system with a public IP and insufficient firewall rules, this presents a serious security concern.

Impact

• Command Execution
• Cryptocurrency Theft
• Information Theft
• Unauthorized Access

Indicators of Compromise

MD5

• 861f7deb8926bb0c6d11f8e81d27b406
• 585fd7777074089aaa3c615169c18170

SHA-256

• 6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab
• fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552

SHA-1

• b64cb7dbf62eb8b9539cc1d7901a487a3fd7de9b
• 47560b0a57913d01614256e9150b6e6f5e758250

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.