Cybersecurity researchers are warning about an ongoing campaign that abuses internet-exposed Selenium Grid services for unauthorized cryptocurrency mining.
The campaign, tracked as SeleniumGreed, was identified by cloud security firm Wiz. It targets outdated versions of Selenium (3.141.59 and earlier) and has been active since at least April 2023.
“Without the knowledge of many users, the Selenium WebDriver API provides complete control over the system, allowing for actions such as viewing and downloading files, and executing remote commands,” stated Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska in a blog post.

“By default, this service does not require authentication. Consequently, many publicly accessible instances are misconfigured and open to exploitation for malicious intentions.”
Selenium Grid, a component of the Selenium automated testing suite, runs tests in parallel across multiple machines, browser types, and browser versions.
“It is crucial to protect Selenium Grid from external access by configuring appropriate firewall settings,” cautioned the project maintainers in a support document, emphasizing that failing to do so could enable unauthorized execution of code and access to internal web assets and documents.
The actors behind the campaign have not been identified. The attack targets publicly accessible Selenium Grid installations and abuses the WebDriver API to run Python scripts that download and execute a customized version of the open-source XMRig miner.
The chain begins with the attacker sending a request to the exposed Selenium Grid hub to execute a Python script containing a Base64-encoded payload. That payload opens a reverse connection to an attacker-controlled server (“164.90.149[.]104”) to retrieve the final payload, a modified version of the XMRig miner.
“Instead of embedding the pool IP directly in the miner configuration, they generate it dynamically during execution,” the researchers explained. “Additionally, they introduce XMRig’s TLS-fingerprint functionality in the added code (and configuration), ensuring that the miner communicates solely with servers managed by the threat actor.”
The IP address belongs to a legitimate service that the threat actor compromised; it, too, hosts a publicly exposed Selenium Grid instance.
Wiz also noted that remote command execution is possible on newer Selenium versions, and identified more than 30,000 instances exposed to remote command execution, urging users to remediate the misconfiguration promptly.
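To turn the maintainers' firewall advice and Wiz's exposure figures into a check an operator can run against their own inventory, the following is an added example, not code from the article, from Wiz, or from the Selenium project. Both a Selenium 3 hub and a Selenium 4 router answer `GET /status` with a JSON document; a Selenium 3 hub reports its version under `value.build.version`, while Selenium 4 reports one version per entry in `value.nodes`. The script parses such a response, flags any version at or below the 3.141.59 release the article names, and flags a grid that listens on a non-loopback address, since the API needs no credentials by default. The listening address is assumed to come from the grid's own process configuration, and both `/status` bodies below are constructed samples, not captures from a real grid.

```python
"""Audit Selenium Grid instances for the exposure described in the article.

Added example: not the article's, Wiz's, or the Selenium project's code.
"""
import ipaddress
import json
from typing import Dict, List, Tuple

# Highest Selenium release the article names as targeted by the campaign.
TARGETED_MAX_VERSION = (3, 141, 59)

# Constructed sample /status bodies (not captured from any real grid).
SELENIUM3_STATUS = json.dumps({
    "status": 0,
    "value": {
        "ready": True,
        "message": "Hub has capacity",
        "build": {"revision": "placeholder-revision",
                  "time": "placeholder-time",
                  "version": "3.141.59"},
    },
})
SELENIUM4_STATUS = json.dumps({
    "value": {
        "ready": True,
        "message": "Selenium Grid ready.",
        "nodes": [{"id": "placeholder-node-id",
                   "availability": "UP",
                   "version": "4.21.0"}],
    },
})


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.141.59' or '4.21.0 (revision abc)' into a comparable tuple."""
    core = text.split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def versions_from_status(status: dict) -> List[str]:
    """Collect version strings from either response shape.

    Selenium 3 hub:    value.build.version
    Selenium 4 router: value.nodes[*].version
    """
    value = status.get("value", {})
    found = []
    build = value.get("build", {})
    if "version" in build:
        found.append(build["version"])
    for node in value.get("nodes", []):
        if "version" in node:
            found.append(node["version"])
    return found


def is_public_bind(host: str) -> bool:
    """True when the grid listens on anything other than a loopback address."""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        # A hostname we cannot classify is treated as reachable; verify it.
        return True


def audit_grid(bind_host: str, status_json: str) -> Dict[str, object]:
    """Return exposure findings for one grid.

    bind_host is the address the hub/router listens on (taken from its own
    configuration); status_json is the raw body of its /status response.
    """
    status = json.loads(status_json)
    versions = versions_from_status(status)
    outdated = any(parse_version(v) <= TARGETED_MAX_VERSION for v in versions)
    public = is_public_bind(bind_host)
    findings = []
    if public:
        findings.append("listens on a non-loopback address; the API needs "
                        "no credentials by default, so restrict it by firewall")
    if outdated:
        findings.append("version is at or below 3.141.59, the range the "
                        "campaign targeted; upgrade")
    if not versions:
        findings.append("could not read a version from /status; verify manually")
    return {"bind_host": bind_host, "versions": versions,
            "outdated": outdated, "public_bind": public, "findings": findings}


if __name__ == "__main__":
    samples = (("0.0.0.0", SELENIUM3_STATUS), ("127.0.0.1", SELENIUM4_STATUS))
    for host, body in samples:
        report = audit_grid(host, body)
        print(f"{host}: versions={report['versions']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

The version comparison alone is not a clean bill of health: the article notes that Wiz found remote command execution possible on newer versions too, so the bind-address finding is the one that matters most, and a grid that is reachable from outside its test network should be firewalled regardless of version.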
“Selenium Grid was not designed for internet exposure, and its default setup lacks authentication, allowing any network-connected user to interact with nodes via the API,” highlighted the researchers.
“This presents a significant security hazard if the service is deployed on a system with a public IP address and inadequate firewall protection.”