Threat actors are targeting publicly exposed Selenium Grid servers for illicit cryptocurrency mining and proxyjacking schemes.
According to an analysis published today by Cado Security researchers Tara Gould and Nate Bill, “Selenium Grid serves as a server enabling the execution of test cases concurrently across various browsers and versions.”
“Nevertheless, the default setup of Selenium Grid lacks verification, thus rendering it susceptible to exploitation by malicious entities.”
Widespread abuse of publicly reachable Selenium Grid servers to deploy cryptocurrency miners was previously documented by cloud security firm Wiz in late July 2024, under an activity cluster it tracks as SeleniumGreed.
Cado, which observed two distinct campaigns hitting its honeypot server, said the attackers are exploiting the absence of authentication to run malicious operations.
The first campaign uses the “goog:chromeOptions” dictionary to inject a Base64-encoded Python script, which in turn fetches a script named “y” that is the open-source GSocket reverse shell.
The reverse shell then serves as the conduit for the next-stage payload, a bash script called “pl” that downloads IPRoyal Pawn and EarnFM from a remote server using the curl and wget commands.
“IPRoyal Pawns offers a residential proxy service enabling users to barter their internet bandwidth for monetary gains,” according to Cado.
“The user’s internet connection is shared with the IPRoyal network allowing the service to utilize the bandwidth as a residential proxy, thus rendering it accessible for various intents, including malicious ones.”
EarnFM is also a proxyware offering, marketed as a revolutionary way to “generate passive income online by merely distributing your internet connection.”

The second attack, like the proxyjacking campaign, follows a similar path: a Python script delivers a bash script that checks it is running on a 64-bit machine before deploying a Golang-based ELF binary.
The ELF file then attempts to escalate to root privileges via the PwnKit vulnerability (CVE-2021-4043) and installs an XMRig cryptocurrency miner named perfcc.
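Both campaigns enter through the same door: a new-session request whose “goog:chromeOptions” is abused to run something other than a browser. The following detection helper is an added example, not Cado's or Selenium's code; it inspects W3C new-session bodies (the JSON a Grid router receives at POST /session, which is an assumption about where a defender would tap them) and flags a non-browser “binary” override or a Base64 argument that decodes to script-like content. The sample requests are constructed for the demonstration.

```python
import base64
import json
import re

# Constructed sample new-session bodies. The first is a normal headless run;
# the second mirrors the pattern described above: the browser binary is swapped
# for an interpreter and a Base64 blob is passed to it via "args".
SAMPLE_REQUESTS = [
    json.dumps({"capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]}}}}),
    json.dumps({"capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        "goog:chromeOptions": {
            "binary": "/usr/bin/python3",
            "args": ["-cimport base64;exec(base64.b64decode('"
                     + base64.b64encode(b"import os\nprint(os.getcwd())").decode()
                     + "'))"]}}}}),
]

# Paths we accept as legitimate browser binaries (assumption; extend per fleet).
BROWSER_BINARY = re.compile(r"chrom(e|ium)|google-chrome|msedge|firefox", re.I)
# A run of Base64 alphabet long enough to carry a script rather than a flag value.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
SCRIPT_HINTS = re.compile(r"\b(import|exec|os\.system|subprocess|curl|wget)\b")


def inspect_session_request(body: str) -> list[str]:
    """Return findings for one new-session request body (empty list = clean)."""
    caps = json.loads(body).get("capabilities", {}).get("alwaysMatch", {})
    opts = caps.get("goog:chromeOptions", {})
    findings = []
    binary = opts.get("binary")
    if binary and not BROWSER_BINARY.search(binary):
        findings.append(f"binary overridden to non-browser path: {binary}")
    for arg in opts.get("args", []):
        for blob in B64_BLOB.findall(arg):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except (ValueError, TypeError):
                continue  # not real Base64 (e.g. a long flag value); skip it
            if SCRIPT_HINTS.search(decoded):
                findings.append("base64 argument decodes to script-like content")
                break
    return findings


if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(inspect_session_request(body) or ["clean"])
```

Wire the same check into a reverse proxy in front of the router and it complements, rather than replaces, enabling authentication on the Grid itself.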
“Considering numerous organizations rely on Selenium Grid for browser testing, this campaign further accentuates how improperly configured instances may be exploited by malevolent actors,” the researchers noted. “It’s crucial for users to configure authentication since it’s not enabled by default.”