Cybersecurity researchers are sounding the alarm over a campaign that exploits Internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security firm Wiz tracks the activity under the name SeleniumGreed. The campaign, which targets older versions of Selenium (3.141.59 and earlier), is believed to have been ongoing since at least April 2023.
“What most users don’t know is that the Selenium WebDriver API provides full interaction with the machine itself, including reading and downloading files and executing remote commands,” Wiz researchers Avigail Mechtinger, Gilly Tikaczynski, and Dor Laska said.
“By default, authentication is not enabled for this service. This means that many public instances are misconfigured and can be accessed by anyone and used for malicious purposes.”
Selenium Grid, a component of the Selenium automated testing framework, lets tests run in parallel across multiple machines, browsers, and browser versions.
“Selenium Grid must be protected from external access with appropriate firewall permissions,” the project's maintainers warn in its documentation, noting that otherwise third parties can run arbitrary binaries and access internal web applications and files.
Exactly who is behind the attacks is still unknown. What is known is that the threat actor targets publicly exposed Selenium Grid instances and uses the WebDriver API to run Python code that downloads and launches the XMRig miner.
The attack begins with the adversary sending a request to the vulnerable Selenium Grid hub to execute a Python program containing a Base64-encoded payload. That payload spawns a reverse shell to an attacker-controlled server (164.90.149[.]104) to fetch the final payload, a modified version of the open-source XMRig miner.
“Instead of hard-coding the pool's IP address into the miner's configuration, they dynamically generate it at runtime,” the researchers explained. “They also make use of XMRig's TLS fingerprint feature in the added code (and in the configuration), ensuring that the miner will only communicate with servers controlled by the threat actor.”
The IP address in question is said to belong to a legitimate service that was compromised by the threat actor, as it too was found to host a publicly exposed Selenium Grid instance.
Wiz said that remote command execution is possible on newer versions of Selenium as well, and that it has identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to fix the misconfiguration.
“Selenium Grid is not designed for Internet access, and its default configuration does not enable authentication, so any user with network access to the hub can interact with the nodes via the API,” the researchers said.
“This creates a significant security risk if the service is deployed on a machine with a public IP that has an inadequate firewall policy.”
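The practical consequence of the passage above is that any Selenium Grid hub that answers a WebDriver status request over the network without credentials can be driven by whoever reaches it. The following audit helper is an added example written for this article; it is not code from Wiz or from the Selenium project. It assumes the Grid's default port 4444 and the two well-known status paths, /status (Grid 4) and /wd/hub/status (Grid 3 and the Grid 4 compatibility alias); the JSON replies embedded below are constructed to match the shape of a WebDriver status document, not captured from a real hub. The second function generalises the article's "runs arbitrary binaries" point into a request-side check (a hypothetical guard for a reverse proxy in front of the hub): it flags new-session capabilities whose browser `binary` override points outside an allowlist of real browser paths. The `BROWSER_BINARY_ALLOWLIST` values and the `inspect_new_session` name are assumptions of this example.

```python
"""Audit helper for Internet-exposed Selenium Grid hubs (added example).

Assumes the default hub port 4444 and the well-known status paths. The
sample JSON documents at the bottom are constructed for offline use.
"""
import json
import urllib.error
import urllib.request

DEFAULT_PORT = 4444
STATUS_PATHS = ("/status", "/wd/hub/status")

# Hypothetical allowlist of legitimate browser binaries on the nodes.
BROWSER_BINARY_ALLOWLIST = ("/usr/bin/google-chrome", "/usr/bin/chromium", "/usr/bin/firefox")
# Vendor capability blocks that carry a "binary" override.
BINARY_OPTION_KEYS = ("goog:chromeOptions", "ms:edgeOptions", "moz:firefoxOptions")


def classify_status_response(http_status, body):
    """Turn one HTTP reply from a candidate hub into a finding.

    A 2xx reply carrying a WebDriver status document means the hub answered
    without asking for credentials: anyone who can reach the port can create
    sessions, which is exactly the exposure described in the article.
    """
    if http_status in (401, 403):
        return {"exposed": False, "reason": "auth or ACL in front of hub", "nodes": 0}
    if not 200 <= http_status < 300:
        return {"exposed": False, "reason": f"unexpected HTTP {http_status}", "nodes": 0}
    try:
        doc = json.loads(body)
    except ValueError:
        return {"exposed": False, "reason": "non-JSON reply, probably not a Grid", "nodes": 0}
    value = doc.get("value") if isinstance(doc, dict) else None
    # Both Grid 4 ("ready") and legacy ("build") status documents live under "value".
    if not isinstance(value, dict) or not ("ready" in value or "build" in value):
        return {"exposed": False, "reason": "JSON without WebDriver status fields", "nodes": 0}
    return {
        "exposed": True,
        "reason": "unauthenticated WebDriver status document returned",
        "nodes": len(value.get("nodes", [])),
    }


def probe_hub(host, port=DEFAULT_PORT, timeout=5.0):
    """Fetch each status path; return the first exposed finding, else the last one.

    Network errors are reported as not exposed ("unreachable"), which is what a
    correct firewall policy should produce when probed from outside.
    """
    last = {"exposed": False, "reason": "unreachable", "nodes": 0}
    for path in STATUS_PATHS:
        url = f"http://{host}:{port}{path}"
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                finding = classify_status_response(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            finding = classify_status_response(err.code, "")
        except OSError as err:  # URLError, timeouts and socket errors all derive from OSError
            finding = {"exposed": False, "reason": f"unreachable: {err}", "nodes": 0}
        finding["url"] = url
        if finding["exposed"]:
            return finding
        last = finding
    return last


def inspect_new_session(request_body, allowlist=BROWSER_BINARY_ALLOWLIST):
    """Flag new-session capabilities that override the browser binary.

    Handles W3C "capabilities" (alwaysMatch / firstMatch) and the legacy
    "desiredCapabilities" form. Returns a list of "<key>.binary=<path>" strings
    for every override not on the allowlist; an empty list means nothing suspicious.
    """
    findings = []
    caps = request_body.get("capabilities", {})
    candidates = [caps.get("alwaysMatch", {})] + list(caps.get("firstMatch", []))
    if "desiredCapabilities" in request_body:
        candidates.append(request_body["desiredCapabilities"])
    for cap in candidates:
        for key in BINARY_OPTION_KEYS:
            opts = cap.get(key)
            if isinstance(opts, dict) and "binary" in opts and opts["binary"] not in allowlist:
                findings.append(f"{key}.binary={opts['binary']}")
    return findings


# Constructed sample replies (shape follows the WebDriver status document).
SAMPLE_GRID4_STATUS = json.dumps({"value": {
    "ready": True, "message": "Selenium Grid ready.",
    "nodes": [{"id": "n1", "uri": "http://10.0.0.5:5555", "availability": "UP"},
              {"id": "n2", "uri": "http://10.0.0.6:5555", "availability": "UP"}]}})
SAMPLE_LEGACY_STATUS = json.dumps({"value": {"ready": True, "message": "Hub has capacity",
                                             "build": {"version": "3.141.59"}}})

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_hub(host))
```

Run it as `python audit.py hub1.internal hub2.internal` from a network position equivalent to the Internet (a jump host outside the firewall) to confirm each hub comes back "unreachable"; an "exposed" finding with a node count is the misconfiguration the article describes. `inspect_new_session` is only meaningful if something in front of the hub can see request bodies, and an allowlist on `binary` does not replace the firewall rule the Selenium documentation asks for.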