Selenium Grid instances exposed on the Internet are being targeted by attackers for illicit cryptocurrency mining and proxyjacking campaigns.
“Selenium Grid is a server that makes it easy to run tests in parallel across browsers and versions,” Cado Security researchers Tara Gould and Nate Beal said in an analysis published today.
“However, Selenium Grid’s default configuration lacks authentication, making it vulnerable to exploits by threats.”
The misuse of publicly exposed Selenium Grid instances to deploy cryptominers was previously reported by cloud security company Wiz in late July 2024 as part of a cluster of activity called SeleniumGreed.
Cado, which monitored two different campaigns against its honeypot server, said threat actors are exploiting the lack of authentication protections to carry out malicious activities.
The first one uses the “goog:chromeOptions” dictionary to inject a Base64-encoded Python script, which in turn retrieves a script called “y” that is the open-source GSocket reverse shell.
The reverse shell then serves as a means to deliver the next-stage payload, a bash script called “pl” that retrieves IPRoyal Pawns and EarnFM from a remote server via the curl and wget commands.
“IPRoyal Pawns is a residential proxy service that allows users to sell Internet bandwidth in exchange for money,” Cado said.
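A defender watching a Grid can catch this first stage before any reverse shell is fetched, because the abuse arrives inside an ordinary WebDriver new-session request. The following Python is an added example, not code from Cado or from the Selenium project: it parses W3C new-session payloads (assumed to be captured at a reverse proxy in front of the hub, or taken from the Grid's own request logs) and flags `goog:chromeOptions` blocks whose `binary` is not a browser or whose `args` carry interpreter-style flags, script text, or Base64 blobs that decode to script text. The `binary`/`args` keys as the injection path, the marker strings, and both sample requests are assumptions constructed for the example; the "malicious" sample decodes to a harmless placeholder.

```python
import base64
import json
import re

# Constructed sample new-session bodies (not real captures from the campaign).
BENIGN_REQUEST = json.dumps({
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]},
        }
    }
})

# Harmless stand-in for the Base64-encoded Python stage described in the article.
_STAGE_SCRIPT = "import os\nprint('stage one placeholder')\n"
SUSPICIOUS_REQUEST = json.dumps({
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {
                # Assumption: the attacker points 'binary' at an interpreter
                # and passes the encoded script through 'args'.
                "binary": "/usr/bin/python3",
                "args": [
                    "-c",
                    "import base64;exec(base64.b64decode('"
                    + base64.b64encode(_STAGE_SCRIPT.encode()).decode()
                    + "'))",
                ],
            },
        }
    }
})

# Last path component should look like a browser executable.
BROWSER_BINARY_RE = re.compile(r"(chrome|chromium|google-chrome|msedge|brave)[^/\\]*$", re.I)
# Runs of Base64 characters long enough to hide a script.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Strings that have no business in a browser argument list (assumed marker set).
SCRIPT_MARKERS = ("import ", "exec(", "subprocess", "os.system",
                  "/bin/sh", "bash -c", "curl ", "wget ")


def chrome_options(payload: dict) -> list[dict]:
    """Collect every goog:chromeOptions block from alwaysMatch and firstMatch."""
    caps = payload.get("capabilities", {})
    sections = [caps.get("alwaysMatch", {}), *caps.get("firstMatch", [])]
    return [s["goog:chromeOptions"] for s in sections
            if isinstance(s.get("goog:chromeOptions"), dict)]


def decoded_blobs(text: str) -> list[str]:
    """Decode every Base64-looking run that is valid Base64 and valid UTF-8."""
    out = []
    for m in B64_RE.finditer(text):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really Base64, or binary data; ignore
    return out


def inspect_new_session(raw: str) -> list[str]:
    """Return findings for one new-session body; an empty list means nothing flagged."""
    findings = []
    for opts in chrome_options(json.loads(raw)):
        binary = opts.get("binary")
        if binary and not BROWSER_BINARY_RE.search(binary):
            findings.append(f"non-browser binary: {binary}")
        for arg in opts.get("args", []):
            if arg == "-c":
                findings.append("interpreter-style '-c' argument")
            if any(marker in arg for marker in SCRIPT_MARKERS):
                findings.append(f"script text in argument: {arg[:40]!r}")
            if any(any(marker in blob for marker in SCRIPT_MARKERS)
                   for blob in decoded_blobs(arg)):
                findings.append("base64-encoded script in argument")
    return findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_new_session(body) or "clean")
```

Detection of this kind is a backstop, not a fix: the root cause is a hub reachable from the Internet with no authentication. Selenium Grid 4 accepts `--username` and `--password` on the hub/router to require HTTP Basic auth on every request, and the hub should additionally sit behind a firewall or VPN so that only the CI runners that need it can reach port 4444.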
“A user’s Internet connection is shared with IPRoyal’s network by a service that uses bandwidth as a residential proxy server, making it available for various purposes, including malicious purposes.”
EarnFM is also a proxy solution that is advertised as an “innovative” way to “earn passive income online by simply using your internet connection.”
The second attack follows the same route as the proxyjacking campaign to deliver a bash script via a Python script, which checks whether it is running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.
The ELF file then attempts to escalate privileges to root using the PwnKit flaw (CVE-2021-4034) and drops the XMRig cryptocurrency miner under the name perfcc.
“As many organizations rely on Selenium Grid to test web browsers, this campaign further highlights how misconfigured instances can be abused by threat actors,” the researchers said. “Users should ensure that authentication is configured as it is not enabled by default.”