Cybersecurity researchers are raising the alarm about an ongoing campaign that is abusing exposed Selenium Grid services to illicitly mine cryptocurrency.
Cloud security firm Wiz tracks the activity under the name SeleniumGreed. The attack targets older versions of Selenium (before 3.141.59) and is believed to have been running since at least April 2023.
“Unbeknownst to most users, the Selenium WebDriver API allows for full interaction with the machine itself, including reading and downloading files and executing remote commands,” said Wiz researchers Avigayil Mechtinger, Gili Tikochinski and Dor Laska.
“By default, the service does not enable authentication, which means that many public-facing instances are misconfigured and can be accessed and exploited for malicious purposes by anyone.”
Selenium Grid, part of the Selenium automated testing framework, enables you to run tests in parallel across multiple workloads, different browsers, and different browser versions.
“Selenium Grid must be protected from external access with appropriate firewall permissions,” the project’s maintainers warn in a support document, saying that failing to do so could allow third parties to execute arbitrary binaries and gain access to internal web applications and files.
It is currently unknown who is behind this attack campaign, but the threat actors are targeting publicly available instances of Selenium Grid and leveraging the WebDriver API to execute Python code that downloads and executes the XMRig miner.
First, the attacker sends a request to a vulnerable Selenium Grid hub and executes a Python program containing a Base64-encoded payload in order to spawn a reverse shell to an attacker-controlled server (“164.90.149(.)104”) and retrieve the final payload (a modified version of the open-source XMRig miner).
“Instead of hard-coding pool IPs in the miner’s configuration, we dynamically generate them at runtime,” the researchers explain. “We also configure XMRig’s TLS fingerprinting functionality within the added code (and in the configuration) to ensure the miner only communicates with servers controlled by the threat actor.”
The IP addresses in question are said to belong to legitimate services that have been compromised by the threat actors and have also been found to host publicly available Selenium Grid instances.
Wiz said that newer versions of Selenium also allow for remote command execution and that it has identified over 30,000 instances exposed to remote command execution, so users should take steps to fix misconfigurations.
“Selenium Grid is not designed to be exposed to the internet and the default configuration does not enable authentication, allowing anyone with network access to the hub to interact with the nodes via APIs,” the researchers said.
“This service poses a significant security risk if deployed on a machine with a public IP that has insufficient firewall policies.”
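One way for a defender to inventory their own hubs for this misconfiguration, as an added example that is not code from the article or from the Wiz report: it requests a hub's /status endpoint and treats a 200 JSON reply with no authentication challenge as an exposed instance. The /status layout assumed here follows Selenium 4's JSON (a `value` object carrying `ready` and `nodes`); the sample body and the node address are constructed.

```python
"""Exposure check for Selenium Grid hubs (added example, not Wiz's or Selenium's code)."""
import json
import urllib.error
import urllib.request

# Constructed sample of the JSON a Selenium 4 hub returns on GET /status.
SAMPLE_STATUS = json.dumps({
    "value": {
        "ready": True,
        "message": "Selenium Grid ready.",
        "nodes": [{"id": "n1", "uri": "http://10.0.0.5:5555",
                   "slots": [{"stereotype": {"browserName": "chrome"}}]}],
    }
})


def assess_grid_response(status_code: int, body: str) -> dict:
    """Classify a /status reply as protected, unreachable, not-a-grid, or exposed.

    An exposed hub answers 200 with a parsable Grid status and no auth challenge,
    which is exactly the state the campaign described above looks for.
    """
    if status_code in (401, 403):
        return {"state": "protected", "nodes": 0, "browsers": []}
    if status_code != 200:
        return {"state": "unreachable", "nodes": 0, "browsers": []}
    try:
        value = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return {"state": "not-a-grid", "nodes": 0, "browsers": []}
    nodes = value.get("nodes", [])  # Selenium 4 lists registered nodes here
    browsers = sorted({slot.get("stereotype", {}).get("browserName", "?")
                       for node in nodes for slot in node.get("slots", [])})
    state = "exposed" if value.get("ready") else "exposed-not-ready"
    return {"state": state, "nodes": len(nodes), "browsers": browsers}


def check_hub(base_url: str, timeout: float = 5.0) -> dict:
    """Fetch /status from a hub you operate and assess it (network call; not run by the test)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/status",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_grid_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess_grid_response(err.code, "")
    except (urllib.error.URLError, OSError):
        return {"state": "unreachable", "nodes": 0, "browsers": []}


if __name__ == "__main__":
    print(assess_grid_response(200, SAMPLE_STATUS))  # {'state': 'exposed', 'nodes': 1, 'browsers': ['chrome']}
```

Run `check_hub("http://<hub-host>:4444")` against each hub in your inventory; any result with state `exposed` reachable from outside the test network should be put behind a firewall or VPN, as the maintainers advise.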