Surge in Cryptocurrency Mining Exploits Targets Vulnerable Selenium Grid Services


Cybersecurity experts are raising concerns over a disturbing trend in which malicious actors are exploiting exposed, vulnerable Selenium Grid instances for unauthorized cryptocurrency mining. This ongoing campaign, tracked by cloud security firm Wiz under the name SeleniumGreed, primarily targets outdated versions of the Selenium automation tool and has been active since at least April 2023.

Exploited Selenium Grid Instances

Selenium Grid, a component of the widely used Selenium testing framework, facilitates parallel test execution across various environments. However, it appears that many instances of Selenium Grid are inadequately secured. According to Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska, the Selenium WebDriver API provides extensive access to the host machine, including file reading, downloading, and command execution. Unfortunately, many older versions of Selenium Grid (3.141.59 and earlier) lack built-in authentication, leaving them vulnerable to exploitation.

The researchers emphasize that without proper firewall protections, these publicly accessible Selenium Grid instances are prone to unauthorized access. This misconfiguration allows attackers to exploit the service for nefarious purposes, including illicit cryptocurrency mining. The Selenium Grid project maintainers have warned that exposing the service to external access without appropriate safeguards could permit third parties to run arbitrary binaries and access sensitive internal data.

Mechanics of the Attack

The attack begins when adversaries target a vulnerable Selenium Grid hub by sending requests designed to execute Python scripts. These scripts contain Base64-encoded payloads that establish a reverse shell connection to an attacker-controlled server with the IP address “164.90.149[.]104.” Through this connection, the final payload—a modified version of the open-source XMRig miner—is delivered.

The modified XMRig miner is unique in that it does not hardcode the pool IP address but generates it dynamically during runtime. Additionally, the malware utilizes XMRig’s TLS fingerprint feature (https://github.com/xmrig/xmrig/issues/758), which ensures that the miner only communicates with servers controlled by the threat actor. This technique enhances the attack’s stealth and effectiveness, making it harder for victims to detect and mitigate the intrusion.

Mitigation and Recommendations

Wiz has discovered over 30,000 exposed, vulnerable Selenium Grid instances susceptible to remote command execution, highlighting the urgent need for remediation. The researchers stress that Selenium Grid was not designed for internet exposure, and its default settings lack authentication, which poses significant security risks if deployed on machines with public IP addresses.

To protect against such vulnerabilities, Wiz advises users to secure their Selenium Grid services by implementing stringent firewall policies and disabling unnecessary external access. Ensuring proper configuration and applying updates to the latest versions of Selenium can help mitigate the risk of such attacks.
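The two conditions the article combines into the risk case are a hub that answers from a public address and a Grid release of 3.141.59 or earlier. The script below is an added example for auditing your own deployments; it is not Wiz's tooling or Selenium's code. It assumes the hub's status endpoint (`/status` on Grid 4, `/wd/hub/status` on Grid 3) returns JSON with a `value.build.version` field, and the sample responses embedded in it are constructed, not captured from any real host.

```python
"""Selenium Grid exposure audit (added example; assumptions noted inline)."""
import json
import re
import urllib.request
from typing import Optional
from urllib.error import URLError

# Threshold from the article: 3.141.59 and earlier ship without built-in authentication.
LAST_UNAUTHENTICATED_VERSION = (3, 141, 59)


def parse_version(text: str) -> tuple:
    """Turn '3.141.59' or '4.23.0 (revision abc123)' into a comparable int tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_legacy_version(version: str) -> bool:
    """True when the reported release is 3.141.59 or older."""
    return parse_version(version) <= LAST_UNAUTHENTICATED_VERSION


def grid_version_from_status(status_json: str) -> Optional[str]:
    """Read value.build.version from a status body (assumed layout); None if absent."""
    try:
        doc = json.loads(status_json)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    build = doc.get("value", {}).get("build", {})
    version = build.get("version") if isinstance(build, dict) else None
    return version if isinstance(version, str) else None


def assess(status_json: str, reachable_from_internet: bool) -> dict:
    """Rate one hub: public reachability plus a legacy release is the article's high-risk case."""
    version = grid_version_from_status(status_json)
    legacy = version is not None and is_legacy_version(version)
    findings = []
    if reachable_from_internet:
        findings.append("hub answers from a public address; restrict it with firewall rules")
    if legacy:
        findings.append(f"version {version} predates built-in authentication; upgrade")
    if version is None:
        findings.append("could not read a version from the status response; verify manually")
    if reachable_from_internet and legacy:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {"version": version, "legacy": legacy, "public": reachable_from_internet,
            "severity": severity, "findings": findings}


def fetch_status(base_url: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch the status document from a hub you operate, trying the Grid 4 then Grid 3 path.

    Run this from an external vantage point to learn whether the hub is publicly reachable.
    """
    for path in ("/status", "/wd/hub/status"):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return resp.read().decode("utf-8", "replace")
        except (URLError, OSError):
            continue
    return None


# Constructed sample responses, shaped like the assumed status layout (not real captures).
SAMPLE_GRID3_STATUS = json.dumps({
    "status": 0,
    "value": {"ready": True, "message": "Hub has capacity", "build": {"version": "3.141.59"}},
})
SAMPLE_GRID4_STATUS = json.dumps({
    "value": {"ready": True, "message": "Selenium Grid ready.",
              "build": {"version": "4.23.0 (revision 24f2ee3a3f)"}},
})

if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for name, body, public in (("grid3-public", SAMPLE_GRID3_STATUS, True),
                               ("grid4-internal", SAMPLE_GRID4_STATUS, False)):
        print(name, json.dumps(assess(body, public), indent=2))
```

Feed `fetch_status()` the result of a probe made from outside your network to fill in `reachable_from_internet`; a "high" rating means both of the article's conditions hold and the hub should be firewalled off and upgraded.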

As the cybersecurity landscape continues to evolve, it remains crucial for organizations to be vigilant about securing their testing frameworks and other exposed services to prevent unauthorized exploitation.
