Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which targets older versions of Selenium (3.141.59 and prior), is believed to have been underway since at least April 2023.
"Unbeknownst to most users, Selenium WebDriver API allows full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.

"By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes."
Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.

"Selenium Grid must be protected from external access using appropriate firewall permissions," the project maintainers warn in the support documentation, noting that failing to do so could allow third parties to run arbitrary binaries and access internal web applications and files.
Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and making use of the WebDriver API to run Python code responsible for downloading and running an XMRig miner.
It starts with the adversary sending a request to the vulnerable Selenium Grid hub with the aim of executing a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server ("164.90.149[.]104") in order to fetch the final payload, a modified version of the open-source XMRig miner.
"Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime," the researchers explained. "They also set XMRig's TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor."
The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.
Wiz said it is possible to execute remote commands on newer versions of Selenium as well, and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.
"Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API," the researchers said.
"This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy."
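The practical check that follows from the maintainers' warning is whether one of your own hubs answers its status endpoint to anyone who can reach it. The script below is an added example, not code from the article or from Wiz or the Selenium project: it queries the public Grid status endpoints (`/status` on Grid 4, `/wd/hub/status` on Grid 3), reports whether the hub replied without credentials, and flags versions at or below 3.141.59; the JSON layout it parses (`value.build.version` on Grid 3, `value.nodes[].version` on Grid 4) is an assumption about the Grid status format, not something the article states.

```python
"""Audit a Selenium Grid hub you operate: does it answer /status unauthenticated,
and is it one of the legacy versions (3.141.59 and prior) the campaign targets?"""
import json
import sys
import urllib.request
from urllib.error import HTTPError, URLError

LEGACY_MAX = (3, 141, 59)                     # versions <= this are the campaign's targets
STATUS_PATHS = ("/status", "/wd/hub/status")  # Grid 4 path first, then the Grid 3 hub path


def parse_version(text):
    """'3.141.59' -> (3, 141, 59); trailing tags such as ' (revision ...)' are dropped."""
    parts = []
    for chunk in text.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def classify_status(doc):
    """Summarise a parsed status body. Assumed layout: Grid 3 reports
    value.build.version, Grid 4 reports a version on each entry of value.nodes."""
    value = doc.get("value", {})
    versions = []
    if "version" in value.get("build", {}):
        versions.append(value["build"]["version"])
    versions += [n["version"] for n in value.get("nodes", []) if "version" in n]
    legacy = any(parse_version(v)[:3] <= LEGACY_MAX for v in versions)
    return {
        "unauthenticated": True,  # only reached when the hub answered with no credentials
        "ready": bool(value.get("ready", False)),
        "nodes": len(value.get("nodes", [])),
        "versions": sorted(set(versions)),
        "legacy_version": legacy,
    }


def fetch_status(base_url, timeout=5):
    """Return (path, finding) for the first status path that answers, or a reason
    string when the hub enforces authentication or nothing is reachable."""
    for path in STATUS_PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
                return path, classify_status(json.load(resp))
        except HTTPError as err:
            if err.code in (401, 403):
                return path, "authentication enforced"
        except (URLError, ValueError, OSError):
            continue  # unreachable, timed out, or not JSON: try the next path
    return None, "no status endpoint reachable"


if __name__ == "__main__":
    print(fetch_status(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:4444"))
```

A hub that returns a finding with `unauthenticated: True` from an address outside your network is the misconfiguration described above, whatever its version; restrict the port with firewall rules before anything else.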