Cybersecurity researchers are warning about an ongoing campaign that is exploiting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining.
Cloud security company Wiz, which tracks the campaign as SeleniumGreed, says it targets older Selenium releases (3.141.59 and earlier) and is believed to have been active since at least April 2023.
“Selenium WebDriver API allows full access to the machine, including file reading and downloading, and remote command execution, which many users are not aware of,” explained Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska in a blog post.
“Due to lack of authentication by default, many publicly accessible Selenium instances are improperly configured and can be exploited for malicious activities.”
Selenium Grid, a component of the Selenium browser-automation testing framework, distributes test execution across multiple machines so that tests can run in parallel on different browsers and browser versions. Clients submit new browser sessions to a central hub, which dispatches them to the nodes that actually drive the browsers.
“Selenium Grid should not be publicly accessible and proper firewall permissions should be in place,” warn the project maintainers in their documentation. Failure to secure it could lead to unauthorized access to internal applications and files.
The identity of the attackers behind this campaign is unknown, but they are exploiting publicly exposed Selenium Grid instances and using the WebDriver API to run Python code that downloads and executes an XMRig miner.
The attack begins with a request to an exposed Selenium Grid hub that makes it execute a Python program; that program spawns a reverse shell to an attacker-controlled server (“164.90.149[.]104”), from which a modified XMRig miner is fetched.
According to the researchers, the attackers dynamically generate the miner’s pool IP at runtime and ensure communication only with servers under their control using TLS fingerprinting.
The IP address itself belongs to a legitimate service that the attackers compromised; it hosts a publicly accessible Selenium Grid instance of its own, which suggests the attackers are staging their infrastructure on earlier victims.
Wiz says it has identified more than 30,000 internet-exposed instances that are open to remote command execution, and notes that the problem is not confined to the old releases currently being targeted: newer versions of Selenium are also affected when deployed this way, which underlines the need to lock down these misconfigured setups.
“Selenium Grid lacks authentication and can be accessed by anyone with network access, posing a significant security risk if deployed on a machine with inadequate firewall protection,” cautioned the researchers.
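Because the hub performs no authentication of its own, the only evidence of abuse is in the network path in front of it. The script below is an added example (not code from the Wiz report or the Selenium project) that scans a reverse-proxy access log for WebDriver session-creation requests, the call that starts a browser on the grid, and flags any that originate outside the networks your test runners live on. It assumes the hub sits behind an nginx-style proxy writing the standard `combined` log format; the CIDR ranges, IP addresses and log lines are constructed for illustration.

```python
"""Flag Selenium Grid session-creation requests from unexpected networks.

Added example, not part of the original article or the Selenium project.
Assumes the hub is fronted by a reverse proxy writing nginx 'combined'
access logs; all addresses, ranges and log lines below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Networks permitted to talk to the hub (assumed, replace with your own).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # CI runners (assumed)
    ipaddress.ip_network("192.168.50.0/24"),  # developer VLAN (assumed)
]

# nginx 'combined' format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# POST to the session collection creates a new browser session; on an
# exposed hub this is the request an attacker has to make first.
SESSION_PATHS = ("/wd/hub/session", "/session")


def is_session_create(method: str, path: str) -> bool:
    """True for a new-session request, ignoring query strings and trailing '/'."""
    clean = path.split("?", 1)[0].rstrip("/")
    return method == "POST" and clean in SESSION_PATHS


def is_allowed(ip: str) -> bool:
    """True when the source address falls inside one of ALLOWED_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def find_unauthorized_sessions(lines: Iterable[str]) -> list[dict]:
    """Return session-creation requests whose source is outside the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        if not is_session_create(m["method"], m["path"]):
            continue
        if is_allowed(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "time": m["time"], "path": m["path"],
                     "status": m["status"], "ua": m["ua"]})
    return hits


# Constructed sample log (not real traffic); external IPs use documentation ranges.
SAMPLE_LOG = """\
10.20.3.7 - - [10/Jul/2024:09:12:01 +0000] "POST /wd/hub/session HTTP/1.1" 200 812 "-" "selenium/4.22.0 (python linux)"
10.20.3.7 - - [10/Jul/2024:09:12:02 +0000] "POST /wd/hub/session/abc123/url HTTP/1.1" 200 14 "-" "selenium/4.22.0 (python linux)"
203.0.113.45 - - [10/Jul/2024:09:14:30 +0000] "GET /wd/hub/status HTTP/1.1" 200 310 "-" "python-requests/2.31.0"
203.0.113.45 - - [10/Jul/2024:09:14:31 +0000] "POST /wd/hub/session HTTP/1.1" 200 790 "-" "python-requests/2.31.0"
192.168.50.12 - - [10/Jul/2024:09:20:00 +0000] "POST /session HTTP/1.1" 200 805 "-" "selenium/3.141.0 (java linux)"
198.51.100.9 - - [10/Jul/2024:09:21:45 +0000] "POST /session?x=1 HTTP/1.1" 500 120 "-" "curl/8.4.0"
"""


if __name__ == "__main__":
    for hit in find_unauthorized_sessions(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} session from {hit['ip']} ({hit['ua']}) -> {hit['status']}")
```

Point it at a real log with `find_unauthorized_sessions(open("/var/log/nginx/access.log"))`. Two of the six sample requests are flagged: the session created from 203.0.113.45 and the attempt from 198.51.100.9; the status probe from 203.0.113.45 is not a session call and is ignored, as is the in-session `/url` command. Note that a hit from outside the allowlist is not a detection to tune, it is proof the hub is reachable from where it should not be; the fix the researchers and the Selenium maintainers describe is to bind the hub to a private interface and restrict its port at the firewall, with this kind of log review serving only as a check that the restriction holds.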
Operators running Selenium Grid should therefore fix the misconfiguration, by keeping the hub off the public internet and restricting network access to it, to prevent unauthorized access and exploitation.