
Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining


Jul 26, 2024, Newsroom

Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.

Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to have been underway since at least April 2023.

“Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands,” Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.


“By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes.”

Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.


“Selenium Grid must be protected from external access using appropriate firewall permissions,” the project maintainers warn in their support documentation, noting that failing to do so could allow third parties to run arbitrary binaries and access internal web applications and files.

Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and using the WebDriver API to run Python code responsible for downloading and running an XMRig miner.

It begins with the adversary sending a request to the vulnerable Selenium Grid hub with the aim of executing a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server (“164.90.149[.]104”) in order to fetch the final payload, a modified version of the open-source XMRig miner.

“Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime,” the researchers explained. “They also set XMRig’s TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor.”

The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.

Wiz said it is possible to execute remote commands on newer versions of Selenium as well, and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.

“Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API,” the researchers said.

“This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy.”
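Because the hub in these versions performs no authentication, one compensating control (besides the firewalling the maintainers recommend) is to validate new-session requests at a reverse proxy before they reach a node. The Python check below is added here as an illustration and is not code from Wiz or from the Selenium project: it parses a new-session body in both the W3C and legacy shapes and flags any browser-options `binary` that is not on an allowlist; the allowlist paths and the two sample requests are constructed for the example.

```python
import json

# Browser-option capability keys that can carry a "binary" override
# (documented ChromeDriver, geckodriver and Edge WebDriver capabilities).
BROWSER_OPTION_KEYS = ("goog:chromeOptions", "moz:firefoxOptions", "ms:edgeOptions")

# Allowlist of browser executables a Grid node may be asked to launch.
# Assumed paths for illustration; tailor them to the node image in use.
ALLOWED_BINARIES = {"/usr/bin/google-chrome", "/usr/bin/chromium", "/usr/bin/firefox"}


def _candidate_capabilities(body):
    """Yield every capability object a new-session request can carry:
    W3C alwaysMatch / firstMatch and the legacy desiredCapabilities."""
    caps = body.get("capabilities") or {}
    if "alwaysMatch" in caps:
        yield caps["alwaysMatch"]
    for first_match in caps.get("firstMatch", []):
        yield first_match
    if "desiredCapabilities" in body:
        yield body["desiredCapabilities"]


def audit_new_session(raw_body):
    """Return findings for a new-session request body (JSON string).
    An empty list means every requested browser binary is allowlisted."""
    findings = []
    body = json.loads(raw_body)
    for cap in _candidate_capabilities(body):
        for key in BROWSER_OPTION_KEYS:
            opts = cap.get(key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get("binary")
            if binary is not None and binary not in ALLOWED_BINARIES:
                # Record the args too: they are what the binary would be launched with.
                findings.append(f"{key}.binary outside allowlist: {binary!r} "
                                f"args={opts.get('args', [])!r}")
    return findings


# Constructed sample requests for illustration (not taken from the campaign).
BENIGN = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome", "goog:chromeOptions": {"args": ["--headless"]}}}})
SUSPICIOUS = json.dumps({"desiredCapabilities": {
    "browserName": "chrome",
    "goog:chromeOptions": {"binary": "/tmp/not-a-browser", "args": ["run-me"]}}})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_new_session(body) or "no findings")
```

A request that fails the check should be rejected and logged with its source address, since a hub that accepts it will hand the binary to a node to execute.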
