Web-exposed Selenium Grid cases are being focused by dangerous actors for illicit cryptocurrency mining and proxyjacking campaigns.
“Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions,” Cado Safety researchers Tara Gould and Nate Invoice stated in an evaluation printed right this moment.
“However, Selenium Grid’s default configuration lacks authentication, making it vulnerable to exploitation by threat actors.”
The abuse of publicly-accessible Selenium Grid cases for deploying crypto miners was beforehand highlighted by cloud safety agency Wiz in late July 2024 as a part of an exercise cluster dubbed SeleniumGreed.
Cado, which noticed two completely different campaigns towards its honeypot server, stated the risk actors are exploiting the shortage of authentication protections to hold out malicious actions.
The primary of them leverage the “goog:chromeOptions” dictionary to inject a Base64-encoded Python script that, in flip, retrieves a script named “y,” which is the open-source GSocket reverse shell.
The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named “pl” that retrieves IPRoyal Pawn and EarnFM from a distant server through curl and wget instructions.
“IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money,” Cado stated.
“The user’s internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes.”
EarnFM can also be a proxyware answer that is marketed as a “ground-breaking” method to “generate passive income online by simply sharing your internet connection.”
The second assault, just like the proxyjacking marketing campaign, follows the identical path to ship a bash script through a Python script that checks if it is working on a 64-bit machine after which proceeds to drop a Golang-based ELF binary.
The ELF file subsequently makes an attempt to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner referred to as perfcc.
“As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors,” the researchers stated. “Users should ensure authentication is configured, as it is not enabled by default.”
