Ongoing Cyberattack Exploits Vulnerable Selenium Grid Services for Cryptocurrency Mining

Cybersecurity researchers are raising urgent concerns over a troubling campaign exploiting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining. This activity, tracked by cloud security firm Wiz under the name SeleniumGreed, targets outdated versions of Selenium, specifically those released before 3.141.59, and has reportedly been active since at least April 2023.

Wiz’s researchers, Avigayil Mechtinger, Gili Tikochinski, and Dor Laska, highlighted a critical vulnerability: the Selenium WebDriver API allows comprehensive interaction with the host machine, including reading files, executing remote commands, and downloading software. Because the service ships with no authentication by default, many openly accessible instances are misconfigured and susceptible to abuse by malicious actors.

Selenium Grid, a component of the Selenium automated testing framework, facilitates the simultaneous execution of tests across various workloads and browser configurations. However, if proper firewall protections are not in place, it can become an easy target for intruders. The project maintainers emphasize the importance of safeguarding Selenium Grid against external access, warning that negligence in this area could allow adversaries to run arbitrary binaries and exploit internal applications.

The group behind this campaign remains unidentified, but the evidence indicates it is targeting publicly accessible Selenium Grid instances. Using the WebDriver API, the attackers submit Python scripts that download and execute an XMRig cryptocurrency miner. In a compromised instance, the attackers send requests to the vulnerable hub that run a Python program carrying a Base64-encoded payload, which establishes a reverse shell connection to a server under their control.

Research indicates that the command-and-control server linked to these activities is a legitimate service that has itself been found to host a publicly exposed Selenium Grid instance. The researchers discovered over 30,000 instances susceptible to remote command execution, underscoring the pressing need for users to rectify misconfigurations. Wiz warns that, by default, Selenium Grid permits access to any user who can reach the hub over the network, creating a significant security risk if the service is deployed on systems with public IP addresses and insufficient firewall policies.

In light of these concerns, a July 31, 2024 advisory from Selenium urged users to upgrade to the latest version to mitigate potential threats. The recommendation aligns with their design principle that emphasizes placing their service behind a secure network to fend off potential misuse. They further suggested utilizing cloud providers to run Selenium Grid instances, enhancing security by limiting direct exposure to the internet.
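As an added illustration of that advice (not configuration from the article or from the Selenium project), the following docker-compose layout shows the exposed setting beside a corrected one. The image names and SE_EVENT_BUS_* variables are those used by the docker-selenium images; the network name, tag and surrounding layout are assumptions for this example.

```yaml
# Added example, not part of the original article or the Selenium project.
#
# WEAK: "4444:4444" publishes the hub's WebDriver API and Grid UI on every host
# interface. On a host with a public IP and no firewall this is exactly the
# unauthenticated exposure described above.
#
#   hub:
#     image: selenium/hub:latest
#     ports:
#       - "4444:4444"
#
# CORRECTED: bind the hub to the host's loopback address only, keep hub<->node
# traffic on a private Docker network, and reach port 4444 through a VPN,
# bastion or authenticating reverse proxy rather than from the internet.
services:
  hub:
    image: selenium/hub:latest          # pin to a specific release tag in practice
    networks: [grid]                    # "grid" is an assumed network name
    ports:
      - "127.0.0.1:4444:4444"           # host-local only; not reachable from outside
    # Event-bus ports 4442/4443 are deliberately not published; nodes reach
    # them over the private "grid" network by service name.

  chrome:
    image: selenium/node-chrome:latest
    networks: [grid]
    depends_on: [hub]
    environment:
      - SE_EVENT_BUS_HOST=hub
      - SE_EVENT_BUS_PUBLISH_PORT=4442
      - SE_EVENT_BUS_SUBSCRIBE_PORT=4443
    shm_size: 2gb                       # browsers need a larger /dev/shm

networks:
  grid: {}                              # private bridge network for hub and nodes
```

Pair the loopback binding with a host firewall rule that denies inbound 4444/4442/4443, so that a later change to the port mapping does not silently re-expose the hub.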

In summary, this ongoing campaign represents a sophisticated exploitation of misconfigured cloud resources, with attackers leveraging the Selenium Grid’s inherent vulnerabilities to covertly mine cryptocurrencies. Business owners, particularly those relying on Selenium for testing, are strongly advised to reassess their security configurations and implement necessary updates to protect against these emerging threats. The incident maps to multiple MITRE ATT&CK tactics, such as initial access through vulnerabilities, persistence via malicious payloads, and privilege escalation through misconfigured services.
