Cybersecurity researchers have uncovered an ongoing campaign that abuses internet-exposed Selenium Grid services for illicit cryptocurrency mining. The operation, tracked as SeleniumGreed, targets instances running outdated releases of the Selenium Grid framework (version 3.141.59 and earlier). Selenium Grid, part of the Selenium automated testing suite, distributes browser tests across many machines so they run in parallel, and it ships with no authentication enabled by default: any client that can reach the hub over HTTP can drive it. The project treats the Grid as internal tooling, so nothing in the default configuration stops abuse once the service is reachable from untrusted networks.
The attackers behind SeleniumGreed abuse the WebDriver API itself rather than any software bug. When a client asks an exposed hub for a new session, it can dictate how the node launches the browser, including which executable is run and with what arguments, which on an unauthenticated Grid amounts to remote command execution on the node. The attackers use this to make the node run a Python one-liner carrying a Base64-encoded payload. That payload spawns a reverse shell to an attacker-controlled server, from which the final stage, a modified build of the open-source XMRig miner, is downloaded and executed. The miner is configured to generate its pool IP addresses dynamically and to pin the pool's TLS fingerprint, so it will only talk to infrastructure under the attackers' control.
The activity has been ongoing since at least April 2023, and researchers at the cloud security firm Wiz have identified more than 30,000 Selenium Grid instances exposed to the internet and open to remote command execution. The missing authentication, combined with permissive firewall policies that leave the hub port reachable from anywhere, is what makes these deployments attractive: an exposed hub lets unauthenticated users start sessions on its nodes and run arbitrary commands there, which in this campaign means deploying a miner, but could just as easily mean full compromise of the node and anything it can reach.
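As an added example (not code from the original article, from Wiz, or from the Selenium project), the following Python script shows detection logic for the abuse described in the two paragraphs above. It assumes the bodies of POST /session (or /wd/hub/session) requests reaching the hub have been captured, for instance by a reverse proxy in front of the Grid, one JSON object per line; the sample requests and the Base64 "payload" (a harmless print() call) are constructed for the example. The shape of the abusive request, a browser binary overridden to an interpreter plus inline code in the launch arguments, follows the public description of the campaign and is an assumption about what such a capture would contain.

```python
"""Flag WebDriver new-session requests that turn a Selenium Grid node into a code runner.

Added example for this article (not Wiz's or the Selenium project's code). Assumes the
bodies of POST /session requests reaching the hub were captured, one JSON object per
line. All sample requests below are constructed; the "payload" is a harmless print().
"""
import base64
import json
import re
from dataclasses import dataclass

# Vendor-specific option objects through which a client may override the browser binary.
BROWSER_OPTION_KEYS = ("goog:chromeOptions", "ms:edgeOptions", "moz:firefoxOptions", "chromeOptions")
# A legitimate override points at a browser; anything else (python3, sh, perl ...) is suspect.
BROWSER_BINARY_RE = re.compile(r"chrom|firefox|edge|opera|brave|safari", re.I)
# Inline-code switches of common interpreters: python -c, sh -c, node/perl/ruby -e.
INLINE_CODE_SWITCHES = {"-c", "-e"}
SUSPICIOUS_TEXT_RE = re.compile(
    r"b64decode|base64|exec\(|eval\(|/dev/tcp|socket\.|subprocess|os\.system|curl |wget ", re.I)


@dataclass(frozen=True)
class Finding:
    reason: str
    detail: str


def capability_objects(body: dict) -> list:
    """Collect every capability object a W3C (alwaysMatch/firstMatch) or legacy body carries."""
    caps = []
    w3c = body.get("capabilities")
    if isinstance(w3c, dict):
        if isinstance(w3c.get("alwaysMatch"), dict):
            caps.append(w3c["alwaysMatch"])
        caps.extend(c for c in (w3c.get("firstMatch") or []) if isinstance(c, dict))
    if isinstance(body.get("desiredCapabilities"), dict):
        caps.append(body["desiredCapabilities"])
    return caps


def decode_b64_blobs(text: str) -> str:
    """Return the text plus the decoded form of any embedded base64 run, so the keyword
    check also sees payloads hidden behind one layer of encoding."""
    extra = []
    for m in re.finditer(r"[A-Za-z0-9+/]{24,}={0,2}", text):
        try:
            extra.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError: not really base64, ignore it
            pass
    return "\n".join([text, *extra])


def inspect_new_session(body: dict) -> list:
    """Return findings for one new-session request body (empty list = nothing suspicious)."""
    findings = []
    for cap in capability_objects(body):
        for key in BROWSER_OPTION_KEYS:
            opts = cap.get(key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get("binary") if isinstance(opts.get("binary"), str) else ""
            args = [str(a) for a in (opts.get("args") or [])]
            non_browser = bool(binary) and not BROWSER_BINARY_RE.search(binary)
            if non_browser:
                findings.append(Finding("non-browser binary override", f"{key}.binary={binary}"))
            if non_browser and args and args[0] in INLINE_CODE_SWITCHES:
                findings.append(Finding("interpreter invoked with inline code", f"{key}.args={args[:2]}"))
            hit = SUSPICIOUS_TEXT_RE.search(decode_b64_blobs(" ".join(args)))
            if hit:
                findings.append(Finding("code-execution pattern in args", f"{key}.args matched {hit.group(0)!r}"))
    return findings


def scan_captured_bodies(lines) -> list:
    """Run inspect_new_session over captured JSON lines; returns (line_no, finding) pairs."""
    results = []
    for no, line in enumerate(lines, 1):
        try:
            body = json.loads(line)
        except ValueError:
            continue  # not a JSON body (blank line, access-log noise): skip, don't abort the scan
        if isinstance(body, dict):
            results.extend((no, f) for f in inspect_new_session(body))
    return results


# --- constructed samples (not real captures) -------------------------------------------
STANDIN_B64 = base64.b64encode(b'print("constructed stand-in payload")').decode()

BENIGN_SESSION = {"capabilities": {"alwaysMatch": {"browserName": "chrome",
    "goog:chromeOptions": {"args": ["--headless=new", "--no-sandbox", "--window-size=1280,800"]}}}}

# Assumed shape of an abusive request: the "browser" is the Python interpreter and its
# launch arguments carry an inline script that decodes and runs a base64 blob.
ABUSIVE_SESSION = {"capabilities": {"alwaysMatch": {"browserName": "chrome",
    "goog:chromeOptions": {"binary": "/usr/bin/python3",
        "args": ["-c", f"import base64;exec(base64.b64decode('{STANDIN_B64}'))"]}}}}

# Same idea over the legacy (pre-W3C) capability format that Grid 3.x clients still send.
LEGACY_ABUSIVE_SESSION = {"desiredCapabilities": {"browserName": "chrome",
    "chromeOptions": {"binary": "/bin/sh", "args": ["-c", "echo QUJD | base64 -d"]}}}

CAPTURED_LINES = [json.dumps(BENIGN_SESSION), "not json", json.dumps(ABUSIVE_SESSION),
                  json.dumps(LEGACY_ABUSIVE_SESSION)]

if __name__ == "__main__":
    for line_no, finding in scan_captured_bodies(CAPTURED_LINES):
        print(f"line {line_no}: {finding.reason}: {finding.detail}")
```

The binary-override check is the one that matters most: a test suite has no reason to tell a Grid node to launch /usr/bin/python3 or /bin/sh as its "browser", so that signal alone should page someone, while the keyword match on the arguments is a secondary indicator that will need tuning per fleet.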
To mitigate these risks, experts urge operators to restrict network access to Selenium Grid: the hub and nodes were never meant to be reachable from the internet, so they should listen only on private interfaces and sit behind firewall rules or an authenticating proxy that admits only the CI systems and test runners that need them. Upgrading to a current Selenium Grid release is still worthwhile, but it is not a fix on its own, because newer versions also run without authentication unless the operator explicitly enables it; network restriction remains the primary control. Any Grid that has been reachable from the internet should also be reviewed for unexpected sessions, unfamiliar browser binaries in session requests, and miner processes on the nodes.