Selenium Grid Instances Exploited for Cryptomining

Share This Post

Cloud security giant Wiz has detailed a campaign in which threat actors have targeted exposed Selenium Grid instances for cryptocurrency mining.

Selenium Grid is a popular open source testing framework for web applications, enabling users to conduct tests that simulate user interactions across various browsers and environments. According to Wiz, Selenium is present in 30% of cloud environments and the official docker image has more than 100 million pulls in Docker Hub. 

The Selenium WebDriver API enables the automation of user interaction on web browsers, including remotely running commands and reading and downloading files. 

According to Wiz, cybercriminals noticed that authentication is not enabled by default for this API, allowing them to abuse internet-exposed instances. 

Selenium Grid developers have posted a warning on the project’s website, urging users to protect the service from external access, but Wiz found that there are more than 30,000 internet-exposed instances that can be targeted by hackers.

In the attacks observed by Wiz — the company tracks it as the SeleniumGreed campaign — threat actors have abused the WebDriver API to run Python with a reverse shell to deploy scripts designed to download a Monero cryptocurrency miner.

There is evidence that the campaign has been running for more than a year, but Wiz believes it’s the first to publicly document how the Selenium misconfiguration is being exploited by threat actors. 

“We witnessed the threat actor utilizing older versions of Selenium (v3.141.59) to run remote commands. However, we confirmed this is also possible on the latest versions (v4 and above) of Selenium Grid,” Wiz explained. 

Advertisement. Scroll to continue reading.

The cloud security firm shared its findings with threat intelligence firm GreyNoise, which found evidence that other mining campaigns are also leveraging exposed Selenium Grid instances. 

Wiz has made available indicators of compromise (IoCs) that can be used to detect SeleniumGreed attacks. Recommendations for defenders are also available.

Related: SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access

Related: Wiz Says 62% of AWS Environments Exposed to Zenbleed Exploitation

Related: Wiz to Pursue IPO as It Walks Away From $23 Billion Google Deal 

This post was originally published on this site

More Articles

Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.