Cloud security giant Wiz has detailed a campaign in which threat actors have targeted exposed Selenium Grid instances for cryptocurrency mining.
Selenium Grid is a popular open source testing framework for web applications, enabling users to conduct tests that simulate user interactions across various browsers and environments. According to Wiz, Selenium is present in 30% of cloud environments and the official docker image has more than 100 million pulls in Docker Hub.
The Selenium WebDriver API enables the automation of user interaction on web browsers, including remotely running commands and reading and downloading files.
According to Wiz, cybercriminals noticed that authentication is not enabled by default for this API, allowing them to abuse internet-exposed instances.
Selenium Grid developers have posted a warning on the project’s website, urging users to protect the service from external access, but Wiz found that there are more than 30,000 internet-exposed instances that can be targeted by hackers.
In the attacks observed by Wiz — the company tracks it as the SeleniumGreed campaign — threat actors have abused the WebDriver API to run Python with a reverse shell to deploy scripts designed to download a Monero cryptocurrency miner.
There is evidence that the campaign has been running for more than a year, but Wiz believes it’s the first to publicly document how the Selenium misconfiguration is being exploited by threat actors.
“We witnessed the threat actor utilizing older versions of Selenium (v3.141.59) to run remote commands. However, we confirmed this is also possible on the latest versions (v4 and above) of Selenium Grid,” Wiz explained.
The cloud security firm shared its findings with threat intelligence firm GreyNoise, which found evidence that other mining campaigns are also leveraging exposed Selenium Grid instances.
Wiz has made available indicators of compromise (IoCs) that can be used to detect SeleniumGreed attacks. Recommendations for defenders are also available.
Related: SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access
Related: Wiz Says 62% of AWS Environments Exposed to Zenbleed Exploitation
Related: Wiz to Pursue IPO as It Walks Away From $23 Billion Google Deal