
Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which targets older versions of Selenium (3.141.59 and prior), is believed to have been underway since at least April 2023.
“Unbeknownst to most users, the Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands,” Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said.

“By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and abused for malicious purposes.”
Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, different browsers, and various browser versions.

“Selenium Grid must be protected from external access using appropriate firewall permissions,” the project maintainers warn in the support documentation, noting that failing to do so could allow third parties to run arbitrary binaries and access internal web applications and files.
Exactly who is behind the attack campaign is currently not known. However, it involves the threat actor targeting publicly exposed instances of Selenium Grid and using the WebDriver API to run Python code responsible for downloading and running an XMRig miner.
It starts with the adversary sending a request to the vulnerable Selenium Grid hub with the intent to execute a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server (“164.90.149[.]104”) in order to fetch the final payload, a modified version of the open-source XMRig miner.
“Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime,” the researchers explained. “They also set XMRig’s TLS-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor.”
The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it has also been found to host a publicly exposed Selenium Grid instance.
Wiz said it is possible to execute remote commands on newer versions of Selenium as well, and that it identified more than 30,000 instances exposed to remote command execution, making it imperative that users take steps to close the misconfiguration.
“Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API,” the researchers said.
“This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall protection.”
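Because the hub performs no authentication by default, the only reliable signal of abuse is who is creating WebDriver sessions. As an added example (not code from the article or from Wiz), the following detection logic parses constructed access-log lines from a reverse proxy assumed to sit in front of a Selenium Grid hub and flags session creations from clients outside an assumed allowlist of CI runner networks:

```python
import ipaddress
import re

# Constructed sample: combined-format access log lines from a reverse proxy
# in front of a Selenium Grid hub (assumed deployment; not real data).
SAMPLE_LOG = """\
10.0.4.12 - - [12/Jul/2024:09:14:01 +0000] "POST /wd/hub/session HTTP/1.1" 200 512
10.0.4.13 - - [12/Jul/2024:09:14:05 +0000] "GET /wd/hub/status HTTP/1.1" 200 300
203.0.113.45 - - [12/Jul/2024:09:20:33 +0000] "POST /wd/hub/session HTTP/1.1" 200 512
203.0.113.45 - - [12/Jul/2024:09:20:34 +0000] "GET /wd/hub/status HTTP/1.1" 200 300
198.51.100.7 - - [12/Jul/2024:10:02:10 +0000] "POST /session HTTP/1.1" 200 480
172.16.8.9 - - [12/Jul/2024:10:05:00 +0000] "DELETE /wd/hub/session/abc123 HTTP/1.1" 200 10
"""

# Assumed allowlist: the networks the organisation's CI runners live in.
# Any other client that opens a session is untrusted, since the hub itself
# does not authenticate callers by default.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Match session creation both under the /wd/hub prefix and at the bare path.
SESSION_CREATE_RE = re.compile(r'^(?:/wd/hub)?/session/?$')

def parse_line(line: str) -> dict:
    """Return the fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def is_allowed_source(ip: str) -> bool:
    """True only if the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable source: fail closed, treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def find_untrusted_session_creations(log_text: str) -> list:
    """Flag POST /session requests (new WebDriver sessions) from non-allowlisted clients."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if SESSION_CREATE_RE.match(rec["path"]) and not is_allowed_source(rec["ip"]):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"]})
    return hits
```

Run over the sample, the two session creations from 203.0.113.45 and 198.51.100.7 are reported while the in-allowlist traffic and the session-delete request are ignored; in practice the allowlist should mirror the firewall rules the maintainers recommend, so any hit means the perimeter is not doing its job.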