Threat actors exploit misconfigured Selenium Grid servers

August 8, 2024
Selenium Grid Cryptomining Cryptocurrency Cyberattack

Hackers are running an ongoing Monero cryptomining campaign that exploits misconfigured Selenium Grid servers. Based on reports, the attackers abuse this web app testing platform to deploy a customised XMRig tool for mining cryptocurrency.

This platform allows developers to automate testing across numerous workstations and browsers. It is also widely used in cloud environments, with over 100 million pulls on Docker Hub.

Researchers stated that the malicious activity, called SeleniumGreed, has been ongoing for over a year and exploits the platform’s lack of authentication in its default setup.


The exploit on Selenium Grid is possible due to a lack of authentication features.


Selenium Grid does not have an authentication mechanism enabled by default, so when an instance is publicly accessible, anyone can reach the app-testing service, acquire files, and run commands on it.

Selenium’s own warning describes the risks of internet-exposed instances and encourages users who need remote access to set up a firewall to block unauthorised connections. However, this warning alone has not been enough to prevent misconfiguration on a larger scale.

The researchers also explained that the attackers use the Selenium WebDriver API to change Chrome’s default binary path on the targeted instance to the Python interpreter. Next, they use the ‘add_argument’ method to pass a base64-encoded Python script as an argument.

Once the WebDriver receives a request to open Chrome, it launches the Python interpreter instead, which executes the supplied script. The Python script then spawns a reverse shell, giving the attackers remote access to the compromised instance.

Subsequently, the hackers use the Selenium user (‘seluser’), which can run sudo commands without a password, to install a custom XMRig miner on the infected instance and configure it to run in the background.

Lastly, the attackers use compromised Selenium node workloads as intermediate C2 servers for further infections and as mining pool proxies to evade security detection.
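The chain above starts with a session-creation request whose Chrome options point the browser binary at an interpreter and smuggle a base64 blob through the arguments. The following detection logic, an added example that is not part of the original report or of the Selenium project, scans captured WebDriver session request bodies (assumed to come from a reverse proxy or access log in front of the Grid) and flags those two indicators; the sample requests are constructed for the example.

```python
"""Flag WebDriver session-creation requests that abuse the Chrome binary override."""
import base64
import json
import re
from pathlib import PurePosixPath

# Binaries that should never stand in for a browser (assumed list; extend to taste).
INTERPRETERS = {"python", "sh", "bash", "perl", "ruby", "node"}
# A single argument token that looks like an encoded blob rather than a Chrome switch.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def chrome_options(request: dict) -> dict:
    """Return goog:chromeOptions from a W3C or legacy (desiredCapabilities) payload."""
    caps = (request.get("capabilities", {}).get("alwaysMatch")
            or request.get("desiredCapabilities", {}))
    return caps.get("goog:chromeOptions", {})


def findings(request_body: str) -> list[str]:
    """List the suspicious indicators found in one POST /session body (empty if clean)."""
    opts = chrome_options(json.loads(request_body))
    out = []
    binary = opts.get("binary")
    if binary:
        name = re.sub(r"[\d.]+$", "", PurePosixPath(binary).name)  # python3.11 -> python
        if name in INTERPRETERS:
            out.append(f"binary override to interpreter: {binary}")
    for arg in opts.get("args", []):
        if any(B64_TOKEN.match(tok) for tok in arg.split()):
            out.append(f"base64-like argument ({len(arg)} chars)")
            break
    return out


# Constructed sample requests: a normal headless session and one matching the abuse pattern.
BENIGN = json.dumps({"capabilities": {"alwaysMatch": {"browserName": "chrome",
    "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]}}}})
SAMPLE_BLOB = base64.b64encode(b"print('constructed sample, not a payload')\n" * 2).decode()
SUSPICIOUS = json.dumps({"capabilities": {"alwaysMatch": {"browserName": "chrome",
    "goog:chromeOptions": {"binary": "/usr/bin/python3", "args": [SAMPLE_BLOB]}}}})

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, findings(body))
```

Feed it every session-creation body the Grid receives; any non-empty result deserves an alert, and an empty result for a Grid that is reachable from the internet still leaves the root cause in place.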

The attackers are targeting earlier versions of Selenium, specifically from v3.141.59 onward. However, researchers confirmed that the exploitation still works on versions newer than version 4.

The attackers’ techniques are likely to evade discovery because they focus on poorly configured and unmonitored instances. Users should therefore pay closer attention to such exposed instances to avoid or mitigate the effects of this cryptomining campaign.
