Selenium Grid instances exposed to the internet have been targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.
“Selenium Grid is a server that makes it easy to run test cases in parallel across different browsers and versions,” Cado Security researchers Tara Gould and Nate Bill wrote in an analysis published today.
“However, Selenium Grid’s default configuration lacks authentication, making it vulnerable to exploitation by threat actors.”
The act of exploiting publicly accessible Selenium Grid instances to deploy cryptocurrency miners was previously noted by cloud security firm Wiz in late July 2024 as part of a cluster of activity dubbed SeleniumGreed.
Cado said it has observed two separate attacks against its honeypot servers, with threat actors exploiting the lack of authentication protections to carry out a range of malicious activities.
The first one utilizes the “goog:chromeOptions” dictionary to inject a Base64-encoded Python script, which then retrieves a script named “y”, an open-source GSocket reverse shell.
The reverse shell then acts as a medium to introduce the next-stage payload, a bash script named “pl” that uses curl and wget commands to retrieve IPRoyal Pawns and EarnFM from a remote server.
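Because an unauthenticated Grid accepts any new-session request, the practical detection point is the `POST /session` body itself. The following is an added example, not code from Cado Security or the Selenium project: it inspects W3C new-session capabilities for a `goog:chromeOptions` block whose `binary` is not a known browser (for instance an interpreter) or whose `args` carry a long Base64 blob, and runs that check over constructed JSON-lines log records. It assumes the abuse arrives through the `binary`/`args` keys (the article only names the dictionary), that request bodies are available from a reverse proxy or application log, and that `EXPECTED_BINARIES` is a placeholder list to be replaced with the paths installed on your nodes.

```python
from __future__ import annotations

import base64
import json
import re

# Placeholder list of browser binaries a legitimate node is expected to launch
# (assumption: replace with the paths actually installed on your nodes).
EXPECTED_BINARIES = {
    "",  # no "binary" key: the node launches its default Chrome
    "/usr/bin/google-chrome",
    "/usr/bin/chromium",
    "/opt/google/chrome/chrome",
}
# Interpreters an attacker would point "binary" at to run code instead of a browser.
INTERPRETER_RE = re.compile(r"(^|/)(python[0-9.]*|perl|sh|bash|node|ruby)$")
# A long run of base64-alphabet characters inside a single argument.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _chrome_options(caps: dict) -> list[dict]:
    """Collect every goog:chromeOptions dict from W3C alwaysMatch/firstMatch capabilities."""
    found = []
    if "goog:chromeOptions" in caps.get("alwaysMatch", {}):
        found.append(caps["alwaysMatch"]["goog:chromeOptions"])
    for fm in caps.get("firstMatch", []):
        if "goog:chromeOptions" in fm:
            found.append(fm["goog:chromeOptions"])
    return found


def inspect_new_session(body: str) -> list[str]:
    """Return findings for one POST /session request body; an empty list means clean."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return ["unparseable JSON body"]
    findings: list[str] = []
    for opts in _chrome_options(req.get("capabilities", {})):
        binary = opts.get("binary", "")
        if binary not in EXPECTED_BINARIES:
            findings.append(f"unexpected browser binary: {binary}")
        if INTERPRETER_RE.search(binary):
            findings.append(f"binary points at an interpreter: {binary}")
        for arg in opts.get("args", []):
            m = BASE64_RE.search(arg)
            if not m:
                continue
            try:
                decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
                preview = decoded[:60]
            except ValueError:
                preview = "<not decodable>"
            findings.append(f"base64 blob in argument, decodes to: {preview!r}")
    return findings


def scan_session_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run inspect_new_session over JSON-lines log records; return (client, findings) pairs."""
    flagged = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("path", "").endswith("/session"):
            findings = inspect_new_session(rec["body"])
            if findings:
                flagged.append((rec["remote_addr"], findings))
    return flagged


# Constructed sample data: one ordinary headless-Chrome session request and one
# that swaps the browser for python3 with a harmless Base64 payload.
SAMPLE_B64 = base64.b64encode(b"print('constructed sample payload')").decode()
LEGIT_BODY = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {"args": ["--headless=new", "--window-size=1280,800"]}}}})
SUSPECT_BODY = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {
        "binary": "/usr/bin/python3",
        "args": ["-c", f"import base64;exec(base64.b64decode('{SAMPLE_B64}'))"]}}}})
SAMPLE_LOG = [  # constructed records; addresses are documentation ranges
    json.dumps({"remote_addr": "198.51.100.12", "path": "/wd/hub/session", "body": LEGIT_BODY}),
    json.dumps({"remote_addr": "203.0.113.7", "path": "/wd/hub/status", "body": ""}),
    json.dumps({"remote_addr": "203.0.113.7", "path": "/wd/hub/session", "body": SUSPECT_BODY}),
]

if __name__ == "__main__":
    for addr, found in scan_session_log(SAMPLE_LOG):
        print(addr)
        for item in found:
            print("  -", item)
```

Only the session request from 203.0.113.7 is flagged, with three findings: the unexpected binary, the interpreter match, and the decoded Base64 preview. Matching on the binary path rather than on the payload is the durable part of the rule; the Base64 check is a convenience for triage, since a real payload can be split across arguments or fetched at runtime, as the article's reverse-shell stage shows.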
“IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money,” Cado said.
“Users’ internet connections are shared with the IPRoyal network and the service uses bandwidth as a residential proxy, making it available for a variety of purposes, including malicious ones.”
EarnFM is also a proxyware solution that is being touted as a “groundbreaking” way to generate passive income online simply by sharing your internet connection.
The second attack follows the same route as the proxyjacking campaign, delivering a bash script via a Python script that checks if it is being run on a 64-bit machine before dropping a Golang-based ELF binary.
The ELF file then attempts to escalate to root privileges by exploiting a PwnKit vulnerability (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.
“Many organizations utilize Selenium Grid for web browser testing, and this attack further highlights how misconfigured instances can be exploited by threat actors,” the researchers said. “Users should ensure that authentication is configured, as authentication is not enabled by default.”