Threat Actors Exploiting Selenium Grid Services For Cryptomining

Threat actors often exploit the cloud services for cryptomining, as doing so allows them to abuse the huge computational resources available. 

This enables them to significantly maximize their mining efficiency without bearing any cost.

Cybersecurity analysts at Wiz recently identified that threat actors had been actively exploiting the Selenium Grid services for cryptomining.

Selenium Grid Services For Cryptomining

The Selenium Grid services are exploited in the “SeleniumGreed” campaign to inject cryptominers.

Grid is part of Selenium, a popular web application testing suite that allows complete interaction with host machines without default security controls.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Several thousand exposed Selenium Grid instances were discovered online, often misconfigured and easily exploitable.

Selenium Grid architecture (Source – Wiz Research)

For C2 hosting and as the attackers use mining pool proxies, compromised nodes through Selenium WebDriver API inserting Python reverse shells deploying modified XMRig miners.

It shows the dangers inherent in exposing internal tools for testing on the web and stresses that using Selenium Grid requires proper security measures. 

The attackers leverage the ChromeOptions category, especially misusing the settings of the Chrome binary path and add_argument method to execute malicious Python scripts on compromised systems.

This vector of attack enables for the creation of reverse shells in addition to deploying cryptominers. Here below we have listed out all the techniques used:-

  • Timestomping for modification of file creation dates.
  • Employment of nohup to maintain execution that is persistent.
  • Custom UPX packing with a “CATS” header to avoid detection.
  • Modification of the sudoers file to limit access for other attackers.

While this campaign makes use of hijacked legitimate services for hosting payloads and miners that act as mining pool proxies.

Miners are set up with changing pool IP generation and individualized TLS fingerprinting, which ensures communication only with servers controlled by the attacker.

Exploit process tree (Source – Wiz Research)

This campaign, running for more than a year, reveals significant vulnerabilities in exposed Selenium Grid installations, underpinning the need for robust security measures during web application testing activities.

The ongoing nature of such threats highlights the importance of ensuring proper configuration and network separation between these test tools.

None of the Selenium Grid versions without proper authentication and network security are safe from remote command execution.

The “SeleniumGreed” campaign was primarily aimed at Selenium v3.141.59, though this threat could evolve to target its later versions. Wiz researchers said some other attackers might direct their attack toward newer versions, too.

This vulnerability reminds us that all Selenium Grid deployments must be secure enough to withstand any attack, regardless of what version they use.

Recommendations

Here below we have mentioned all the recommendations:-

  • Implement external network and vulnerability scanners.
  • Use runtime detection.
  • Apply network security controls with a firewall.
  • Allow only trusted IP ranges.
  • Allow traffic only to required endpoints.
  • Enable basic authentication for Selenium Grid instances.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

The post Threat Actors Exploiting Selenium Grid Services For Cryptomining appeared first on Cyber Security News.