Internet-exposed Selenium Grid servers are being targeted by cybercriminals for illicit cryptocurrency mining and proxyjacking operations, according to a new analysis by Cado Security researchers Tara Gould and Nate Bill.
Selenium Grid, a popular tool that allows for parallel execution of web testing across multiple browsers and versions, comes with a significant security vulnerability: its default configuration lacks authentication. This leaves it open to exploitation by malicious actors.
Cloud security firm Wiz first reported this issue in July 2024, naming the activity cluster "SeleniumGreed." Since then, Cado Security has observed two separate attack campaigns against its honeypot server. Both campaigns abuse the absence of authentication on Selenium Grid to deploy malicious software.
In one campaign, the attackers use Selenium's "goog" feature to inject a Base64-encoded Python script. This script retrieves another script named "y," which is the open-source GSocket reverse shell. Once the reverse shell is active, the attackers introduce a further payload, a bash script called "pl", that downloads two programs: IPRoyal Pawns and EarnFM, both of which enable proxyjacking.
IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth for profit. However, attackers hijack this service to turn compromised servers into proxies, potentially for malicious activities. Similarly, EarnFM is a proxyware service advertised as a way for users to generate passive income by sharing their internet connection.
In a second campaign, attackers also leverage the same initial attack route, using a Python script to deploy a bash script. This script checks if the compromised system is 64-bit and then drops a Golang-based ELF binary. The binary tries to escalate privileges by exploiting the well-known PwnKit vulnerability (CVE-2021-4043). Once escalated, it deploys XMRig, a widely-used cryptocurrency mining tool.
These attacks underscore the risks posed by misconfigured Selenium Grid instances, particularly in organizations that rely on the tool for web browser testing. Without proper authentication enabled, these servers can easily become targets for bad actors. Cado Security recommends that users immediately enable authentication for their Selenium Grid instances to prevent exploitation.
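The quickest way to find out whether a Grid instance is in the state these campaigns abuse is to ask it for its status without supplying credentials. The script below is an added example (not code from Cado Security, Wiz, or the Selenium project); it assumes the Grid 4 `GET /status` endpoint and its `{"value": {"ready": ..., "nodes": [...]}}` reply shape, and treats a 401/403 as evidence that authentication is enforced.

```python
"""Audit Selenium Grid endpoints for missing authentication (defensive check)."""
import json
import sys
import urllib.error
import urllib.request

# Verdict labels (constructed for this example).
EXPOSED = "EXPOSED"              # /status answered with Grid data and no credentials
AUTH_REQUIRED = "AUTH_REQUIRED"  # server demanded credentials
UNKNOWN = "UNKNOWN"              # not a Grid, or unreachable


def classify_status(http_status: int, body: bytes) -> tuple[str, int]:
    """Classify an unauthenticated GET /status reply. Returns (verdict, node_count)."""
    if http_status in (401, 403):
        return AUTH_REQUIRED, 0
    if http_status != 200:
        return UNKNOWN, 0
    try:
        value = json.loads(body.decode("utf-8", "replace")).get("value", {})
    except (json.JSONDecodeError, AttributeError):
        return UNKNOWN, 0
    # Grid 4 /status replies always carry value.ready; anything else is not a Grid.
    if not isinstance(value, dict) or "ready" not in value:
        return UNKNOWN, 0
    nodes = value.get("nodes") or []
    return EXPOSED, len(nodes)


def audit(grid_url: str, timeout: float = 5.0) -> tuple[str, int]:
    """Probe one Grid base URL (e.g. http://grid.internal:4444) without credentials."""
    req = urllib.request.Request(grid_url.rstrip("/") + "/status", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403 land here; classify them the same way as a normal reply.
        return classify_status(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return UNKNOWN, 0


if __name__ == "__main__":
    for url in sys.argv[1:]:
        verdict, nodes = audit(url)
        print(f"{url}: {verdict} ({nodes} node(s) visible without credentials)")
```

Any instance reported as EXPOSED should be taken off the public Internet or have Grid 4's Router basic-auth options (`--username`/`--password`; confirm the flags for your version) enabled before it is reachable again.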
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067