Security researchers have identified an ongoing threat campaign known as SeleniumGreed, targeting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining [1] [2] [3].

Description

This campaign exploits older versions of Selenium Grid that ship without default security controls, allowing threat actors to interact with the underlying machines, download files [1], and execute remote commands without authentication [1]. By sending requests to vulnerable Selenium Grid hubs [2], attackers deploy a Python script carrying a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server [2]. They then download and execute a modified XMRig miner with custom UPX headers on the compromised nodes, and use those nodes as command-and-control (C2) infrastructure for hosting payloads and mining pool proxies. With over 30,000 exposed Selenium Grid instances identified [2], the campaign has been active since at least April 2023 [1] [2]. To mitigate the risk, users must secure their Selenium Grid instances with proper firewall configurations and access restrictions, and update to newer versions that include improved security features and authentication mechanisms [2].
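The exposure the campaign relies on is a hub that answers anonymous requests. As an added example (not code from the cited reports or from the Selenium project), the script below lets an operator audit hosts they are responsible for and flag hubs that serve /status without any credential challenge; it assumes the Selenium Grid 4 /status JSON layout, and the sample reply is constructed.

```python
"""Audit hosts you own for Selenium Grid hubs that answer /status without credentials."""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample in the shape of a Selenium Grid 4 /status reply (shape assumed, values made up).
SAMPLE_OPEN_STATUS = {"value": {"ready": True, "message": "Selenium Grid ready.", "nodes": [
    {"id": "n1", "uri": "http://10.0.0.12:5555", "version": "4.0.0", "osInfo": {"name": "Linux"}}]}}


def classify(http_status, body):
    """Turn an HTTP status plus parsed JSON body into an audit verdict.

    'exposed-unauthenticated': the hub served its status to an anonymous client (the condition
    the campaign abuses); 'auth-enforced': a credential challenge came back; else 'not-a-grid'.
    """
    if http_status in (401, 403):
        return {"verdict": "auth-enforced", "nodes": []}
    value = body.get("value") if isinstance(body, dict) else None
    if http_status == 200 and isinstance(value, dict) and "ready" in value:
        nodes = [{"uri": n.get("uri"), "version": n.get("version"),
                  "os": (n.get("osInfo") or {}).get("name")} for n in value.get("nodes") or []]
        return {"verdict": "exposed-unauthenticated", "ready": bool(value["ready"]), "nodes": nodes}
    return {"verdict": "not-a-grid", "nodes": []}


def _json_or_empty(raw):
    try:
        return json.loads(raw.decode("utf-8", "replace"))
    except ValueError:
        return {}


def probe(base_url, timeout=5):
    """GET <base_url>/status anonymously and classify the answer; never sends credentials."""
    req = urllib.request.Request(base_url.rstrip("/") + "/status", headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, _json_or_empty(resp.read()))
    except urllib.error.HTTPError as e:  # must precede URLError, of which it is a subclass
        return classify(e.code, _json_or_empty(e.read()))
    except (urllib.error.URLError, OSError) as e:
        return {"verdict": "unreachable", "error": str(e), "nodes": []}


if __name__ == "__main__":
    for url in sys.argv[1:]:  # e.g. http://grid.internal:4444 (hosts you are responsible for)
        print(url, json.dumps(probe(url)))
```

Any hub reported as exposed-unauthenticated should be placed behind a firewall or access restriction and upgraded to a version that enforces authentication.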

Conclusion

The SeleniumGreed campaign underscores the dangers of exposing internal testing tools online and highlights the importance of network separation and robust security controls during web application testing activities. Mitigating this threat requires securing Selenium Grid instances to prevent unauthorized access and potential abuse for malicious purposes [1]. Going forward, continued vigilance and proactive hardening remain necessary as such threats evolve.

References

[1] https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html
[2] https://cybermaterial.com/cyberattack-targets-exposed-selenium-grid/
[3] https://cyber.vumetric.com/security-news/2024/07/26/ongoing-cyberattack-targets-exposed-selenium-grid-services-for-crypto-mining/