TLDR:
- SeleniumGreed campaign abuses internet-exposed Selenium Grid services, mostly older versions, for crypto mining
- Threat actors use the unauthenticated WebDriver API of exposed Grids to run code and deploy an XMRig miner
Cybersecurity researchers are warning about an ongoing campaign, named SeleniumGreed, that targets exposed Selenium Grid services for cryptocurrency mining. The campaign, active since at least April 2023, abuses the WebDriver API of older, unauthenticated Selenium Grid deployments to run attacker-supplied Python code that downloads and launches an XMRig miner. Operators should make sure their Selenium Grid instances are not reachable by untrusted clients, since anyone who can reach the API can run code on the nodes.
Full Article:
Cybersecurity researchers have identified an ongoing campaign that exploits internet-exposed Selenium Grid services for illicit cryptocurrency mining. The campaign, known as SeleniumGreed, reportedly targets older versions of Selenium and has been active since at least April 2023. Researchers at cloud security firm Wiz have highlighted the risk: the Selenium WebDriver API allows full interaction with the underlying host, so a threat actor who can reach the Grid can run arbitrary code on it.
Selenium Grid does not enforce authentication on the WebDriver API by default, so many publicly accessible instances accept session requests from anyone, which is what makes them abusable. The attackers behind this campaign use the WebDriver API to execute Python code that downloads and runs an XMRig miner. The miner is pointed at addresses that are generated dynamically and is pinned to a TLS fingerprint, so it only communicates with servers controlled by the threat actor.
No software bug in Selenium is being exploited here: the WebDriver API is doing what it is designed to do, and the only precondition is a Grid that is reachable from the internet and accepts sessions without authentication. That makes SeleniumGreed a misconfiguration problem for operators to fix, not something a single patch will close off.
Researchers have identified more than 30,000 Selenium Grid instances exposed to remote command execution, which underlines how urgent it is to fix these misconfigurations. Selenium Grid should never be reachable from untrusted networks: restrict access to the hub and node ports with firewall rules or network policy so that only the CI runners and test clients that need it can connect, put authentication in front of the API (for example via a reverse proxy) if it must be reached from outside a private network, and keep Selenium up to date, since the campaign concentrates on older versions. Nodes should also be monitored for unexpected session creation and for unexpected child processes, such as Python interpreters or miners, spawned by the Grid service.
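The detection logic a Grid operator would want, as an added example that is not part of the original article or of Wiz's research: it reads access-log lines as a reverse proxy in front of a Selenium hub might record them and flags WebDriver new-session requests that come from outside an allowlisted network (the "unauthorized interaction" described above) or that override the browser binary with something that is not a browser. The log format, the trusted network range, and the sample lines are all constructed for this example; `goog:chromeOptions.binary` and `moz:firefoxOptions.binary` are real WebDriver capabilities that let a client choose the executable a node launches, but whether this particular campaign uses that field is not stated on this page, so treat that rule as a generic hardening heuristic rather than a signature for SeleniumGreed.

```python
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sample log (not real campaign traffic). Format per line:
# <src_ip> <method> <path> <json body or "-">
SAMPLE_LOG = """\
10.0.5.12 POST /wd/hub/session {"capabilities":{"alwaysMatch":{"browserName":"chrome"}}}
203.0.113.77 POST /wd/hub/session {"capabilities":{"alwaysMatch":{"browserName":"chrome","goog:chromeOptions":{"binary":"/usr/bin/python3","args":["-c","import os"]}}}}
10.0.5.12 GET /wd/hub/status -
203.0.113.77 GET /wd/hub/status -
10.0.5.40 POST /wd/hub/session {"capabilities":{"alwaysMatch":{"browserName":"firefox","moz:firefoxOptions":{"binary":"/opt/firefox/firefox"}}}}
"""

# Assumption: only this range is allowed to create WebDriver sessions.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A browser binary override is expected to point at an actual browser.
BROWSER_BINARY_RE = re.compile(r"chrome|chromium|firefox|msedge|safari", re.I)

# WebDriver new-session endpoint, with or without the legacy /wd/hub prefix.
NEW_SESSION_RE = re.compile(r"^/(wd/hub/)?session/?$")


@dataclass
class Finding:
    src_ip: str
    reason: str


def binary_overrides(caps):
    """Yield every 'binary' string found anywhere in a capabilities object."""
    if isinstance(caps, dict):
        for key, value in caps.items():
            if key == "binary" and isinstance(value, str):
                yield value
            else:
                yield from binary_overrides(value)
    elif isinstance(caps, list):
        for item in caps:
            yield from binary_overrides(item)


def analyze(log_text):
    """Return a Finding for each suspicious new-session request in the log."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, method, path, body = line.split(" ", 3)
        # Only session creation can launch a process on a node.
        if method != "POST" or not NEW_SESSION_RE.match(path):
            continue
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append(Finding(src, "new session from untrusted network"))
        try:
            caps = json.loads(body)
        except ValueError:
            continue
        for binary in binary_overrides(caps):
            if not BROWSER_BINARY_RE.search(binary):
                findings.append(
                    Finding(src, f"browser binary overridden to non-browser path {binary}")
                )
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.src_ip}: {f.reason}")
```

In the sample, the internal client and the Firefox session with a real browser path pass, while the request from 203.0.113.77 is flagged twice: once for coming from outside the trusted range and once for pointing the node at `/usr/bin/python3`. The first rule alone is enough if the Grid is correctly firewalled; the second catches an insider or a compromised CI runner using the same trick from an allowed address.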