TLDR:
- Threat actors exploiting Selenium Grid services for cryptomining.
- Attackers leverage ChromeOptions category and misconfigurations to inject cryptominers.
Threat actors have been actively exploiting Selenium Grid services for cryptomining, taking advantage of the computational resources available in the cloud. Cybersecurity analysts at Wiz have identified the “SeleniumGreed” campaign, where several thousand exposed Selenium Grid instances were discovered online, often misconfigured and easily exploitable. The attackers use techniques such as timestomping, nohup, UPX packing, and modification of the sudoers file to maintain persistence and avoid detection.
The attackers abuse the ChromeOptions capability, in particular the Chrome binary path setting and the add_argument method, to execute malicious Python scripts on the compromised systems. This lets them open reverse shells and deploy cryptominers. The campaign, which has been running for more than a year, exposes significant weaknesses in internet-facing Selenium Grid installations and underlines the need for robust security measures around web application testing infrastructure. Recommendations include running external network and vulnerability scanners, using runtime detection, applying network security controls with a firewall, allowing only trusted IP ranges, allowing traffic only to required endpoints, and enabling basic authentication for Selenium Grid instances.
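The misuse described above is visible in the session requests a Grid receives: a `goog:chromeOptions` block whose `binary` is not a browser, or whose `args` are not browser flags. The following script is an added example (not code from the Wiz report or from the Selenium project) of a defensive check that a proxy or log pipeline could run over `POST /session` bodies. The allow-lists and the two sample requests are constructed for the example; a real deployment would populate the binary allow-list from the browser images actually installed on its nodes.

```python
"""Flag Selenium Grid NewSession requests whose ChromeOptions look abused.

Added example for detection, not part of the original article. It inspects
the capabilities in a W3C or legacy NewSession body and reports a Chrome
binary outside an allow-list or arguments that are not expected browser flags.
"""
import json

# Constructed allow-lists for this example; derive them from the browser
# images really present on the Grid nodes in a real deployment.
ALLOWED_BINARIES = {
    "/usr/bin/google-chrome",
    "/usr/bin/chromium",
    "/opt/google/chrome/chrome",
}
ALLOWED_ARG_PREFIXES = (
    "--headless",
    "--window-size=",
    "--disable-gpu",
    "--disable-dev-shm-usage",
    "--lang=",
)

CHROME_OPTIONS_KEY = "goog:chromeOptions"


def iter_capability_sets(payload):
    """Yield every capability dict a W3C or legacy NewSession body may carry."""
    caps = payload.get("capabilities") or {}
    always = caps.get("alwaysMatch")
    if isinstance(always, dict):
        yield always
    for first in caps.get("firstMatch") or []:
        if isinstance(first, dict):
            yield first
    legacy = payload.get("desiredCapabilities")  # pre-W3C clients still send this
    if isinstance(legacy, dict):
        yield legacy


def check_session_request(body):
    """Return a list of findings for one POST /session body (JSON string or dict)."""
    payload = json.loads(body) if isinstance(body, str) else body
    findings = []
    for caps in iter_capability_sets(payload):
        opts = caps.get(CHROME_OPTIONS_KEY)
        if not isinstance(opts, dict):
            continue
        binary = opts.get("binary")
        if binary is not None and binary not in ALLOWED_BINARIES:
            findings.append(f"chrome binary outside allow-list: {binary!r}")
        for arg in opts.get("args") or []:
            # Anything that is not a known browser flag is reported, so a
            # script path or shell fragment passed via add_argument stands out.
            if not isinstance(arg, str) or not arg.startswith(ALLOWED_ARG_PREFIXES):
                findings.append(f"unexpected chrome argument: {arg!r}")
    return findings


# Constructed sample requests: one ordinary headless session, one that points
# the "browser" at an interpreter and passes it a script, as the campaign does.
BENIGN_REQUEST = json.dumps({
    "capabilities": {"alwaysMatch": {
        "browserName": "chrome",
        CHROME_OPTIONS_KEY: {"binary": "/usr/bin/chromium",
                             "args": ["--headless=new", "--window-size=1280,800"]}}}})

SUSPICIOUS_REQUEST = json.dumps({
    "desiredCapabilities": {
        "browserName": "chrome",
        CHROME_OPTIONS_KEY: {"binary": "/usr/bin/python3",
                             "args": ["--headless", "/tmp/constructed-example.py"]}}})


def scan_bodies(bodies):
    """Map each request body to its findings; empty lists mean nothing was flagged."""
    return {name: check_session_request(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, found in scan_bodies({"benign": BENIGN_REQUEST,
                                    "suspicious": SUSPICIOUS_REQUEST}).items():
        print(name, "->", found or "ok")
```

The check is deliberately an allow-list: rather than enumerating what attackers pass, it reports anything the test suite is not known to need, which is the same posture as the firewall and trusted-IP recommendations above. Pair it with the basic authentication the article recommends; the check only raises an alert, it does not stop the session from being created.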
It is crucial for organizations to secure their Selenium Grid deployments against this kind of abuse, regardless of the version they are running. The campaign serves as a reminder of the ongoing threats in the cybersecurity landscape and of the importance of proper security measures to protect exposed services from exploitation.