Ongoing Cyberattack Targets Exposed Selenium Grid Services for Cryptocurrency Mining
July 26, 2024 | Pressroom
Cybersecurity researchers are warning about an ongoing campaign that exploits Internet-exposed Selenium Grid services for illicit cryptocurrency mining.
Cloud security firm Wiz is tracking the activity under the name SeleniumGreed. The campaign, which targets older versions of Selenium (3.141.59 and earlier), is believed to have been ongoing since at least April 2023.
“Unknown to most users, the Selenium WebDriver API allows full interaction with the machine itself, including reading and downloading files and executing remote commands,” said Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska.
“By default, authentication is not enabled for this service. This means that many publicly accessible instances are misconfigured and can be accessed by anyone and misused for malicious purposes.”
Selenium Grid, part of the Selenium automated testing framework, enables parallel execution of tests across multiple workloads, multiple browsers, and multiple browser versions.
“Selenium Grid must be protected from external access using appropriate firewall permissions,” the project maintainers advise in the supporting documentation, noting that failure to do so could allow third parties to execute arbitrary binaries and access web applications and internal files.
It is currently unknown who is behind the attack campaign. However, it involves the threat actor targeting publicly exposed Selenium Grid instances and using the WebDriver API to execute Python code responsible for downloading and running an XMRig miner.
It all starts with the adversary sending a request to the vulnerable Selenium Grid hub with the goal of executing a Python program containing a Base64-encoded payload that spawns a reverse shell to an attacker-controlled server (“164.90.149[.]104”) to retrieve the final payload, a modified version of the open-source XMRig miner.
“Instead of hard-coding the pool IP in the miner’s configuration, they dynamically generate it at runtime,” the researchers explained. “They also set XMRig’s TLS-fingerprint capability in the added code (and configuration), ensuring that the miner only communicates with servers controlled by the threat actor.”
The IP address in question is said to belong to a legitimate service that has been compromised by the threat actor, as it was also found to host a publicly exposed Selenium Grid instance.
Wiz said that remote command execution is possible on the latest versions of Selenium and that over 30,000 instances exposed to remote command execution have been identified, making it imperative that users take steps to address the misconfiguration.
“Selenium Grid is not designed to be exposed to the Internet and its default configuration does not have any authentication enabled, so any user with access to the hub network can interact with nodes via APIs,” the researchers said.
“This poses a significant security risk if the service is deployed on a machine with a public IP address that has an inadequate firewall policy.”
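The points above (no authentication by default, a hub that is reachable from a public address, and a version in the range the campaign targets) can be checked from the operator's side. The following Python script is an added example written for this article; it is not code from Wiz, from the Selenium project, or from the original report. It assumes that the hub answers `GET /status` with WebDriver-style JSON containing `value.ready` and, on Selenium 3, `value.build.version`; the sample response and the hub URL are constructed placeholders, and the IP address in the test is the one the article lists for the attacker's server, used only as an instance of a globally routable address.

```python
"""Exposure audit for a Selenium Grid hub that you operate (added example).

Checks, from the defender's side:
  * the hub answered /status without credentials (Grid enables no auth by default),
  * the reported build version is 3.141.59 or earlier (the range the campaign targets),
  * the address the hub listens on is globally routable (nothing filtering it).

Assumption: /status returns WebDriver-style JSON with value.ready and, on
Selenium 3, value.build.version. Grid 4 hubs report no top-level build version,
so they produce a "version-unknown" finding instead.
"""
import ipaddress
import json
import sys
import urllib.error
import urllib.request

# Upper bound of the version range named in the article (3.141.59 and earlier).
LEGACY_MAX_VERSION = (3, 141, 59)

# Constructed sample of a Selenium 3 hub's /status reply (not captured from a real hub).
LEGACY_STATUS_SAMPLE = (
    '{"status":0,"value":{"ready":true,"message":"Hub has capacity",'
    '"build":{"version":"3.141.59","time":"CONSTRUCTED"}}}'
)


def parse_version(text):
    """Turn '3.141.59' or '4.0.0 (revision abc)' into a comparable int tuple."""
    tokens = text.strip().split()
    if not tokens:
        return ()
    parts = []
    for piece in tokens[0].split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_globally_routable(addr):
    """True for a public IP literal; False for private/documentation ranges or hostnames."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # a hostname: resolve it first if you need a verdict


def assess_grid(status_body, bind_addr, answered_without_auth):
    """Return a list of findings for one hub; an empty list means nothing flagged."""
    findings = []
    if answered_without_auth:
        findings.append("no-auth: /status answered without credentials")
    try:
        doc = json.loads(status_body)
    except ValueError:
        findings.append("unparseable: /status body is not JSON")
        return findings
    value = doc.get("value") or {}
    version = (value.get("build") or {}).get("version")
    if version is None:
        findings.append("version-unknown: /status did not report a build version")
    elif parse_version(version) <= LEGACY_MAX_VERSION:
        findings.append(f"legacy-version: {version} is in the targeted range")
    if value.get("ready"):
        findings.append("ready: hub will accept new WebDriver sessions")
    if is_globally_routable(bind_addr):
        findings.append(f"public-bind: {bind_addr} is globally routable")
    return findings


def fetch_status(hub_url, timeout=5.0):
    """GET /status on your own hub with no credentials; return (body, answered_without_auth)."""
    req = urllib.request.Request(hub_url.rstrip("/") + "/status",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace"), True
    except urllib.error.HTTPError as exc:
        # 401/403 means something in front of the hub is demanding credentials.
        body = exc.read().decode("utf-8", "replace")
        return body, exc.code not in (401, 403)


if __name__ == "__main__":
    # Usage: python grid_audit.py http://hub-host:4444 <address the hub listens on>
    if len(sys.argv) != 3:
        sys.exit("usage: grid_audit.py <hub-url> <bind-address>")
    body, open_access = fetch_status(sys.argv[1])
    for finding in assess_grid(body, sys.argv[2], open_access):
        print(finding)
```

Run it only against hubs you are responsible for; a hub that yields `no-auth` together with `public-bind` or `legacy-version` is the configuration the article describes and should be moved behind a firewall or access-controlled network before anything else.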