Misconfigured Selenium Grid servers abused for Monero mining

July 29, 2024 at 02:09AM

Threat actors exploit a misconfiguration in Selenium Grid to deploy XMRig for mining Monero. With over 100 million pulls on Docker Hub, the open-source framework allows testing across various environments. Wiz researchers discovered a year-long “SeleniumGreed” attack due to Selenium Grid’s lack of default authentication. Attackers gain remote access via the WebDriver API, posing significant security risks.

Selenium Grid, a widely used web-app testing framework, has a serious security weakness: threat actors are exploiting a misconfiguration in Selenium Grid to deploy a modified XMRig tool for mining Monero cryptocurrency.

The malicious activity, referred to as “SeleniumGreed,” has been running for more than a year and takes advantage of Selenium Grid’s lack of authentication in the default configuration. This allows unauthorized access to app-testing instances, leading to the execution of malicious commands.

The attackers use the Selenium WebDriver API to change the default Chrome binary path on the targeted instance and then establish a reverse shell, giving them near-full remote access to the instance. They also abuse the fact that the Selenium user (‘seluser’) can run sudo commands without a password to drop a custom XMRig miner on the breached instance.
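As an added illustration (not code from the article, Wiz, or the Selenium project) of how a defender might spot the binary-path override described above: a small Python check over constructed Selenium Grid request-log lines that flags new-session capabilities whose browser binary falls outside an assumed allow-list. The log line format, the sample lines and the allowed paths are all assumptions.

```python
"""Flag WebDriver new-session requests that override the browser binary.
Added example; the 'POST /session <json>' log format and the allow-list
below are assumptions, not Selenium Grid's real log layout."""
import json

# Assumed: binaries a legitimate test run on this grid may point to.
ALLOWED_BINARY_PREFIXES = ("/opt/google/chrome/", "/usr/bin/google-chrome",
                           "/usr/bin/chromium")


def binary_overrides(caps: dict) -> list[str]:
    """Return every browser 'binary' path set in a capabilities object.
    Checks W3C 'alwaysMatch' and each 'firstMatch' entry, plus the legacy
    top-level 'desiredCapabilities' form, for the vendor option blocks."""
    blocks = []
    w3c = caps.get("capabilities", {})
    if "alwaysMatch" in w3c:
        blocks.append(w3c["alwaysMatch"])
    blocks.extend(w3c.get("firstMatch", []))
    if "desiredCapabilities" in caps:
        blocks.append(caps["desiredCapabilities"])
    found = []
    for block in blocks:
        for key in ("goog:chromeOptions", "moz:firefoxOptions", "ms:edgeOptions"):
            opts = block.get(key)
            if isinstance(opts, dict) and "binary" in opts:
                found.append(str(opts["binary"]))
    return found


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_number, binary) for each new-session line whose JSON
    body sets a binary outside the allow-list; unparsable lines are skipped."""
    hits = []
    for num, line in enumerate(lines, 1):
        if not line.startswith("POST /session "):
            continue
        try:
            body = json.loads(line.split(" ", 2)[2])
        except (ValueError, IndexError):
            continue
        for path in binary_overrides(body):
            if not path.startswith(ALLOWED_BINARY_PREFIXES):
                hits.append((num, path))
    return hits


# Constructed sample log: two legitimate sessions, one overriding the binary
# with an unexpected path (a placeholder, not an actual payload).
SAMPLE_LOG = [
    'POST /session {"capabilities":{"alwaysMatch":{"browserName":"chrome"}}}',
    'POST /session {"capabilities":{"alwaysMatch":{"browserName":"chrome","goog:chromeOptions":{"binary":"/opt/google/chrome/chrome"}}}}',
    'POST /session {"capabilities":{"alwaysMatch":{"browserName":"chrome","goog:chromeOptions":{"binary":"/tmp/x"}}}}',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))  # [(3, '/tmp/x')]
```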

It’s important to note that this exploit is not limited to older versions of Selenium, as Wiz confirms that the abuse is possible on versions more recent than 4. The attackers are targeting less maintained and monitored instances rather than exploiting a flaw that exists only on older versions.

Wiz’s scans using the FOFA search engine for exposed network assets show at least 30,000 Selenium instances currently reachable over the public web, indicating how widespread exposure to this vulnerability is.

Given the severity of this vulnerability, it is crucial to enable basic authentication and to protect Selenium Grids from unauthorized external access by following the project’s official guidelines. Organizations using Selenium Grid should also proactively review their instances so that unauthorized access, and with it exploitation by threat actors, is prevented.
