September 12, 2024 at 09:36AM
Bad actors are targeting Internet-exposed Selenium Grid instances for illicit cryptocurrency mining and proxyjacking. The lack of authentication in the default configuration is what leaves these instances vulnerable. Threat actors exploit this to carry out malicious actions, including deploying cryptocurrency miners and the proxyware solutions EarnFM and IPRoyal Pawn. Organizations are urged to configure authentication to prevent abuse.
From the meeting notes:
– Internet-exposed Selenium Grid instances are targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.
– Selenium Grid’s default configuration lacks authentication, making it vulnerable to exploitation by threat actors.
– Two distinct campaigns have been observed leveraging the lack of authentication on Selenium Grid instances to carry out malicious actions, delivering next-stage payloads such as proxyware solutions and cryptocurrency miners.
– As many organizations rely on Selenium Grid for web browser testing, misconfigured instances can be abused by threat actors.
Overall, the meeting notes highlight the importance of configuring authentication on Selenium Grid instances to mitigate the risk of threat actors exploiting them for illicit activities such as cryptocurrency mining and proxyjacking campaigns.
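One way for an operator to confirm that their own Grid is not answering its status endpoint to anonymous clients, as an added example that is not part of the original post or of the Selenium project: the code below assumes a Selenium Grid 4 deployment whose hub or router serves GET /status as JSON of the form {"value": {"ready": ...}}, uses a hypothetical internal URL, and works on a constructed sample response so it runs offline. The hardening flags named in its comments (--username and --password on the hub or router, --registration-secret on nodes) are the editor's reading of the Grid 4 command-line options, not something the post states, and should be checked against the version in use.

```python
"""Audit check: does a Selenium Grid serve /status to a client with no credentials?

Added example, not code from the original post. Assumes Selenium Grid 4, whose
hub/router exposes GET /status returning {"value": {"ready": true, ...}}.
"""
import json
import urllib.error
import urllib.request

UNAUTHENTICATED = "unauthenticated"   # /status was served to an anonymous client
PROTECTED = "protected"               # the server demanded credentials
UNKNOWN = "unknown"                   # not a Grid, unreachable, or unexpected answer


def classify_status_response(status_code: int, body: str) -> str:
    """Map the HTTP status code and body of GET /status to an exposure verdict."""
    if status_code == 401:
        return PROTECTED
    if status_code != 200:
        return UNKNOWN
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return UNKNOWN
    value = payload.get("value") if isinstance(payload, dict) else None
    if isinstance(value, dict) and "ready" in value:
        # A Grid answered a credential-less request with its full status:
        # exactly the default configuration the campaigns above rely on.
        return UNAUTHENTICATED
    return UNKNOWN


def node_count(body: str) -> int:
    """Number of nodes a Grid reports in its /status body (0 if absent or unparseable)."""
    try:
        nodes = json.loads(body)["value"].get("nodes", [])
    except (json.JSONDecodeError, KeyError, TypeError, AttributeError):
        return 0
    return len(nodes) if isinstance(nodes, list) else 0


def probe_grid(base_url: str, timeout: float = 5.0) -> str:
    """Anonymously request /status on a Grid you operate and classify the answer."""
    url = base_url.rstrip("/") + "/status"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_status_response(resp.status, body)
    except urllib.error.HTTPError as exc:
        # 401 and other error codes arrive here; classify them the same way.
        return classify_status_response(exc.code, "")
    except (urllib.error.URLError, OSError):
        return UNKNOWN


# Constructed sample (shape only) of what an open Grid 4 hub returns on GET /status.
SAMPLE_OPEN_STATUS = json.dumps({
    "value": {
        "ready": True,
        "message": "Selenium Grid ready.",
        "nodes": [{"id": "node-1", "uri": "http://10.0.0.5:5555", "availability": "UP"}],
    }
})


if __name__ == "__main__":
    verdict = classify_status_response(200, SAMPLE_OPEN_STATUS)
    print(f"sample response: {verdict}, nodes={node_count(SAMPLE_OPEN_STATUS)}")
    # Against a live instance you own (hypothetical URL):
    # print(probe_grid("http://grid.example.internal:4444"))
    # Hardening (editor's assumption about the Grid 4 CLI): start the hub/router
    # with --username and --password so clients must authenticate, register nodes
    # with --registration-secret, and keep port 4444 off the public Internet.
```

A verdict of "unauthenticated" from probe_grid against your own hub means the instance is in the state the campaigns above look for; "protected" means the server rejected the anonymous request, which is the expected result once authentication is configured.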