
Hackers Proxyjack and Cryptomine Exploit Selenium Grid Servers


Threat actors are targeting Internet-exposed Selenium Grid servers to abuse victims' compute and Internet bandwidth for cryptomining and proxyjacking, and a compromised host can also serve as a foothold for more serious attacks. Selenium is an open source suite of browser-automation tools; Selenium Grid, widely used in cloud and CI environments, distributes web-application tests across multiple machines, platforms and browsers in parallel. Although Grid is intended to be an internal tool, tens of thousands of instances are currently reachable from the Internet, which puts them directly in the path of automated malware campaigns.

Cado Security recently stood up a honeypot to observe what actually reaches these unsecured servers. Within 24 hours it recorded two distinct campaigns repeatedly attempting to compromise the host. The first dropped a script named “y” that installed GSocket, a networking toolkit the attackers use for command and control, followed by scripts “pl” and “tm” that performed reconnaissance and installed the proxyware clients Pawns.app and EarnFM, which monetize the victim's Internet bandwidth by renting it out as a residential proxy.

Proxyjacking, as seen in these attacks, means hijacking an unwitting victim's IP address so that it can be used for malicious traffic or sold on to other criminals who want to defeat IP-based controls such as reputation filtering and geofencing. The attacker's traffic then appears to originate from a legitimate residential or corporate address, which makes it far harder for defenders to separate it from ordinary users.

The second campaign dropped an ELF binary that carried a public exploit for a Linux privilege-escalation bug. The malware then connected to a command-and-control server and deployed a cryptominer called “perfcc”, mirroring an earlier campaign reported by Wiz in which exposed Selenium Grid instances were used to deploy the XMRig miner. According to the researchers, the same access could be used for far worse than mining, including pivoting into sensitive internal environments.

Selenium Grid has no authentication of its own, so a reachable hub is an open door, as a Reddit post describing one such compromise illustrates. With more than 30,000 instances publicly exposed, organizations should keep Grid hubs off the Internet, restrict access with firewall rules to the CI hosts that need it, and place an authenticating reverse proxy with multifactor authentication in front of any instance that must be reachable remotely.
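Because the hub answers anyone who can reach its port, the quickest audit is to request its status endpoint with no credentials and look at what comes back. The script below is an added example written for this article; it is not code from Cado Security, Wiz or the Selenium project. It assumes, which the page does not state, that Selenium Grid 4 serves GET /status on the hub port (4444 by default) and returns JSON shaped {"value": {"ready": ..., "nodes": [...]}}; the sample response embedded in it is constructed, with an invented host and version. It reports EXPOSED only when a real Grid status document comes back with HTTP 200, so a login page that a proxy serves with 200 is not mistaken for either an exposed or a protected hub, and it summarizes what an anonymous caller learns from the reply (internal node addresses, browsers, slot count).

```python
"""Audit whether a Selenium Grid hub answers its status API without credentials.
Added example for this article, not Cado Security, Wiz or Selenium project code.
Assumption (not on the page): Grid 4 serves GET /status on the hub port, 4444 by
default, and returns JSON shaped {"value": {"ready": bool, "nodes": [...]}}."""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass

# Constructed sample of what an exposed Grid 4 hub returns for GET /status.
# Host, maxSessions and version are invented; only the shape mirrors a real hub.
SAMPLE_STATUS = json.dumps({"value": {
    "ready": True,
    "message": "Selenium Grid ready.",
    "nodes": [{
        "uri": "http://10.0.0.12:5555",
        "maxSessions": 2,
        "version": "4.0.0",
        "slots": [
            {"stereotype": {"browserName": "chrome", "platformName": "linux"}, "session": None},
            {"stereotype": {"browserName": "firefox", "platformName": "linux"}, "session": None},
        ],
    }],
}})

@dataclass(frozen=True)
class GridSummary:
    ready: bool
    node_count: int
    slot_count: int
    browsers: tuple   # sorted browserName values the nodes advertise
    node_uris: tuple  # internal node addresses the hub hands to any caller

def summarize_status(body: str) -> GridSummary:
    """Parse a /status body; raise ValueError if it is not a Grid status document."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not JSON") from exc
    value = doc.get("value") if isinstance(doc, dict) else None
    if not isinstance(value, dict) or "ready" not in value:
        raise ValueError("no Grid status document in body")
    nodes = value.get("nodes") or []
    browsers, slot_count = set(), 0
    for node in nodes:
        for slot in node.get("slots") or []:
            slot_count += 1
            name = (slot.get("stereotype") or {}).get("browserName")
            if name:
                browsers.add(name)
    return GridSummary(bool(value["ready"]), len(nodes), slot_count,
                       tuple(sorted(browsers)), tuple(n.get("uri", "") for n in nodes))

def assess(status_code, body) -> str:
    """Classify one probe result.
    EXPOSED: 200 with a Grid status document; whoever reaches the port can also
      create sessions, because the hub itself has no authentication.
    PROTECTED: 401/403, something in front of the hub demands credentials.
    UNREACHABLE: no HTTP answer (closed port, firewall drop, timeout).
    UNKNOWN: anything else, e.g. a login page served with 200; check by hand."""
    if status_code is None:
        return "UNREACHABLE"
    if status_code in (401, 403):
        return "PROTECTED"
    if status_code == 200:
        try:
            summarize_status(body or "")
        except ValueError:
            return "UNKNOWN"
        return "EXPOSED"
    return "UNKNOWN"

def probe(hub_url: str, timeout: float = 5.0):
    """GET <hub_url>/status with no credentials; return (status_code, body)."""
    req = urllib.request.Request(hub_url.rstrip("/") + "/status", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, None

def audit(hub_url: str) -> str:
    """Live check, e.g. audit("http://grid.internal:4444")."""
    return assess(*probe(hub_url))

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], audit(sys.argv[1]))
    else:  # offline demonstration on the constructed sample
        print(assess(200, SAMPLE_STATUS), summarize_status(SAMPLE_STATUS))
```

Run it from outside the CI network against each hub you own (`python audit_grid.py http://grid.example:4444`, hostname hypothetical); any result of EXPOSED from that vantage point means the hub needs to be firewalled or put behind the authenticating proxy described above, and UNKNOWN results deserve a manual look rather than being assumed safe.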

The rise in attacks on Internet-exposed Selenium Grid servers is a reminder that internal tooling left reachable from the Internet is found and exploited within a day. Keeping such services off the public network and behind authentication is the cheapest way to avoid both resource theft and an attacker's foothold into the wider environment.
