
Hackers using Selenium Grid Tool to Deploy Exploit Kit & Proxyjacker


Two campaigns are currently targeting Selenium Grid instances that were exposed with the tool's default configuration, which requires no authentication, and using that access to deploy exploit kits, cryptominers, and proxyjacking software. The attackers are taking advantage of Selenium Grid's wide use by development and QA teams and of the fact that it ships without authentication enabled, which makes an internet-facing Grid an easy foothold for anyone looking to compromise systems and gain unauthorized access.

The campaigns abuse Selenium Grid's core function, launching browsers on remote nodes on behalf of a client, to deliver and execute malicious software instead. This is a significant threat to organizations that rely on the tool for testing and automation. Misconfigured, publicly reachable Grid instances have let attackers exploit the missing authentication in more than one way.

In one observed attack, the threat actors submitted a WebDriver session request whose "goog:chromeOptions" carried a base64-encoded Python script, with the browser "binary" field pointed at the Python3 interpreter. Because chromedriver launches whichever executable the capabilities name, the node ran python3 on the attacker's script instead of starting Chrome. The script first disabled shell command history logging, then downloaded a reverse shell script from a remote server. That second-stage script, GSocket, established an encrypted TCP connection from the compromised host to attacker-controlled infrastructure, giving the attackers remote command execution on the node.
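The abuse above is visible in the Grid's own traffic: a "New Session" request is JSON, and the only field that should ever name an executable is the browser path. The following detector is an added example, not code from Cado Security or the Selenium project. It walks the W3C capabilities of a session request and flags a "binary" that is an interpreter or is outside an allowlist, interpreter-style "-c" arguments, inline code, and long base64 blobs, decoding the blob so an analyst sees the first bytes of the payload. The two request bodies are constructed for illustration; the allowlist paths and the exact shape of the attacker's request are assumptions, and the encoded "script" is a harmless stand-in.

```python
"""Flag WebDriver New Session requests that abuse goog:chromeOptions to run a
non-browser binary on a Selenium Grid node.

Added example (not Cado Security's or Selenium's code). The sample requests
below are constructed; the allowlist is an assumption to adapt per fleet.
"""
import base64
import re

# Browser executables a legitimate Grid node would be asked to launch
# (assumption: adjust to the paths actually installed on your nodes).
ALLOWED_BINARIES = {
    "/usr/bin/google-chrome",
    "/usr/bin/google-chrome-stable",
    "/usr/bin/chromium",
    "/usr/bin/chromium-browser",
    "/opt/google/chrome/chrome",
}

INTERPRETER_RE = re.compile(
    r"(^|/)(python[0-9.]*|perl|sh|bash|dash|zsh|node|ruby|php)$")
INLINE_CODE_RE = re.compile(
    r"\b(import|exec|eval|base64|os\.system|subprocess)\b")
# Chrome flags are short and start with "--"; a 40+ char base64 run is a payload.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _capability_dicts(body):
    """Yield every capabilities dict a session request can carry."""
    caps = body.get("capabilities", {})
    yield caps.get("alwaysMatch", {})
    for fm in caps.get("firstMatch", []):
        yield fm
    if "desiredCapabilities" in body:      # legacy JSONWP clients
        yield body["desiredCapabilities"]


def find_chrome_option_abuse(body):
    """Return a list of human-readable findings for a parsed New Session body.

    An empty list means nothing in goog:chromeOptions looked like code execution.
    """
    findings = []
    for caps in _capability_dicts(body):
        opts = caps.get("goog:chromeOptions")
        if not isinstance(opts, dict):
            continue
        binary = opts.get("binary")
        if binary is not None:
            if INTERPRETER_RE.search(binary):
                findings.append(f"binary points at an interpreter: {binary}")
            elif binary not in ALLOWED_BINARIES:
                findings.append(f"binary outside allowlist: {binary}")
        for arg in opts.get("args", []):
            if arg in ("-c", "-e"):
                findings.append(f"inline-code flag in args: {arg}")
            if INLINE_CODE_RE.search(arg):
                findings.append(f"inline code in args: {arg[:60]!r}")
            m = B64_BLOB_RE.search(arg)
            if m:
                try:
                    raw = base64.b64decode(m.group(0), validate=True)
                    preview = raw[:40].decode("utf-8", "replace")
                    findings.append(f"base64 blob in args decodes to: {preview!r}")
                except ValueError:
                    findings.append("base64-looking blob in args (undecodable)")
    return findings


# --- constructed sample requests -------------------------------------------
BENIGN_REQUEST = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {"args": ["--headless=new", "--no-sandbox"]},
        }
    }
}

# Mirrors the technique described in the article: the "binary" chromedriver
# would launch is swapped for the Python interpreter and the script rides in
# as its arguments. The encoded body is a harmless stand-in, not the real payload.
_STANDIN = base64.b64encode(b"print('stage two would run here')").decode()
SUSPICIOUS_REQUEST = {
    "capabilities": {
        "alwaysMatch": {
            "browserName": "chrome",
            "goog:chromeOptions": {
                "binary": "/usr/bin/python3",
                "args": ["-c", f"import base64;exec(base64.b64decode('{_STANDIN}'))"],
            },
        }
    }
}

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, find_chrome_option_abuse(req) or "clean")
```

Run it against the hub's access log or a reverse proxy in front of the Router, where session bodies can be captured; a legitimate test suite never sets "binary" to an interpreter, so the interpreter check alone is a high-confidence alert, and the allowlist check catches the general case of a node being told to launch anything that is not a browser.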

A second script, "pl", fetched from a command-and-control server, performs various system checks and retrieves additional payloads matching the host's CPU architecture. It stops specific Docker containers and sets an installation path. According to Cado Security Labs, "pl" retrieves IPRoyal Pawn and EarnFM payloads, which are likely used to resell the victim's internet bandwidth as a proxy service (proxyjacking). "pl" also embeds a base64-encoded script, "tm", which checks for root privileges and gathers system information, installs Docker if it is missing, and sets up Docker images for "traffmonetizer" and "WatchTower."

The threat actor behind the second campaign used a multi-stage chain. It began with a base64-encoded Python script injected through the Chrome options of a WebDriver session, which decoded into a Bash script. That script prepared the system by creating directories, manipulating environment variables, and checking for already-running processes. It then downloaded a UPX-packed ELF binary whose UPX header had been removed to evade detection. The unpacked binary, written in Go, attempted to exploit CVE-2021-4043 to gain root privileges. It connected to Tor nodes for C2 communication, dropped cryptomining binaries, set up cron jobs for persistence, and created temporary directories holding files used by the mining process.

Also part of this campaign is "Top", an ELF binary produced with SHC that wraps a Bash script whose behavior is steered by environment variables. If "ABWTRX" is set, it exits immediately. Otherwise it modifies the PATH, sets up cleanup traps, terminates "perfctl" processes and, if "AAZHDE" is not set, removes its temporary files. Finally it runs the real "top" command so that the invocation looks like an ordinary process listing. This binary was used in a recent campaign targeting misconfigured Selenium Grid instances.

This series of attacks underscores that a Selenium Grid is remote code execution by design: anyone who can reach the hub can ask a node to launch an arbitrary "binary". Organizations running Selenium Grid for testing and automation should enable the Grid's authentication, keep hubs and nodes off the public internet (bind them to private interfaces or place them behind a VPN or an authenticating proxy), and monitor nodes for browser drivers spawning anything other than a browser, as well as for the cryptomining and proxy payloads described above.
