Cybercriminals Target Selenium Grid Servers for Proxyjacking and Cryptomining

September 12, 2024

Cybercriminals are infecting exposed Selenium Grid servers with the aim of exploiting the victims' Internet bandwidth for cryptomining, proxyjacking, and potentially other malicious activities. Selenium is an open-source suite of browser automation tools that is found in 30% of cloud environments. Selenium Grid, its tool for automated testing of web applications across multiple platforms and browsers, is used by millions of developers and thousands of organizations worldwide. Despite being an internal tool, tens of thousands of Selenium Grid servers are exposed on the Internet, making them a target for hackers.

Cado Security recently set up a honeypot to assess the threats these exposed servers face. According to Al Carchrie, R&D lead solutions engineer for Cado Security, they began to see activity within 24 hours of deploying the honeypot. During the research period, two primary threats consistently attempted to attack the honeypot. The first deployed a series of scripts, including one labeled 'y', which dropped the open-source networking toolkit GSocket. This toolkit, designed to establish a secure TCP connection between two users behind firewalls, was used by the threat actors for command-and-control (C2). The subsequent scripts, 'pl' and 'tm', performed various reconnaissance functions and dropped the campaign's main payloads: Pawns.app (IPRoyal Pawn) and EarnFM. These programs, known as proxyware, allow users to rent out their unused internet bandwidth. However, hackers can weaponize these services for their own purposes.

The process, known as 'proxyjacking', involves hijacking an unsuspecting Internet user's IP to use as a personal proxy server for further malicious activities or selling it to another cybercriminal. 'It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place,' Carchrie explains.

The second attack detected by the honeypot was similar in its initial means of infection but dropped a Golang-based executable and linkable format (ELF) binary. The ELF attempted to use 'PwnKit', a public exploit for CVE-2021-4043, a medium severity Linux privilege escalation bug. The malware then connected to an attacker's C2 infrastructure and dropped 'perfcc', a cryptominer. This mirrors a yearlong campaign revealed by Wiz in July, which used Selenium Grid as a vector to deploy the XMRig miner.

Selenium Grid, being an internal tool, lacks any authentication to prevent attackers from breaking in. Its maintainers have warned that it 'must be protected from external access using appropriate firewall permissions.' However, in July, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. More than 17,000 were both exposed to the Internet and running outdated versions. The vast majority of these were based in the US and Canada. It was only a matter of time before threat actors capitalized on this opportunity.

'Selenium is built to be an internal service for testing,' emphasizes Ami Luttwak, CTO and co-founder of Wiz. 'In most scenarios, it's not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate.' Carchrie advises, 'If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords.'

Latest News

• Urgent Update Required: Adobe Patches Acrobat Reader Zero-Day Vulnerability
• Taiwanese Drone Makers Targeted by 'WordDrone' Attack Exploiting Old MS Word Flaw
• Ivanti Addresses Critical RCE Vulnerability in Endpoint Management Software
• Microsoft Rectifies Zero-Day Flaw in Windows Smart App Control Exploited Since 2018
• Microsoft's September 2024 Patch Tuesday Addresses 79 Security Flaws Including 4 Zero-days