Threat actors are exploiting a misconfiguration in Selenium Grid, a popular web app testing framework, to deploy a modified XMRig tool for mining Monero cryptocurrency.

Selenium Grid is open-source and enables developers to automate testing across multiple machines and browsers. It is used in cloud environments and it has more than 100 million pulls on Docker Hub.

The tests are distributed from a central hub to the service’s nodes via API interaction, where they are executed. The nodes feature different operating systems, browsers, and other environment changes to provide comprehensive result.

Overview of Selenium testing
Overview of Selenium testing
Source: Wiz

Researchers at Wiz cloud security startup discovered that the malicious activity that they are tracking it as “SeleniumGreed” has been running for more than a year and takes advantage of the service’s lack of authentication in the default configuration.

SeleniumGreed attacks

According to Wiz research, Selenium Grid does not have an authentication mechanism active by default. In the case of a publicly exposed service, anyone can access app-testing instances, download files, and execute commands.

Selenium warns of the risks of internet-exposed instances in its documentation, advising those needing remote access to prevent unauthorized access by setting up a firewall. However, this warning isn’t enough to prevent misconfigurations at a larger scale.

Selenium's warning on the official documentation
Selenium’s warning on the official documentation
Source: selenium.dev

Wiz says that threat actors are leveraging the Selenium WebDriver API to change the default binary path of Chrome in the targeted instance, making it point to the Python interpreter.

They then use the ‘add_argument’ method to pass a base64-encoded Python script as an argument. When the WebDriver initiates a request to launch Chrome, it executes the Python interpreter with the provided script instead.

Exploit script used in the attacks
Exploit script used in the attacks
Source: Wiz

The Python script establishes a reverse shell, giving the attackers almost remote access to the instance.

Next, the attackers rely on the Selenium user (‘seluser’), which can execute sudo commands without a password, to drop a custom XMRig miner on the breached instance and set it to run in the background.

To evade detection, the attackers often used compromised Selenium node workloads as intermediate command and control servers (C2) for subsequent infections and also as mining pool proxies.

The attackers target older versions of Selenium (v3.141.59), but Wiz confirms that the abuse is possible on versions more recent than 4.

This means the attackers’ strategy is likely to evade detection by targeting instances that are less maintained and monitored instances rather than exploiting a flaw that exists only on older versions.

“Any version of the Selenium Grid service that lacks proper authentication and network security policies is vulnerable to remote command execution,” Wiz says in the report.

“Based on our data, the threat described in this blog is targeting Selenium v3.141.59, but it may evolve to exploit later versions as well, and other threat actors may already be doing so,” the researchers note.

Wiz’s network scans on the FOFA search engine for exposed network assets show at least 30,000 Selenium instances currently reachable over the public web.

Although the effects of the cryptomining activity are increased resource usage, the operators of the campaign could use their access to deploy malware if the targets are valuable enough.

For help on how to enable basic authentication and protect Selenium Grids from unauthorized external access, follow the service’s official guidelines here.