Threat actors are exploiting Selenium Grid’s default lack of authentication in two active campaigns, deploying exploit kits, cryptominers, and proxyjackers.
All about Selenium Grid Tool
Selenium Grid’s widespread adoption among developers, combined with its default lack of authentication, makes it an appealing target for attackers. These campaigns exploit the tool’s ability to run code on remote systems, allowing attackers to distribute and execute malicious payloads, such as exploit kits, cryptominers, and proxyjackers. This poses a significant threat to organizations using Selenium Grid for testing and automation, as it can lead to unauthorized system access and malware infections.
Attackers exploited an unsecured Selenium Grid instance that lacked authentication. They injected a base64-encoded Python script into the “goog” configuration options of a new session, and it was executed through the Python3 binary supplied in the WebDriver setup.
The script disabled shell command history logging and downloaded a reverse shell (GSocket) from a remote server, which created an encrypted TCP connection, allowing remote command execution on the compromised system.
A malicious script, “pl,” retrieved from a command and control server, performs system checks, stops specific Docker containers, and sets the installation path.
It then downloads IPRoyal Pawn and EarnFM payloads, used for selling the user’s internet bandwidth as a proxy service and other malicious activities. Additionally, “pl” includes a base64-encoded script “tm,” which checks for root privileges, installs Docker if needed, and configures Docker images for “traffmonetizer” and “WatchTower.”
The attacker used a multi-stage approach, starting with a base64-encoded Python script injected into Chrome that decoded into a Bash script. This prepared the system, downloaded an ELF binary packed with UPX, and attempted to exploit CVE-2021-4043 for root access.
The binary connected to Tor nodes for C2 communication, deployed cryptomining binaries, set up cron jobs for persistence, and created temporary directories for mining files.
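Both campaigns above rely on the same entry point: a Selenium Grid node honours whatever vendor options arrive in a new-session request, so a browser "binary" pointed at python3 plus a base64 blob in "args" becomes code execution. The following is an added detection example, not code from the article or from the Selenium project; it audits a constructed new-session request body (the JSON samples are made up here) and flags a non-browser binary override and any base64 run in the arguments that decodes to readable text.

```python
import base64
import json
import re

# Constructed sample request bodies (not taken from the article). MALICIOUS
# mimics the reported pattern: the browser "binary" replaced by python3 and a
# base64 blob passed through "args". BENIGN is an ordinary headless session.
MALICIOUS_REQUEST = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {
        "binary": "/usr/bin/python3",
        "args": ["-c", "exec(__import__('base64').b64decode('"
                 + base64.b64encode(b"import os; os.system('id')").decode()
                 + "'))"]}}}})
BENIGN_REQUEST = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {"binary": "/usr/bin/google-chrome",
                           "args": ["--headless=new", "--window-size=1280,800"]}}}})

BROWSER_BINARY = re.compile(r"chrom|firefox|msedge|safari", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # long base64-looking runs


def audit_new_session(body: str) -> list[str]:
    """Return findings for one WebDriver new-session request body."""
    findings = []
    caps = json.loads(body).get("capabilities", {})
    matches = [caps.get("alwaysMatch", {})] + list(caps.get("firstMatch", []))
    for match in matches:
        for key, opts in match.items():
            # goog:chromeOptions, moz:firefoxOptions, ms:edgeOptions all carry
            # vendor "binary"/"args" settings that a node honours as given.
            if not key.endswith("Options") or not isinstance(opts, dict):
                continue
            binary = opts.get("binary", "")
            if binary and not BROWSER_BINARY.search(binary):
                findings.append(f"{key}.binary is not a browser: {binary}")
            for arg in opts.get("args", []):
                for blob in B64_RUN.findall(str(arg)):
                    try:
                        decoded = base64.b64decode(blob, validate=True)
                    except ValueError:
                        continue
                    if decoded.isascii():  # decodes to text, i.e. a script
                        findings.append(
                            f"{key}.args carries base64 payload: {decoded[:40]!r}")
    return findings
```

The same check can be run over a Grid's request log or placed in a reverse proxy in front of the hub, which is also where authentication belongs.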
The SHC-compiled ELF binary “Top” is a Bash script that checks environment variables to decide what to do. It exits if the “ABWTRX” variable is set; if “AAZHDE” is not set, it modifies the PATH and cleans up processes and files. It then runs the “top” command to display system processes. This script was used against misconfigured Selenium Grid instances, underscoring the need for proper authentication and configuration to prevent such attacks.