An attack on Selenium Grid can have consequences ranging from resource loss to data leakage.
Wiz reports that attackers are exploiting a misconfiguration in Selenium Grid to deploy a modified version of XMRig for Monero mining.
Selenium Grid, which has more than 100 million downloads on Docker Hub, allows developers to automate testing of applications on multiple machines and browsers, and is also widely used in cloud environments. Selenium Grid distributes tests from a central hub to different nodes through API interaction. Nodes can run on different operating systems, browsers, and environments, which provides comprehensive test results.
Selenium Grid Architecture
The attack, called SeleniumGreed, exploits the lack of an authentication mechanism in the default Selenium Grid configuration, which lets anyone who can reach the hub access testing instances, upload files, and execute commands.
Attackers use the Selenium WebDriver API to change the default path for Chrome on the target instance, redirecting the request to the Python interpreter. Cybercriminals then use the 'add_argument' method to pass the encoded Python script as an argument. When WebDriver starts Chrome, it actually executes the Python interpreter with the provided script.
The script creates a reverse shell, providing almost complete remote access to the instance. The attackers then use the Selenium user ('seluser'), which can run sudo commands without a password, to download XMRig and run it in the background.
To evade detection, attackers often use compromised Selenium nodes as intermediate C2 servers for subsequent attacks, as well as proxy servers for mining pools. The main target of the attacks is older versions of Selenium (v3.141.59), but Wiz confirms that abuse is possible on newer versions as well (in the absence of proper authentication and network security policies).
The nature of the attack shows that the hackers' strategy is aimed at evading detection by targeting instances that are less well maintained and controlled, rather than exploiting a vulnerability that exists only in older versions.
A FOFA search revealed at least 30,000 instances of Selenium available online. Although the main consequence of cryptomining is increased resource consumption, campaign operators can use their access to distribute malware if the target proves to be sufficiently valuable.
Selenium warns about the risks associated with public access to instances and recommends using a firewall to prevent unauthorized access. However, this warning is not sufficient to prevent incorrect configurations on a larger scale. To protect Selenium Grid from unauthorized external access, we recommend following the official guidelines for configuring basic authentication.
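As an added example, not part of the original post or of Wiz's or Selenium's own tooling, the following check inspects WebDriver new-session request bodies (for instance in a reverse proxy or WAF placed in front of the hub) for the two signs of the technique described above: a Chrome binary path rewritten to something that is not an approved browser, and launch arguments that are not ordinary Chrome command-line switches. The allowlist of browser paths and both sample payloads are constructed assumptions.

```python
import json

# Assumed allowlist of browser binaries a legitimate node is expected to run.
# None covers requests that do not set a binary at all (the normal case).
ALLOWED_BINARIES = {"/usr/bin/google-chrome", "/opt/google/chrome/chrome", None}


def audit_new_session(payload: str) -> list[str]:
    """Return findings for a W3C WebDriver new-session request body.

    Flags a 'goog:chromeOptions.binary' that is not an approved browser and
    any 'args' entry that is not a '--switch', which is how the page describes
    the interpreter being started with a script instead of Chrome.
    """
    findings = []
    body = json.loads(payload)
    caps = body.get("capabilities", {})
    # Both alwaysMatch and every firstMatch candidate can carry chromeOptions.
    matches = [caps.get("alwaysMatch", {})] + caps.get("firstMatch", [])
    for match in matches:
        opts = match.get("goog:chromeOptions", {})
        binary = opts.get("binary")
        if binary not in ALLOWED_BINARIES:
            findings.append(f"binary override: {binary}")
        for arg in opts.get("args", []):
            if not str(arg).startswith("--"):
                findings.append(f"non-switch argument: {str(arg)[:40]}")
    return findings


# Constructed sample: a normal headless test session.
BENIGN = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {"binary": "/usr/bin/google-chrome",
                           "args": ["--headless=new", "--no-sandbox"]}}}})

# Constructed sample: binary redirected to an interpreter, plus a non-switch
# argument standing in for the script the attacker would pass.
SUSPICIOUS = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome",
    "goog:chromeOptions": {"binary": "/usr/bin/python3",
                           "args": ["<constructed non-switch argument>"]}}}})

if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_new_session(payload) or "clean")
```

Such a check complements, but does not replace, enabling authentication on the hub and restricting network access to it.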