
Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking

Internet-exposed Selenium Grid instances are being targeted by unscrupulous actors for illegal cryptocurrency mining and proxyjacking efforts.

"Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions," Cado Security researchers Tara Gould and Nate Bill noted in an analysis published today.

"However, Selenium Grid's default configuration lacks authentication, making it vulnerable to exploitation by threat actors."

The exploitation of publicly-accessible Selenium Grid instances for running crypto miners was previously identified by cloud security company Wiz in late July 2024 as part of an activity cluster named SeleniumGreed.

Cado, which observed two independent attacks against its honeypot server, said the threat actors are leveraging the absence of authentication to carry out a wide range of malicious actions.

The first of these abuses the "goog:chromeOptions" dictionary to inject a Base64-encoded Python script that, in turn, fetches a script called "y," the open-source GSocket reverse shell.

The reverse shell then serves as the channel for delivering the next-stage payload, a bash script called "pl" that retrieves IPRoyal Pawns and EarnFM from a remote server using curl and wget commands.

"IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money," Cado explained.

"The user's internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes."

EarnFM is likewise a proxyware solution that's described as a "ground-breaking" means to "generate passive income online by simply sharing your internet connection."

The second attack follows the same approach as the proxyjacking campaign, delivering a bash script via a Python script; the bash script checks whether it is running on a 64-bit machine and then drops a Golang-based ELF binary.

The ELF file later tries to elevate to root by using the PwnKit weakness (CVE-2021-4043) and drops an XMRig bitcoin miner dubbed perfcc.

"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors," the researchers added. "Users should ensure authentication is configured, as it is not enabled by default."
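The misconfiguration described above can be audited from the defender's side: Selenium Grid 4 exposes a /status endpoint that returns a JSON status document, and when HTTP basic authentication is enforced an anonymous request is refused. The following Python check is an added example, not code from Cado's report or from the Selenium project; the grid URL and the sample replies are constructed.

```python
"""Audit check: does a Selenium Grid answer /status without credentials?"""
import json
import urllib.error
import urllib.request

OPEN, PROTECTED, UNREACHABLE, UNKNOWN = "open", "protected", "unreachable", "unknown"


def classify_status_response(http_status: int, body: bytes) -> str:
    """Classify a raw /status reply. 401/403 means auth is enforced; a 200 carrying
    Grid's JSON status document means anyone on the network can drive the grid."""
    if http_status in (401, 403):
        return PROTECTED
    if http_status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return UNKNOWN
        value = doc.get("value") if isinstance(doc, dict) else None
        # Grid 4 status documents carry "ready" and a "nodes" list under "value".
        if isinstance(value, dict) and "ready" in value and "nodes" in value:
            return OPEN
    return UNKNOWN


def check_grid(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /status anonymously and classify the answer."""
    url = base_url.rstrip("/") + "/status"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify_status_response(exc.code, exc.read())
    except (urllib.error.URLError, OSError):
        return UNREACHABLE


# Constructed sample replies standing in for a live grid.
SAMPLE_OPEN = json.dumps(
    {"value": {"ready": True, "message": "Selenium Grid ready.", "nodes": [{"id": "n1"}]}}
).encode()
SAMPLE_PROTECTED = b"HTTP Basic: Access denied."

if __name__ == "__main__":
    print(classify_status_response(200, SAMPLE_OPEN))       # open
    print(classify_status_response(401, SAMPLE_PROTECTED))  # protected
    # Placeholder host; replace with the grid you operate.
    print(check_grid("http://grid.example.invalid:4444"))
```

A result of "open" on an internet-reachable host is the condition both campaigns rely on; Grid 4's router can require basic authentication via its username/password options, after which the same check should report "protected".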
