Wiz Research has detected an ongoing threat campaign dubbed “SeleniumGreed” that exploits exposed Selenium Grid services to deploy cryptominers. Selenium is a popular open-source suite used for testing web applications, allowing users to write tests that simulate user interactions across different browsers and environments.
Selenium Grid is a component within the Selenium suite. It provides a powerful API that allows users to launch and interact with web browsers on machines linked to it. Unbeknownst to most users, this API enables full interaction with the machine itself, including reading and downloading files, and running remote commands. Selenium Grid is designed for use in internal networks and lacks security controls by default. Ideally, such services should never be exposed to the internet.
Because the service ships without a default authentication mechanism, many exposed instances are misconfigured and can be accessed and exploited by malicious actors. This is particularly concerning because it quickly becomes a critical security risk when the service is deployed on a publicly accessible node without tight network security policies. Surprisingly, as far as we can tell, this is the first report of this misconfiguration being exploited in the wild.
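An exposure check you can run against your own Grid hubs, added here as an illustration and not part of the Wiz write-up or the Selenium project: it requests the public Grid 4 `/status` endpoint anonymously and reports whether the hub answers as ready without credentials, which nodes it advertises, and which sessions are active. The sample response is constructed and only modelled on the Grid status JSON; the host URL is an assumption.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample modelled on a Selenium Grid 4 GET /status body;
# node ids, URIs and session ids are made up for illustration.
SAMPLE_STATUS = json.dumps({
    "value": {
        "ready": True,
        "message": "Selenium Grid ready.",
        "nodes": [
            {"id": "node-1", "uri": "http://10.0.0.5:5555", "availability": "UP",
             "slots": [
                 {"id": {"slotId": "s1"}, "stereotype": {"browserName": "chrome"},
                  "session": {"sessionId": "abc", "capabilities": {"browserName": "chrome"}}},
                 {"id": {"slotId": "s2"}, "stereotype": {"browserName": "chrome"},
                  "session": None},
             ]},
        ],
    }
})


def assess_grid(status_body, http_status=200):
    """Classify one anonymous /status reply: 401 means auth is enforced,
    200 with ready=true means anyone reaching the port can drive the grid."""
    if http_status == 401:
        return {"exposed_unauthenticated": False, "reason": "auth required"}
    if http_status != 200:
        return {"exposed_unauthenticated": False, "reason": f"http {http_status}"}
    value = json.loads(status_body)["value"]
    nodes = value.get("nodes", [])
    active = []  # (node uri, session id) for every slot currently in use
    for node in nodes:
        for slot in node.get("slots", []):
            if slot.get("session"):
                active.append((node.get("uri"), slot["session"].get("sessionId")))
    return {
        "exposed_unauthenticated": bool(value.get("ready")),
        "node_count": len(nodes),
        "node_uris": [n.get("uri") for n in nodes],
        "active_sessions": active,
    }


def check_hub(base_url, timeout=5):
    """Fetch /status from one of your own hubs (e.g. http://grid.internal:4444,
    an assumed address) with no credentials and classify the answer."""
    try:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/status", timeout=timeout) as resp:
            return assess_grid(resp.read().decode(), resp.status)
    except HTTPError as e:
        return assess_grid("", e.code)
    except URLError as e:
        return {"exposed_unauthenticated": False, "reason": f"unreachable: {e.reason}"}
```

A hub that reports `exposed_unauthenticated` as true on an interface reachable from outside the test network is exactly the condition the campaign relies on; the active-session list gives a starting point for checking whether those sessions belong to your own test runs.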
The threat actor has leveraged Selenium WebDriver API's features to run Python with a reverse shell to deploy scripts that download the miner. The miner is a modified XMRig miner packed with custom UPX headers. The threat actor employed various methods to remain untraceable, including using other compromised Selenium nodes' workloads as a C2 for hosting payloads and as a mining pool proxy.