Security
Headlines
HeadlinesLatestCVEs

Headline

Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. “Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions,” Cado Security researchers Tara Gould and Nate Bill said in an analysis published today. "However, Selenium Grid’s default configuration lacks

The Hacker News
#web#mac#auth#chrome#The Hacker News

Cryptocurrency / Network Security

Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns.

“Selenium Grid is a server that facilitates running test cases in parallel across different browsers and versions,” Cado Security researchers Tara Gould and Nate Bill said in an analysis published today.

“However, Selenium Grid’s default configuration lacks authentication, making it vulnerable to exploitation by threat actors.”

The abuse of publicly-accessible Selenium Grid instances for deploying crypto miners was previously highlighted by cloud security firm Wiz in late July 2024 as part of an activity cluster dubbed SeleniumGreed.

Cado, which observed two different campaigns against its honeypot server, said the threat actors are exploiting the lack of authentication protections to carry out malicious actions.

The first of them leverage the “goog:chromeOptions” dictionary to inject a Base64-encoded Python script that, in turn, retrieves a script named “y,” which is the open-source GSocket reverse shell.

The reverse shell subsequently serves as a medium for introducing the next-stage payload, a bash script named “pl” that retrieves IPRoyal Pawn and EarnFM from a remote server via curl and wget commands.

“IPRoyal Pawns is a residential proxy service that allows users to sell their internet bandwidth in exchange for money,” Cado said.

“The user’s internet connection is shared with the IPRoyal network with the service using the bandwidth as a residential proxy, making it available for various purposes, including for malicious purposes.”

EarnFM is also a proxyware solution that’s advertised as a “ground-breaking” way to “generate passive income online by simply sharing your internet connection.”

The second attack, like the proxyjacking campaign, follows the same route to deliver a bash script via a Python script that checks if it’s running on a 64-bit machine and then proceeds to drop a Golang-based ELF binary.

The ELF file subsequently attempts to escalate to root by leveraging the PwnKit flaw (CVE-2021-4043) and drops an XMRig cryptocurrency miner called perfcc.

“As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors,” the researchers said. “Users should ensure authentication is configured, as it is not enabled by default.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Stealthy Malware Has Infected Thousands of Linux Systems for Years

Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

New Linux Malware ‘Perfctl’ Targets Millions by Mimicking System Files

New Linux malware ‘Perfctl’ is targeting millions worldwide, mimicking system files to evade detection. This sophisticated malware compromises…

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software. "Perfctl is particularly elusive and persistent, employing several sophisticated techniques," Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News. "When a new user logs

Near-'perfctl' Fileless Malware Targets Millions of Linux Servers

Armed with a staggering arsenal of at least 20,000 different exploits for various Linux server misconfigurations, perfctl is everywhere, annoying, and tough to get rid of.

Hackers Proxyjack & Cryptomine Selenium Grid Servers

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.

The Hacker News: Latest News

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign