Hackers Exploit Exposed Selenium Grid Servers for Proxyjacking and Cryptomining
Introduction
Hackers are increasingly targeting exposed Selenium Grid servers, hijacking them for cryptomining and proxyjacking activities. Selenium, an open-source browser automation tool widely used for web application testing, has become a valuable target for cybercriminals. As these servers often lack proper security measures, threat actors are seizing the opportunity to leverage them for their own gain. This blog will explore recent findings from a honeypot experiment that uncovered the extent of these attacks and the potential risks for organizations.
The Rising Threat: Proxyjacking and Cryptomining on Selenium Grid Servers
Selenium Grid, a powerful tool designed for testing web applications across multiple platforms and browsers, is widely used in cloud environments. According to research, it’s present in 30% of these environments, and many of its servers are exposed to the internet, making them prime targets for malicious actors. Cybercriminals are deploying automated malware to compromise these servers, which often remain unprotected due to their internal nature.
A recent honeypot experiment by Cado Security revealed two primary threats targeting these exposed servers: proxyjacking and cryptomining. Proxyjacking involves hijacking a victim’s internet bandwidth, allowing hackers to use it as a proxy for their activities. Cryptomining, on the other hand, uses the victim’s computational resources to mine cryptocurrency, significantly slowing down the compromised systems.
How Hackers Exploit Selenium Servers
The Cado Security honeypot detected two distinct attack types aimed at compromising Selenium Grid servers. The first attack deployed several scripts, including one labeled “y,” which dropped GSocket, a networking toolkit typically used to establish secure TCP connections. In this case, hackers used it to maintain control over compromised servers. The scripts also performed reconnaissance activities, analyzing system architecture and privileges before dropping proxyware like Pawns.app and EarnFM. These programs allow threat actors to hijack the victim’s internet bandwidth for proxyjacking.
Proxyjacking gives hackers the ability to use a legitimate IP address, bypassing security measures like IP filtering that organizations implement to block malicious activity. In this attack, cybercriminals could mask their identity and operate anonymously, making it more difficult to trace their malicious actions.
Cryptomining: The Second Wave of Attacks
The second type of attack uncovered by the honeypot utilized a Golang-based binary that exploited PwnKit, a vulnerability in Linux systems (CVE-2021-4043), to escalate privileges. Once the attackers gained control, they deployed perfcc, a cryptominer that consumes the system’s resources to generate cryptocurrency. This mirrors a year-long cryptomining campaign revealed by Wiz, where hackers used exposed Selenium Grid servers as a vector for deploying the XMRig miner.
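Both attack chains described above leave recognisable traces in a host's process list: the dropper and proxyware run from the Grid's own service account, the GSocket binary holds the persistent connection, pkexec appears under a parent owned by that account, and the miner runs as root afterwards. The following is an added example (not Cado Security's or Foresiet's code) that scans a `ps -eo pid,ppid,user,args` listing for exactly those traces. The tool names come from the post; the regex patterns, the `seluser` account name and the sample listing are constructed assumptions for illustration.

```python
"""Scan a `ps -eo pid,ppid,user,args` listing for the post-compromise tooling
described above (GSocket, Pawns.app/EarnFM proxyware, perfcc/XMRig miners,
pkexec launched from the Grid's service account).

Added example, not Cado Security's or Foresiet's code. The tool names come
from the post; the command-line patterns, the `seluser` account name and the
sample listing are constructed for illustration.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    args: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Name-based rules. The regexes are assumptions about how these tools show up
# on a command line; the tool names are the ones the post reports.
RULES = [
    ("gsocket", re.compile(r"(^|/)(gs-netcat|gs-sh|gsocket)\b", re.I)),
    ("proxyware", re.compile(r"\b(pawns|earnfm)", re.I)),
    ("cryptominer", re.compile(r"(^|/)(perfcc|xmrig)\b", re.I)),
]
PKEXEC = re.compile(r"(^|/)pkexec\b")


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,ppid,user,args` output; the args column may contain spaces."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, blank or malformed line
        pid, ppid, user, args = parts
        procs.append(Proc(int(pid), int(ppid), user, args))
    return procs


def grid_accounts(procs: list[Proc]) -> set[str]:
    """Accounts running a Selenium hub/node: a java process with selenium-server on its command line."""
    return {p.user for p in procs if "java" in p.args and "selenium-server" in p.args}


def scan(procs: list[Proc]) -> list[Finding]:
    findings = []
    svc = grid_accounts(procs)
    by_pid = {p.pid: p for p in procs}
    for p in procs:
        for rule, pat in RULES:
            if pat.search(p.args):
                findings.append(Finding(p.pid, rule, p.args))
        # The Grid service account executing anything out of /tmp is where the
        # honeypot's dropper scripts and proxyware landed.
        if p.user in svc and any(tok.startswith("/tmp/") for tok in p.args.split()):
            findings.append(Finding(p.pid, "grid_account_tmp_exec", p.args))
        # pkexec is setuid root, so it shows up as root; the tell is a parent
        # process owned by the Grid account (PwnKit-style escalation).
        if PKEXEC.search(p.args):
            parent = by_pid.get(p.ppid)
            if p.user in svc or (parent is not None and parent.user in svc):
                findings.append(Finding(p.pid, "pkexec_from_grid_account", p.args))
    return findings


def scan_ps(text: str) -> list[Finding]:
    return scan(parse_ps(text))


# Constructed sample listing: a Grid node running as `seluser` after a dropper
# of the kind described in the post has run.
SAMPLE_PS = """\
  PID  PPID USER     COMMAND
    1     0 root     /sbin/init
 1021     1 seluser  java -jar /opt/selenium/selenium-server.jar node --port 5555
 2203  1021 seluser  /bin/sh /tmp/y
 2210  2203 seluser  gs-netcat -l
 2250  2203 seluser  /tmp/pawns-cli
 3001  2203 seluser  /tmp/loader
 3002  3001 root     pkexec
 3010  3002 root     /tmp/perfcc
 4100     1 root     /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    # Pipe real output in (`ps -eo pid,ppid,user,args | python3 scan.py`),
    # or run with no input to see the constructed sample scored.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PS
    for f in scan_ps(text):
        print(f"pid={f.pid:<6} {f.rule:<26} {f.detail}")
```

On the sample listing the script reports seven findings: the `/tmp` executions by the Grid account, the GSocket listener, the proxyware, the pkexec instance whose parent belongs to the Grid account, and the miner. Name-based rules are brittle on their own, which is why the account-from-`/tmp` and pkexec-parentage rules are there: they catch renamed binaries as long as the service account is still the one doing the work.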
While cryptomining is a serious threat, it’s important to understand that these types of attacks could be used for far worse purposes. In test environments, where Selenium Grid is most commonly found, there is often proprietary code that could serve as an entry point to more sensitive systems, including production environments.
The Scale of the Problem: Over 30,000 Exposed Servers
Selenium Grid, designed as an internal tool, typically does not come with built-in authentication. However, research from Wiz in July 2024 revealed that over 15,000 Selenium Grid servers are exposed to the internet, with more than 17,000 running outdated versions. These numbers underscore the scale of the problem and the urgency for organizations to secure their environments.
Without proper protection, threat actors can easily gain access to these servers, exploiting vulnerabilities for proxyjacking, cryptomining, or worse. This represents a significant threat to any organization utilizing Selenium Grid without adequate security measures.
Securing Your Selenium Grid Servers
The risks associated with exposed Selenium Grid servers highlight the need for robust security practices. Organizations should not allow these servers to be publicly accessible without implementing the proper security measures. If external access is required, experts recommend deploying an authentication proxy server with multi-factor authentication (MFA), as well as strong username and password combinations. This helps to protect these critical tools from unauthorized access and malicious exploitation.
In addition, organizations should regularly monitor their digital footprint and conduct online risk evaluations to detect any exposed assets. Leveraging brand protection and compromised data tracking services can also help mitigate the risks posed by cybercriminals targeting vulnerable infrastructure.
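Monitoring your own footprint for exposed Grid servers starts with a simple question: does the hub answer its status endpoint without credentials? The script below is an added example (not Foresiet's or Wiz's tooling) that asks exactly that of hosts you administer. It sends an unauthenticated GET to the Grid 4 `/status` endpoint and to the `/wd/hub/status` path used by older hubs, and treats a 401/403 from an authentication proxy of the kind recommended above as protected. `MIN_VERSION` is an assumed baseline rather than a vendor figure, and the sample reply at the bottom is constructed.

```python
"""Report Selenium Grid hosts that answer status requests without authentication.

Added example, not Foresiet's or Wiz's tooling. It issues an unauthenticated
GET to the Grid 4 `/status` endpoint (and the `/wd/hub/status` path of older
hubs) on hosts you administer, and flags any that return Grid status JSON.
A 401/403 from an authentication proxy counts as protected. `MIN_VERSION` is
an assumed baseline; set it to the release you have validated.
"""
import json
import sys
import urllib.error
import urllib.request

MIN_VERSION = (4, 20, 0)          # assumed baseline, not a vendor figure
STATUS_PATHS = ("/status", "/wd/hub/status")


def parse_version(version: str):
    """'4.10.0 (revision abc)' -> (4, 10, 0); unparseable -> None."""
    head = version.split()
    if not head:
        return None
    nums = []
    for tok in head[0].split("."):
        if not tok.isdigit():
            break
        nums.append(int(tok))
    return tuple(nums) if nums else None


def assess(http_status, body: str) -> dict:
    """Classify one unauthenticated status reply.

    exposed:  the reply is Grid status JSON (reachable with no credentials)
    ready:    the Grid's own readiness flag, when exposed
    versions: node versions reported in the reply
    outdated: whether any reported version is below MIN_VERSION
    """
    result = {"exposed": False, "ready": None, "versions": [], "outdated": False}
    if http_status != 200:
        return result              # 401/403 (auth proxy), 404, etc.
    try:
        value = json.loads(body).get("value")
    except (ValueError, AttributeError):
        return result              # not JSON, or no object at the top level
    if not isinstance(value, dict) or "ready" not in value:
        return result              # some other service answered on this path
    result["exposed"] = True
    result["ready"] = bool(value["ready"])
    for node in value.get("nodes") or []:
        ver = node.get("version") if isinstance(node, dict) else None
        if ver:
            result["versions"].append(ver)
            parsed = parse_version(ver)
            if parsed is not None and parsed < MIN_VERSION:
                result["outdated"] = True
    return result


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url+path with no credentials; (status, body), or (None, '') on a network error."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "grid-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_host(base_url: str) -> dict:
    """Try each status path; return the first exposed assessment, else a not-exposed record."""
    for path in STATUS_PATHS:
        status, body = fetch(base_url, path)
        if status is None:
            continue
        result = assess(status, body)
        if result["exposed"]:
            result["path"] = path
            return result
    return {"exposed": False, "ready": None, "versions": [], "outdated": False, "path": None}


# Constructed reply of an open Grid 4 hub, for reference and offline checks.
SAMPLE_OPEN_REPLY = json.dumps({"value": {"ready": True, "message": "Selenium Grid ready.",
    "nodes": [{"id": "node-1", "uri": "http://10.0.0.5:5555", "availability": "UP",
               "version": "4.10.0 (revision abcdef0)", "slots": []}]}})

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: grid_exposure.py http://grid-host:4444 [...]")
    for host in sys.argv[1:]:
        r = check_host(host)
        state = "EXPOSED" if r["exposed"] else "protected/unreachable"
        extra = (f" path={r['path']} versions={r['versions']} outdated={r['outdated']}"
                 if r["exposed"] else "")
        print(f"{host}: {state}{extra}")
```

Run it from outside your network perimeter against the hub URLs in your inventory; a hub that reports `EXPOSED` is reachable by anyone, exactly the condition the honeypot attacks relied on, and the reported node versions tell you which ones also need the update the post calls for.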
Conclusion
The increasing number of attacks on exposed Selenium Grid servers demonstrates the evolving tactics of cybercriminals, from cryptomining to the rising threat of proxyjacking. With over 30,000 publicly exposed servers, organizations must take immediate action to secure their environments. Proper authentication, regular updates, and constant monitoring are essential to defending against these types of attacks.
In today’s cybersecurity landscape, protecting internal tools like Selenium Grid from external threats is crucial. By understanding these emerging attack vectors and implementing the right defenses, organizations can safeguard their infrastructure and minimize the risk of compromise.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Dec. 11, 2024, 6:29 p.m.
Nov. 29, 2024, 5:43 p.m.