From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking
Essential information
- Published
- 17/09/2024 11:14
- Modified
- 17/09/2024 11:28
- Tags
- 2024-09-17 cryptomining gsocket iproyal pawns perfcc proxyjacking selenium grid tor traffmonetizer vulnerability exploitation
- Related entities
- 1 vulnerabilities (cve), 18 observables, 11 techniques (mitre), 2 malware
Description
Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances lacking authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64 encoded Python script to download and execute a reverse shell, followed by scripts that install IPRoyal Pawns for proxyjacking and TraffMonetizer for traffic monetization. The second campaign similarly injects a script that downloads and executes an ELF binary. This binary attempts privilege escalation, connects to Tor nodes for C2, and drops the 'perfcc' cryptominer. Both campaigns highlight the risks of misconfigured Selenium Grid instances and the need for proper authentication.