July 29, 2024
Severity
High
Analysis Summary
Security researchers have raised alarms over a campaign that abuses publicly accessible Selenium Grid services on the internet to mine cryptocurrency illicitly.
Researchers track the activity under the moniker SeleniumGreed. The campaign targets Selenium 3.141.59 and earlier versions and is believed to have been active since at least April 2023. Most users are unaware that the Selenium WebDriver API allows complete interaction with the underlying machine, including reading and downloading files as well as executing remote commands.
The service does not enable authentication by default. As a result, a large number of publicly reachable instances are misconfigured, accessible to anyone, and open to abuse. Selenium Grid is a component of the Selenium automated testing framework that allows tests to run in parallel across many workloads, browser versions, and browser configurations. The project maintainers warn that Selenium Grid must be placed behind a firewall with appropriate access controls to prevent outside access; otherwise unauthorized users can reach and run internal web applications and files as well as arbitrary binaries.

It is not yet clear who is behind the attack operation. In this campaign the threat actor targets publicly visible Selenium Grid instances and uses the WebDriver API to run Python code that downloads and launches an XMRig miner. The adversary first sends a request to the exposed Selenium Grid hub to execute a Python program containing a Base64-encoded payload; that payload spawns a reverse shell to an attacker-controlled server, which delivers the final payload, a modified version of the open-source XMRig miner.
The attacker constructs the mining pool IP dynamically at runtime rather than hardcoding it in the miner configuration, and has enabled XMRig's TLS-fingerprint feature so that the miner only communicates with servers under the threat actor's control. The IP address in question is believed to belong to a legitimate service that the threat actor compromised, since it has also been found to host a publicly accessible Selenium Grid instance.
Researchers report that over 30,000 instances of exposed remote command execution have been found, and that remote command execution is also feasible on more recent versions of Selenium, so users must act immediately to address the misconfiguration. Because Selenium Grid is not designed to be exposed to the internet and does not enable authentication by default, any user with network access to the hub can use the API to interact with the nodes. If the service runs on a host with a public IP address and insufficient firewall rules, this is a serious security risk.
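The exposure described above can be checked from the defender's side by asking each hub in your own inventory whether it answers its status endpoint without credentials. The script below is an added example and not part of the advisory or the Selenium project; it assumes that Grid 4 serves `/status` and Grid 3 serves `/wd/hub/status`, both returning a JSON object with a top-level `value` key, and it uses a constructed mock hub for the stand-alone demo.

```python
"""Added example, not from the advisory: audit hosts you own for a
Selenium Grid hub that answers its status endpoint anonymously.
Assumptions: Grid 4 serves /status and Grid 3 serves /wd/hub/status
(both return JSON with a top-level "value" key); the mock hub used in
the demo is constructed."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

STATUS_PATHS = ("/status", "/wd/hub/status")  # Grid 4, then Grid 3


def fetch_json(url, timeout):
    """GET url without credentials. Return (http_status, parsed_body).
    parsed_body is None when the reply is not JSON; status 0 means the
    host was unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return err.code, None
    except (URLError, OSError, ValueError):
        return 0, None


def check_hub(base_url, timeout=3.0, fetch=fetch_json):
    """Classify one hub. 'exposed' is True only when a status path answers
    HTTP 200 with a JSON object carrying a 'value' key and no auth challenge."""
    for path in STATUS_PATHS:
        status, body = fetch(base_url.rstrip("/") + path, timeout)
        if status in (401, 403):
            return {"url": base_url, "exposed": False, "reason": f"auth required ({status})"}
        if status == 200 and isinstance(body, dict) and "value" in body:
            value = body["value"] if isinstance(body["value"], dict) else {}
            return {"url": base_url, "exposed": True, "path": path, "ready": value.get("ready")}
    return {"url": base_url, "exposed": False, "reason": "no anonymous status reply"}


def audit(base_urls, timeout=3.0, fetch=fetch_json):
    """Run check_hub over an inventory and return only the exposed hubs."""
    return [r for r in (check_hub(u, timeout, fetch) for u in base_urls) if r["exposed"]]


class _MockHub(BaseHTTPRequestHandler):
    """Constructed stand-in for an unauthenticated Grid 4 hub (demo only)."""

    def do_GET(self):
        if self.path != "/status":
            self.send_response(404)
            self.end_headers()
            return
        payload = json.dumps({"value": {"ready": True, "message": "Selenium Grid ready."}}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_mock_hub():
    """Serve the mock hub on a free loopback port; return (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), _MockHub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    url, server = start_mock_hub()
    print(audit([url]))  # the constructed hub is reported as exposed
    server.shutdown()
    server.server_close()
```

Run it against the hub URLs you already know about (CMDB, cloud inventory, CI configuration); any hub reported as exposed should be moved behind a firewall or an authenticating reverse proxy, which is the control the maintainers' warning calls for. A 401 or 403 reply is treated as evidence that an authenticating front end is in place.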
Impact
- Command Execution
- Cryptocurrency Theft
- Information Theft
- Unauthorized Access
Indicators of Compromise
MD5
- 861f7deb8926bb0c6d11f8e81d27b406
- 585fd7777074089aaa3c615169c18170
SHA-256
- 6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab
- fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552
SHA-1
- b64cb7dbf62eb8b9539cc1d7901a487a3fd7de9b
- 47560b0a57913d01614256e9150b6e6f5e758250
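A practical way to act on the hash indicators above is a file-system sweep that computes all three digests in one pass and reports any match. The script below is an added example, not part of the advisory; the hash set is copied from the list above, and the sample files it writes for the demonstration are constructed and match nothing.

```python
"""Added example, not from the advisory: sweep a directory tree for files
whose MD5, SHA-1 or SHA-256 digest matches the SeleniumGreed indicators
listed above. The sample files created by make_sample_tree() are
constructed for the demonstration and match nothing."""
import hashlib
import os
import tempfile

HASH_NAMES = ("md5", "sha1", "sha256")

# Values copied from the advisory's Indicators of Compromise section.
IOC_HASHES = {
    "md5": {
        "861f7deb8926bb0c6d11f8e81d27b406",
        "585fd7777074089aaa3c615169c18170",
    },
    "sha1": {
        "b64cb7dbf62eb8b9539cc1d7901a487a3fd7de9b",
        "47560b0a57913d01614256e9150b6e6f5e758250",
    },
    "sha256": {
        "6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab",
        "fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for one file,
    streaming it once so large binaries are not loaded into memory."""
    digests = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(digests, iocs=IOC_HASHES):
    """Return [(algorithm, hex)] for every digest present in the IoC set."""
    return [(name, value) for name, value in digests.items()
            if value.lower() in iocs.get(name, ())]


def sweep(root, iocs=IOC_HASHES):
    """Walk root and return [(path, matches)] for files hitting the IoC set.
    Unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(hash_file(path), iocs)
            except OSError:
                continue
            if matched:
                hits.append((path, matched))
    return hits


def make_sample_tree():
    """Create constructed sample files in a fresh temp dir; return (root, paths)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    os.makedirs(os.path.join(root, "sub"))
    paths = {
        "empty": os.path.join(root, "empty.bin"),
        "note": os.path.join(root, "sub", "readme.txt"),
    }
    with open(paths["empty"], "wb"):
        pass
    with open(paths["note"], "wb") as fh:
        fh.write(b"constructed sample, not malware\n")
    return root, paths


if __name__ == "__main__":
    root, _paths = make_sample_tree()
    print(sweep(root))  # [] : the constructed files match no indicator
```

Point `sweep()` at the directories where the Selenium nodes write files (the browser download directory and any scratch paths used by test jobs) as well as `/tmp`; the `iocs` parameter takes any mapping of the same shape, so the set can be extended with indicators from other sources without editing the code.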
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.