Hackers Proxyjack & Cryptomine Selenium Grid Servers

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Threat actors are infecting Internet-exposed Selenium Grid servers, with the goal of using victims Internet bandwidth for cryptomining, proxyjacking, and potentially much worse.
Selenium is an open source suite of tools for browser automation that, according to data from Wiz, can be found in 30% of cloud environments. Selenium Grid is its open source tool for automatically testing Web applications across multiple platforms and browsers in parallel, used by millions of developers and thousands of organizations worldwide. Its Selenium/hub docker image has more than 100 million pulls on Docker Hub.
Though its an internal tool by nature, tens of thousands of Selenium Grid servers are exposed on the Internet today. In turn, at least some hackers have deployed automated malware intended to hijack these servers for various malicious purposes.
To gauge the kinds of threats that face these untended servers, Cado Security
recently launched a honeypot
. As Al Carchrie, R&D lead solutions engineer for Cado Security, remembers, We deployed the honeypot on a Tuesday, and then we started to see activity within 24 hours.
During the research period, two primary threats kept automatically trying to attack the honeypot day after day.
The first deployed a series of scripts, including one labeled y, which dropped the open source networking toolkit GSocket. GSocket is designed to allow two users behind firewalls to establish a secure TCP connection. In this and other cases, though, threat actors used it as a means of command-and-control (C2).
Two scripts followed, pl and tm, which performed various reconnaissance functions — analyzing system architecture, checking for root privileges, and other functions — and dropped the campaigns primary payloads: Pawns.app (IPRoyal Pawn) and EarnFM. Each of these are proxyware — programs that allow users to essentially rent out their unused internet bandwidth.
Though services like these are sold legitimately, hackers can easily weaponize them for their own purposes. Called
proxyjacking
, it involves hijacking an unwitting Internet users IP to use as ones own personal proxy server for further malicious activities or selling it to another cybercriminal.
It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place, Carchrie explains. So if youre using Tor to try and anonymize yourselves, organizations might blacklist Tor IP addresses from accessing their infrastructure. This gives them an opportunity. This is the first time Ive personally come across proxyjacking being used as the end goal of a campaign.
The second attack snagged by the honeypot was similar in its initial means of infection, but dropped a Golang-based executable and linkable format (ELF) binary. The ELF, in turn, attempted to use PwnKit, a public exploit for CVE-2021-4043, an old, medium severity Linux privilege escalation bug (CVSS score 5.5).
Next, the malware connected to an attackers C2 infrastructure and dropped perfcc, a cryptominer. In this way, it paralleled
a different, yearlong campaign
revealed by Wiz back in July, which used Selenium Grid as a vector to deploy
the XMRig miner
.
As Ami Luttwak, CTO and co-founder of Wiz, explains, the same kind of attack can be used to do a lot worse.
Remember, Selenium runs usually in test environments, he says. Test environments have proprietary code, and many times from test environments you can actually get access back to either engineering environments or production. So this could be used by a more advanced attacker to start actually attacking the exposed organization.
Being an internal tool by nature, Selenium Grid does not have any authentication to barricade attackers from breaking in. Its maintainers have
warned in documentation
that it must be protected from external access using appropriate firewall permissions.
In July, though, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. Worse: More than 17,000 were both exposed to the Internet, and running outdated versions. (That number has since
dropped below 16,000
.) The vast majority of these were based in the US and Canada.
It was only a matter of time, then, before threat actors capitalized on the opportunity. The first documented sign of it was reported
in a Reddit post
.
Selenium is built to be an internal service for testing, Luttwak emphasizes. In most scenarios, its not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate.
Carchrie advises, If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords.
Dont miss the latest
Dark Reading Confidential podcast
,
where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs.
Listen now!

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Hackers Proxyjack & Cryptomine Selenium Grid Servers