
Proxyjacking, cryptomining against Selenium Grid servers escalate


Separate proxyjacking and cryptomining campaigns have been targeting internet-exposed instances of the Selenium Grid browser-testing framework, with threat actors taking advantage of the fact that Grid ships with no authentication enabled by default, according to The Hacker News.

In the proxyjacking campaign, the attackers abused the "goog:chromeOptions" capability accepted by Selenium Grid servers to run a base64-encoded Python script. That script retrieved the open-source GSocket reverse shell and ultimately installed the IPRoyal Pawns residential proxy service and the EarnFM proxyware tool, Cado Security researchers reported.

The cryptomining operation instead used a bash script that first verified the target was a 64-bit machine before dropping a Golang-based ELF binary. That binary exploited the PwnKit local privilege-escalation vulnerability in polkit's pkexec, tracked as CVE-2021-4034, and then deployed the perfcc XMRig cryptominer.

"As many organizations rely on Selenium Grid for web browser testing, this campaign further highlights how misconfigured instances can be abused by threat actors. Users should ensure authentication is configured, as it is not enabled by default," the researchers said.
