Critical GeoServer Vulnerability Exploited in Global Malware Campaign


A critical GeoServer vulnerability (CVE-2024-36401) is being actively exploited, allowing attackers to take control of systems for malware deployment, cryptojacking, and botnet attacks. Update GeoServer to the latest version to stay protected.

FortiGuard Labs Threat Research team has discovered that attackers are actively exploiting a recently discovered vulnerability (CVE-2024-36401, CVSS score: 9.8) in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2. This critical flaw allows attackers to remotely take control of vulnerable systems, potentially leading to a range of malicious activities.

GeoServer is an open-source software server built in Java that enables users to share and manage geospatial data. This OSGeo GeoServer GeoTools vulnerability was identified on July 1, 2024. Reportedly, attackers gain initial access by crafting specially formatted requests to exploit the flaw in GeoServer's request parameters. This allows them to execute arbitrary code on the vulnerable system. Once in, they execute a series of steps to establish persistence, deploy malware, and carry out their malicious activities.

The attackers retrieve malicious scripts from remote servers, which often contain instructions for downloading and executing other malware, such as GOREVERSE, SideWalk, JenX, Condi Botnet, and cryptocurrency miners like XMRig, depending on the attackers' objectives. Telemetry analysis of the script download URLs reveals a concentrated pattern of infections, primarily targeting South America, Europe, and Asia, indicating a sophisticated attack campaign.

GOREVERSE establishes a reverse proxy server, SideWalk is a Linux backdoor often linked to the APT41 hacking group, JenX is a variant of Mirai botnet, Condi Botnet is another DDoS botnet, and Cryptocurrency Miners hijack computing resources for attackers’ benefit.

Some malware, like SideWalk, creates backdoors on the compromised system and steals sensitive data. These backdoors allow attackers to maintain persistent access, even after the initial breach is resolved. Other malware, such as taskhost.exe, may create services or scheduled tasks to ensure automatic execution upon system startup.

Botnets like JenX and Condi can be used to launch DDoS attacks against targeted systems or networks. Furthermore, coin miners utilize the compromised system’s resources to mine cryptocurrency for the attackers’ profit while the Mirai botnet can scan networks for vulnerable devices and attempt to infect them, spreading the attack scope.

Additionally, attackers can achieve RCE (remote code execution) by using tools like GOREVERSE to execute commands on the compromised system, allowing them to further compromise and control it.

According to FortiGuard Labs’ blog post shared with Hackread.com ahead of publishing on Thursday, the attack campaign appears to be targeting a broad range of organizations across different regions, including:

  • IT service providers in India
  • Government entities in Belgium
  • Technology companies in the US
  • Telecommunications companies in Thailand and Brazil.

Screenshot of malicious site mimicking ICA India (Screenshot: FortiGuard Labs)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue on July 15. Shortly after, FortiGuard Labs observed multiple campaigns targeting this vulnerability to spread malware. Fortunately, it has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. 

Organizations using GeoServer can mitigate these risks by updating to the latest version, implementing threat detection tools and intelligence to identify and block malicious activity, and enforcing strong access controls to restrict unauthorized access to sensitive data and systems.
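To turn the patch advice above into something an operations team can run against an inventory, here is an added example (not code from the article, FortiGuard Labs, or the GeoServer project) that flags GeoServer instances still below the fixed releases named in the article. The fixed versions 2.23.6, 2.24.4 and 2.25.2 come from the article; the branch handling (older minor lines such as 2.22.x have no fix and are treated as vulnerable, lines newer than 2.25 ship with the fix) and the host names are assumptions.

```python
"""Flag GeoServer instances that predate the CVE-2024-36401 fixes.

Added example, not GeoServer's own code. Fixed releases are taken from the
article; the branch logic is an assumption: 2.23.x/2.24.x/2.25.x are fixed
from the listed patch level, older minor lines have no fix, newer lines
(2.26 and later) were released after the fix.
"""
import re

# Patched release per minor branch, as stated in the article.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '2.24.3' or
    'GeoServer 2.25.1-SNAPSHOT'. Raises ValueError if none is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text):
    """True if the version is below the fix on its branch, or on an older
    branch that never received a fix (assumption, see module docstring)."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return (major, minor, patch) < FIXED_VERSIONS[branch]
    return branch < max(FIXED_VERSIONS)


def hosts_needing_update(inventory):
    """inventory: iterable of (host, version_string); returns the sorted
    hosts whose GeoServer still needs to be updated."""
    return sorted(host for host, version in inventory if is_vulnerable(version))


# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = [
    ("gis-01.example.internal", "GeoServer 2.24.3"),
    ("gis-02.example.internal", "2.25.2"),
    ("gis-03.example.internal", "GeoServer 2.23.6"),
    ("gis-04.example.internal", "2.22.5"),
    ("gis-05.example.internal", "2.26.0"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update to a fixed GeoServer release")
```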
