Hackers Exploit GeoServer RCE Flaw to Deploy Cryptocurrency Miners

The AhnLab Security Intelligence Center (ASEC) has confirmed that unpatched GeoServer instances are still facing relentless attacks by threat actors exploiting a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2024-36401.

GeoServer, an open-source Geographic Information System (GIS) server developed in Java for spatial data processing, became a prime target after the vulnerability was disclosed earlier in 2024.

This flaw allows unauthorized users to execute arbitrary code on affected systems, opening the door to malware deployment.

Unpatched GeoServer Vulnerability Under Siege

Reports from Fortinet in September 2024 highlighted attack campaigns distributing malicious payloads like GOREVERSE, SideWalk, Mirai, Condi, and CoinMiner through this vulnerability.

Similarly, Trend Micro exposed an operation by the Earth Baxia threat actor targeting a Taiwanese government agency with spear-phishing tactics exploiting the same flaw, underscoring the global reach of these threats.

South Korea has emerged as a focal point for these attacks, with ASEC documenting infections in Windows environments running vulnerable GeoServer versions.

The exploitation of CVE-2024-36401 likely facilitated the execution of PowerShell commands to install NetCat, a versatile networking tool often misused as a reverse shell for remote control of compromised systems.

[Figure: PowerShell process executed by vulnerability exploitation]

Through NetCat, attackers connected to their command-and-control (C&C) servers, enabling persistent access.

Targeted Attacks in South Korea

Following this initial breach, the threat actors deployed XMRig, a notorious cryptocurrency miner used to mine Monero coins by hijacking system resources.

[Figure: Bash script to install XMRig]

In Windows systems, PowerShell scripts downloaded from malicious URLs initiated the installation, while in Linux environments, Bash scripts were likely used to achieve similar results, including terminating competing miner processes and ensuring persistence via Cron jobs linked to Pastebin-hosted scripts.

The dual-OS targeting strategy demonstrates the attackers’ sophistication, as they tailor their approach based on the victim’s environment, maximizing their impact.

The installation of CoinMiner not only drains system performance but also poses a gateway for further malicious activities, such as data theft or additional malware deployment through the established NetCat backdoor.

According to the report, ASEC's findings emphasize the urgent need for organizations to patch their systems, as these attacks continue unabated, exploiting the lag in updates to unpatched GeoServer instances across diverse regions and sectors.

Organizations are strongly advised to update GeoServer to the latest patched version and monitor for suspicious network activity associated with these IOCs to mitigate risks posed by this ongoing threat.

Indicators of Compromise (IOCs)

Below are the key Indicators of Compromise (IOCs) identified by ASEC related to these attacks.

Type  Indicator
MD5   0b3744373c32dc6de80dfc081200d9f8
MD5   310c17c19e90381114d47914bcb3ccf2
MD5   523613a7b9dfa398cbd5ebd2dd0f4f38
MD5   5e84c2bcca9486b6416a8b27ed4d845e
MD5   615b348974fb3b5aea898a172fadecf4
URL   http://182.218.82.14/js/1/config.json
URL   http://182.218.82.14/js/1/gl.txt
URL   http://182.218.82.14/js/1/gw.txt
URL   http://182.218.82.14/js/1/s.rar
URL   http://182.218.82.14/js/1/startup.sh
IP    107.180.100.247
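One way to act on the advice above (monitor for activity associated with these IOCs) is a small scanner that matches the published hashes, URLs and IP against proxy, firewall and AV logs, and additionally flags the process chain the article describes: the Java process hosting GeoServer spawning PowerShell, and PowerShell launching NetCat. The script below is an added example written for this page, not ASEC's tooling or GeoServer's code; the log line format (`parent=... child=...`, `url=...`, `dst=...`, `md5=...`) and the sample lines are constructed for illustration, and the `java.exe`, `powershell.exe`, `nc.exe` and `ncat.exe` process names are assumptions about a Windows deployment.

```python
"""Match log lines against the ASEC GeoServer/CoinMiner IOCs and the
java -> powershell -> netcat process chain described in the article.
Added example; the log field names below are assumed, not a real product format."""
import re
from urllib.parse import urlparse

# Indicators exactly as listed in the article's IOC table.
IOC_MD5 = {
    "0b3744373c32dc6de80dfc081200d9f8",
    "310c17c19e90381114d47914bcb3ccf2",
    "523613a7b9dfa398cbd5ebd2dd0f4f38",
    "5e84c2bcca9486b6416a8b27ed4d845e",
    "615b348974fb3b5aea898a172fadecf4",
}
IOC_URLS = {
    "http://182.218.82.14/js/1/config.json",
    "http://182.218.82.14/js/1/gl.txt",
    "http://182.218.82.14/js/1/gw.txt",
    "http://182.218.82.14/js/1/s.rar",
    "http://182.218.82.14/js/1/startup.sh",
}
# The listed C&C IP plus the host that serves the listed URLs.
IOC_IPS = {"107.180.100.247"} | {urlparse(u).hostname for u in IOC_URLS}

# Behavioural rule: GeoServer runs inside a JVM, so java.exe spawning PowerShell
# (and PowerShell spawning NetCat) is the chain the article attributes to the
# exploitation. Process names are assumed for a Windows host.
SUSPICIOUS_CHAINS = {
    ("java.exe", "powershell.exe"),
    ("powershell.exe", "nc.exe"),
    ("powershell.exe", "ncat.exe"),
}

# Assumed log field layout: "parent=<image> child=<image>".
PROC_RE = re.compile(r"parent=(?P<parent>\S+)\s+child=(?P<child>\S+)")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def scan_line(line_no, line):
    """Return (line_no, kind, indicator) tuples for every IOC hit on one line."""
    findings = []
    for url in IOC_URLS:
        if url in line:
            findings.append((line_no, "url", url))
    for ip in IP_RE.findall(line):
        if ip in IOC_IPS:
            findings.append((line_no, "ip", ip))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:
            findings.append((line_no, "md5", digest.lower()))
    m = PROC_RE.search(line)
    if m:
        chain = (m["parent"].lower(), m["child"].lower())
        if chain in SUSPICIOUS_CHAINS:
            findings.append((line_no, "process-chain", "->".join(chain)))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines; line numbers start at 1."""
    out = []
    for n, line in enumerate(lines, 1):
        out.extend(scan_line(n, line))
    return out


# Constructed sample log (not real telemetry): one hit per IOC type plus benign noise.
SAMPLE_LOG = [
    "2024-10-01T10:00:01Z proxy client=10.0.0.5 url=http://182.218.82.14/js/1/startup.sh status=200",
    "2024-10-01T10:00:02Z proxy client=10.0.0.5 url=https://www.example.org/index.html status=200",
    "2024-10-01T10:00:05Z process parent=java.exe child=powershell.exe user=SYSTEM",
    "2024-10-01T10:00:06Z process parent=explorer.exe child=powershell.exe user=alice",
    "2024-10-01T10:00:09Z process parent=powershell.exe child=nc.exe user=SYSTEM",
    "2024-10-01T10:00:10Z firewall dst=107.180.100.247 dport=443 action=allow",
    "2024-10-01T10:00:12Z av file=C:/Temp/s.rar md5=523613a7b9dfa398cbd5ebd2dd0f4f38",
]

if __name__ == "__main__":
    for line_no, kind, indicator in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} hit -> {indicator}")
```

The URL hit on line 1 also produces an IP hit for the same host, which is intentional: a proxy may log only the destination address, so both indicator types are kept. The process-chain rule is where the real detection value lies, since hashes and hosting URLs change between campaigns while a JVM launching PowerShell on a GeoServer host remains unusual.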
