- The attackers exploited a critical GeoServer flaw to breach a United States federal agency in July 2024
- The China Chopper web shell enabled remote access and lateral movement on the compromised systems
- CISA urges timely patching, tested response plans and continuous alert monitoring
In mid-July 2024, a threat actor gained access to a United States Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.
In a detailed report on the incident, the United States Cybersecurity and Infrastructure Security Agency (CISA) described how the attackers took advantage of CVE-2024-36401, a flaw rated 9.8/10 that grants RCE through specially crafted input sent to a default GeoServer installation.
GeoServer is an open source server platform that lets users share, edit and publish geospatial data using open standards.
Lessons learned
The vulnerability was disclosed on June 30 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog by July 15, but by then it was already too late: the criminals had established persistence on the compromised endpoints.
Still, timely patching could have limited the damage, since a second GeoServer instance was breached on July 24.
Once inside, the attackers carried out extensive reconnaissance using tools such as Burp Suite, Fscan and Linux-Exploit-Suggester2.pl.
They moved laterally through the network, compromising a web server and an SQL server and deploying web shells on each system.
Among them was China Chopper, a lightweight web shell used for remote access and control of compromised servers. Once installed, it lets attackers execute commands, upload files and pivot within the network.
CISA did not attribute the attack to any known threat actor, but previously reported incidents show that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those linked to Chinese state-sponsored operations such as APT41.
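As an added example (not code from the CISA report or this article), here is a small Python scanner for China Chopper-style one-line web shell stubs on a web root: it flags files whose request parameters go straight into eval/exec and notes whether the file is suspiciously tiny. The signatures, paths and sample files are constructed for illustration and assume a Unix-style web root.

```python
import os
import re
import tempfile
# Signatures for China Chopper-style one-line server stubs: a request
# parameter passed straight to eval/exec with no validation.
SIGNATURES = {
    "php_eval_post": re.compile(r"eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I),
    "asp_eval_request": re.compile(r"\beval\s*\(?\s*request\s*[.(\[]", re.I),
    "jsp_exec_param": re.compile(r"getRuntime\(\)\.exec\s*\(.*?request\.getParameter", re.I),
}
WEB_EXTS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}
SMALL_FILE = 512  # China Chopper server stubs are typically a single short line

def scan_file(path):
    """Return [(signature_name, line_no, line)] for every matching line in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            hits += [(name, no, line.strip()) for name, rx in SIGNATURES.items() if rx.search(line)]
    return hits

def scan_webroot(root):
    """Walk a web root; return {relative_path: {"hits": [...], "small": bool}}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() not in WEB_EXTS:
                continue
            hits = scan_file(full)
            if hits:  # record the hits and whether the file is suspiciously tiny
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = {"hits": hits, "small": os.path.getsize(full) <= SMALL_FILE}
    return findings

# Constructed sample files (not artifacts from the incident): a PHP stub,
# a JSP stub, and a benign page that must not be flagged.
SAMPLES = {
    "uploads/img.php": "<?php @eval($_POST['pass']); ?>",
    "app/util.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
    "app/index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",
}

def demo():
    """Write the samples into a temporary web root, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root)
```

In practice this belongs alongside a file-integrity baseline of the web root and the continuous alert monitoring the report recommends, since a signature scan alone misses obfuscated variants.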
The purpose of the CISA report was to share the lessons learned from the incident, and those lessons appear to be: patch your systems in time, make sure you have an incident response plan (and test/exercise it!), and continuously monitor alerts.
Via BleepingComputer