Hackers exploited critical GeoServer RCE flaw to breach US federal agency


The Cybersecurity and Infrastructure Security Agency (CISA) has shared details of a security incident at an unnamed US federal agency in which hackers breached the organization's network by exploiting a critical vulnerability in an unpatched GeoServer instance.

The exploited flaw (CVE-2024-36401) is a remote code execution vulnerability that was patched on June 18, 2024. Within a month, CISA added the bug to its catalog of known exploited vulnerabilities, following the public release of multiple proof-of-concept exploits by security researchers.

Threat monitoring group Shadowserver observed active attacks targeting the flaw beginning July 9, 2024. Around that time, over 16,000 GeoServer instances were observed exposed to the internet.

According to CISA, the attackers accessed two federal GeoServer servers within a month after the vulnerability was publicly disclosed.

“To gain initial access to GeoServer 1 and GeoServer 2, the cyber threat actors exploited CVE-2024-36401. They leveraged this vulnerability to gain RCE by performing ‘eval injection,’ a type of code injection that allows an untrusted user’s input to be evaluated as code. The cyber threat actors likely attempted to load a JavaScript extension to gain webserver information as an Apache wicket on GeoServer 1. However, their efforts were likely unsuccessful, as CISA observed attempts to access the .js file returning 404 responses in the web logs, indicating that the server could not find the requested URL,” the advisory explains.
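The two artifacts described above, an OGC request whose property-name parameter carries a Java expression, and follow-on 404s for a .js path from the same client, are both visible in plain web-server access logs. The scanner below is an added example written for this article, not code from CISA or the GeoServer project. It assumes Common Log Format lines, matches the request shape that public proof-of-concept reports for CVE-2024-36401 describe (a `java.lang.Runtime` / `getRuntime()` / `exec(` expression inside a WFS or WMS parameter such as `valueReference` or `CQL_FILTER`), and treats the parameter list as illustrative rather than exhaustive. The log lines are constructed for the example.

```python
"""Added example (not from the CISA advisory): flag access-log entries that look
like CVE-2024-36401 exploitation, then flag later .js requests from the same
client that returned 404, mirroring the pattern CISA describes above."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common Log Format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters that public PoC reports abuse; illustrative list, an assumption of
# this example rather than a CISA-confirmed set.
OGC_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter"}

# Expression fragments that should never appear in a property name or filter.
JXPATH_RCE = re.compile(
    r"java\.lang\.(Runtime|ProcessBuilder)|getRuntime\s*\(|\bexec\s*\(", re.I
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in CLF shape."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    parts = urlsplit(req["url"])
    req["path"] = parts.path
    # parse_qs percent-decodes once; decode again so double-encoded payloads
    # (e.g. %2528 for "(") are also visible to the regex.
    req["params"] = {
        k.lower(): [unquote_plus(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return req


def is_jxpath_rce(req):
    """True if a GeoServer request carries a Java expression in an OGC parameter."""
    if "/geoserver/" not in req["path"].lower():
        return False
    return any(
        name in OGC_PARAMS and any(JXPATH_RCE.search(v) for v in values)
        for name, values in req["params"].items()
    )


def scan(lines):
    """Walk log lines in order; return (ip, label, path) findings."""
    findings = []
    suspects = set()  # clients that already sent an exploit-shaped request
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if is_jxpath_rce(req):
            findings.append((req["ip"], "cve-2024-36401-pattern", req["path"]))
            suspects.add(req["ip"])
        elif (
            req["ip"] in suspects
            and req["path"].lower().endswith(".js")
            and req["status"] == 404
        ):
            # Matches the failed .js fetch CISA saw after the eval injection.
            findings.append((req["ip"], "post-exploit-js-404", req["path"]))
    return findings


# Constructed sample log: one attacker (203.0.113.7) and one benign WFS client.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 512',
    '203.0.113.7 - - [09/Jul/2024:10:01:05 +0000] "GET /geoserver/www/update.js'
    ' HTTP/1.1" 404 221',
    '198.51.100.4 - - [09/Jul/2024:10:02:00 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=1.0.0&request=GetFeature&typeName=sf:roads'
    '&CQL_FILTER=NAME%3D%27Main%27 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [09/Jul/2024:10:02:30 +0000] "GET /geoserver/web/app.js'
    ' HTTP/1.1" 404 221',
]

if __name__ == "__main__":
    for ip, label, path in scan(SAMPLE_LOG):
        print(f"{ip}\t{label}\t{path}")
```

The benign client's `.js` 404 is deliberately not reported: a missing script on its own is noise, and the advisory's point is the sequence, an eval-injection request followed by the failed fetch from the same source. Response status is ignored for the exploit match itself because a 400 or 500 from GeoServer does not mean the injected expression did not run.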

The intruders moved laterally across the agency's network, targeting and infiltrating a web server and an SQL server.

On each compromised system, the attackers deployed web shells, including China Chopper, and various scripts to establish remote access, maintain persistence, execute commands, and escalate privileges. Brute force techniques were reportedly used to obtain passwords and access service accounts tied to specific applications.

The attackers remained undetected for approximately three weeks. The breach was eventually uncovered on July 31, 2024, when the agency’s Endpoint Detection and Response (EDR) platform flagged suspicious activity on the SQL server. Further alerts led the agency's Security Operations Center to isolate the affected system and initiate an investigation.
