Hackers Exploiting GeoServer RCE Vulnerability to Deploy Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

GeoServer is an open-source server for sharing geospatial data, and this open-source software server is written in Java. 

It publishes data from any major spatial data source using open standards. GeoServer is designed for teamwork and allows users to share, process, and edit geospatial data.

Cybersecurity researchers at Fortinet recently discovered that hackers have been exploiting GeoServer RCE vulnerability to deploy malware, and the vulnerability is tracked as “CVE-2024-36401.”

CVE-2024-36401 is a critical flaw that has a CVSS score of 9.8. Due to the poor design of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards, the flaw facilitates the unauthenticated external command execution exploit through structured attack input.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

GeoServer RCE Vulnerability

Different threat actors took advantage of this vulnerability to propagate malware in different countries and regions.

Some of the notable malware are GOREVERSE, a reverse proxy tool, and SideWalk, a Linux backdoor developed by APT41. Besides this, the malware used ChaCha20 and XOR encryption for traffic hiding and C2 communications.

While threat actors employed the Fast Reverse Proxy (FRP) tool to mask malicious data with legitimate traffic making it less prone to detection.

As a consequence of the attacks, a number of different cryptocurrency miners were installed, including XMRig, which was designed to work with the following CPU architectures that are targeted:-

  • ARM
  • MIPS
  • X86

The Fortinet report states that these miners connected to pools like SupportXMR and used scripts to uninstall cloud monitor agent applications and other means to deactivate security features.

Different attackers used more than one method of infection like DNS queries, HTTP file servers, cron jobs these things bring out the complexity and multi-dimensional nature of the act for breaching and monetizing in vulnerable systems.

To counter this critical vulnerability, the original XPath expression evaluator was replaced by the “JXPathUtils.newSafeContext” function, which is considered safe.

For additional protection, organizations should take extra precautions like ensuring that the software is always updated and patched, ensuring that there are surveillance tools in place for threats, and also making sure that access is very limited.

However, all these steps are crucial in mitigating risks associated with potential exploits. 

In effect, such concerns can be resolved by users before the GeoServer environments are deployed for use, consequently shielding the geospatial data infrastructure from compromise and threats as well as the functionality of that infrastructure as an open source one.

Download Free Incident Response Plan Template for Your Security Team – Free Download