Security researchers describe active exploitation of CVE-2024-36401 in GeoServer, driving campaigns that deploy GOREVERSE, SideWalk, Condi, and CoinMiner across organizations worldwide. The campaigns use a ChaCha20-based C2 channel, FRP tunneling, and multi-architecture payloads to gain remote control and stealthy persistence. #GOREVERSE #SideWalk #Condi #CoinMiner #JenX #APT41 #FRP #GeoServer #CVE-2024-36401
Key points
- Vulnerability: CVE-2024-36401 with a CVSS score of 9.8.
- Affected Platforms: GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2.
- Active exploitation observed with multiple malware campaigns (GOREVERSE, SideWalk, Condi, CoinMiner).
- Malware families span Linux backdoors, Windows botnets, and coin miners, including GOREVERSE, SideWalk, Condi, and several CoinMiner variants.
- Attack chain includes remote code execution, C2 communication, data encryption/obfuscation, and persistence mechanisms (e.g., Windows service).
- Affected sectors span IT providers, technology firms, government entities, and telecoms in multiple regions; telemetry indicates broad geographic reach.
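Because the advisory identifies the issue only by the fixed releases per branch, a defender's first step is inventory triage. The helper below is an added example (not from the original report): it parses a reported GeoServer version string and flags anything that predates the fix on its branch; treating branches newer than 2.25 as fixed is an assumption, and the inventory values are constructed sample input.

```python
"""Triage helper for CVE-2024-36401 in GeoServer.

A version is flagged when it falls below the fixed release of its branch
(2.23.6, 2.24.4, 2.25.2, as listed in the advisory). Branches older than
2.23 received no fix and are flagged; branches newer than 2.25 are ASSUMED
to ship with the fix. Added example, not part of the original report.
"""
import re

# Fixed release per maintained branch, taken from the advisory.
FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}
OLDEST_FIXED_BRANCH = (2, 23)


def parse_version(text):
    """Extract (major, minor, patch) from '2.24.3', 'GeoServer 2.25.1-SNAPSHOT', etc."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text):
    """True when the reported version predates the fix on its branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    # Unmaintained older branch: never fixed. Newer branch: assumed fixed.
    return branch < OLDEST_FIXED_BRANCH


def triage(inventory):
    """inventory: {host: version string} -> sorted hosts that still need patching."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "gis-01": "GeoServer 2.24.3",
        "gis-02": "2.24.4",
        "gis-03": "2.22.5",
        "gis-04": "2.25.1-SNAPSHOT",
        "gis-05": "2.26.0",
    }
    print("needs patching:", triage(sample))
```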
MITRE
- [T1203] Remote Code Execution – Exploitation of CVE-2024-36401 to execute arbitrary code on the GeoServer. [ ‘Exploitation of CVE-2024-36401 to execute arbitrary code on the GeoServer.’ ]
- [T1071] Command and Control – Establishing communication with command and control servers through various malware. [ ‘Establishing communication with command and control servers through various malware.’ ]
- [T1140] Deobfuscate/Decode Files or Information – The configuration is decrypted using the ChaCha20 algorithm. [ ‘The configuration is decrypted using the ChaCha20 algorithm.’ ]
- [T1105] Ingress Tool Transfer – Downloads and executes multiple bot binaries for different CPU architectures from a remote server. [ ‘downloads and executes multiple bot binaries for different CPU architectures.’ ]
- [T1082] System Information Discovery – The victim’s information (computer name, operating system, and system time) is transmitted. [ ‘The victim’s information (computer name, operating system, and system time) is transmitted.’ ]
- [T1543] Create or Modify System Process: Windows Service – The backdoor malware “taskhost.exe” creates a service named “9jzf5” for persistence. [ ‘The Backdoor malware “taskhost.exe” is designed especially for Windows. It creates a service named “9jzf5” for persistence.’ ]
- [T1027] Obfuscated Files and Information – The malware protects its configuration and data with XOR encoding (key 0xCC) and ChaCha20 encryption. [ ‘The XOR key 0xCC’ and ‘ChaCha20 algorithm’ were used to decrypt configuration and data. ]
Indicators of Compromise
- [URL] Payload download and command URLs – hxxp://181[.]214[.]58[.]14:61231/remote.sh, hxxp://oss[.]17ww[.]vip/21929e87-85ff-4e98-a837-ae0079c9c860[.]txt/test.sh, and 2 more items
- [IP Address] Download and C2 endpoints (IP:port) – 181.214.58.14:61231, 209.146.124.181:8030
- [Domain] Command and update/c2 domains – secure[.]systemupdatecdn[.]de, bots[.]gxz[.]me
- [SHA256 Hash] Sample hashes observed – b80e9466b7bb42959c29546b8c052e67fcaa0f591857617457d5d28348bd8860, d9e8b390f8e2e8a6c2308c723a6a812f59c055ecad4e9098a120e5c4c65d3905
- [File Name] Script names observed – remote.sh, test.sh
- [Wallet] Wallet address mentioned – 49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+50000