CISA disclosed a breach involving a U.S. federal agency that was exploited through an unpatched GeoServer vulnerability (CVE-2024-36401). Threat actors used web shells and brute-force tactics to infiltrate and move laterally within the network, remaining undetected for weeks. #CVE-2024-36401 #GeoServer #FCEB
Key points
- The attackers gained initial access by exploiting an unpatched remote code execution vulnerability in GeoServer.
- Security researchers and attack monitoring services identified active exploitation of CVE-2024-36401 starting July 9, 2024.
- After compromising the servers, the threat actors uploaded web shells and malicious scripts for remote access and privilege escalation.
- The attackers used brute-force techniques and exploited service accounts for lateral movement within the network.
- The breach was detected after three weeks by endpoint detection tools, leading to an investigation and containment efforts.