Critical GeoServer Flaw Enabling Global Hack Campaigns

Summary: A critical vulnerability in the GeoServer platform is being exploited by cybercriminals to launch global hacking campaigns, affecting various sectors including technology, government, and telecommunications. The vulnerability allows for remote code execution, enabling attackers to deploy malware and maintain control over compromised systems.

Threat Actor: APT41
Victim: Various sectors (technology, government and telecommunications)

Key Points:

  • Vulnerability tracked as CVE-2024-36401 allows remote code execution via specially crafted requests.
  • Cybercriminals are using the flaw to deploy malware such as Goreverse and SideWalk, a Linux backdoor linked to APT41.
  • The U.S. Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalog.
  • Targets include IT service providers in India, government agencies in Belgium, and telecommunications firms in Brazil and Thailand.

Cybercrime, Fraud Management & Cybercrime, Governance & Risk Management

Targets Include Technology, Government and Telecommunications Sectors

A critical vulnerability in the GeoServer platform – for which the GeoServer Project released a patch in July – is enabling hacking campaigns globally. (Image: Shutterstock)

Cybercriminals are using a critical remote code execution vulnerability in an open-source geospatial data platform to spread malware globally across several industries.


Fortinet researchers uncovered a critical vulnerability in GeoServer, tracked as CVE-2024-36401, that allows attackers to execute arbitrary code by sending specially crafted requests. Targets have included the technology, government and telecommunications sectors, Fortinet said.

GeoServer Project maintainers released a patch on July 1. Its software is widely used to share and edit geospatial data. The project follows standards set by the Open Geospatial Consortium for accessing and manipulating geospatial data over the web.

The flaw, which has a CVSS score of 9.8 out of 10, stems from the unsafe evaluation of certain property names as XPath expressions, making it possible for unauthenticated attackers to exploit a default installation of GeoServer.
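A defender-side check suggested by that root cause, added here as an example rather than code from the article or from Fortinet's research: it scans web-server access-log lines for GeoServer WFS requests whose property-reference parameters (assumed here to be `valueReference` and `propertyName`) carry function-call syntax or quotes instead of a plain attribute path. The log format and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the article or any real incident).
# Assumed format: '<client> - - [<ts>] "<method> <path> <proto>" <status> <bytes>'
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 512
10.0.0.7 - - [01/Sep/2024:10:00:05 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=someFunction(%27arg%27) HTTP/1.1" 200 40
10.0.0.9 - - [01/Sep/2024:10:00:09 +0000] "GET /geoserver/web/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A benign property reference is an attribute path: optional @, letters/digits,
# namespace prefixes (ns:name) and nested steps (a/b). Parentheses, quotes and
# other characters outside this set indicate an expression rather than a name.
BENIGN_PROPERTY = re.compile(r'^@?[A-Za-z_][\w.\-:/@]*$')

# Query parameters that the WFS endpoint interprets as property references (assumption).
PROPERTY_PARAMS = ("valuereference", "propertyname")

def suspicious_property_values(path):
    """Return property-reference values in a request path that are not plain attribute paths."""
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    params = {k.lower(): v for k, v in query.items()}  # parameter names are case-insensitive
    found = []
    for name in PROPERTY_PARAMS:
        for value in params.get(name, []):
            for item in value.split(","):           # a list of properties is comma-separated
                item = item.strip()
                if item and not BENIGN_PROPERTY.match(item):
                    found.append(item)
    return found

def scan_log(text):
    """Return (client, timestamp, offending values) for GeoServer requests with odd property references."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "/geoserver/" not in m["path"].lower():
            continue
        bad = suspicious_property_values(m["path"])
        if bad:
            hits.append((m["client"], m["ts"], bad))
    return hits

if __name__ == "__main__":
    for client, ts, values in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} suspicious property reference(s): {values}")
```

The regex allow-list is a triage heuristic, not a signature: it surfaces requests worth a closer look rather than proving exploitation, and it catches POST bodies only if the log records them.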

Fortinet said that cybercriminals swiftly capitalized on this weakness, launching multiple campaigns, including botnet families and cryptominers, that used the flaw to spread malicious tools such as Goreverse, a tool that functions as a reverse proxy server.

Once deployed, Goreverse establishes a connection with a command-and-control server, enabling attackers to control the compromised system and execute further malicious actions.

Among the attackers exploiting the flaw are those behind the SideWalk malware, a Linux backdoor linked to the Chinese state-sponsored group APT41. SideWalk targets various system architectures and uses advanced encryption techniques to establish C2 communication, exfiltrate data and maintain persistence in compromised systems.

The malware also uses Fast Reverse Proxy to create encrypted tunnels, allowing attackers to conceal their activities by blending malicious traffic with legitimate network traffic.

Researchers observed active exploitation of this vulnerability worldwide, including IT service providers in India, government agencies in Belgium, technology companies in the U.S., and telecommunications firms in Brazil and Thailand.

The U.S. Cybersecurity and Infrastructure Security Agency on July 15 added the GeoServer vulnerability to its Known Exploited Vulnerabilities catalog.

Source: https://www.bankinfosecurity.com/critical-geoserver-flaw-enabling-global-hack-campaigns-a-26225