A U.S. federal agency was breached by cyber threat actors who exploited an unpatched vulnerability in its GeoServer instance. The flaw, identified as CVE-2024-36401, is a critical remote code execution (RCE) issue with a CVSS score of 9.8. This vulnerability was disclosed on June 30, 2024, and proof-of-concept exploits were quickly made public by security researchers. In mid-July 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, a list of security vulnerabilities known to be actively exploited in the wild.
The attackers first gained access to the agency’s network on July 11, 2024. CISA began its incident response after the agency’s endpoint detection and response (EDR) tool flagged potential malicious activity. The attackers exploited the same vulnerability to access a second GeoServer, then moved laterally to two other servers within the network. CISA’s advisory states that the attackers were present in the network for about three weeks before the EDR alerts were triggered.
Once inside, the threat actors employed a variety of sophisticated techniques to maintain their presence and expand their access. They moved laterally to both a web server and an SQL server. The attackers deployed web shells, including China Chopper, and used scripts for persistence, remote access, and privilege escalation. They also leveraged living-off-the-land (LOTL) techniques, which involve abusing legitimate system tools and services to evade detection. To further their access, they attempted to escalate privileges using the publicly available dirtycow tool.
The government’s investigation revealed the attackers’ methodical approach. They first scanned the public-facing GeoServer using Burp Suite, then used a virtual private server (VPS) and public tools to exploit the RCE vulnerability. They executed eval injections, uploaded web shells, and created cron tasks and new accounts for persistence. The attackers also performed brute-force credential attacks, network discovery using tools like fscan and ping sweeps, and moved laterally to other servers. To manage their command and control (C2) operations and bypass the intranet restrictions, they used a multi-level proxy tool called Stowaway.
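Two of the persistence artifacts named above, newly created accounts and new cron tasks, are cheap to hunt for by comparing a known-good host snapshot against a current one. The script below is an added illustration and is not code from CISA or the advisory; the /etc/passwd and `crontab -l` snapshots embedded in it are constructed samples, and the account names and paths in them are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample snapshots (not from the advisory): a pre-incident baseline and a
# later capture of the same host, mimicking /etc/passwd and `crontab -l` output.
BASELINE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                   "geoserver:x:1001:1001::/opt/geoserver:/usr/sbin/nologin\n")
CURRENT_PASSWD = BASELINE_PASSWD + "support:x:0:1002::/home/support:/bin/bash\n"
BASELINE_CRON = "0 3 * * * /opt/geoserver/bin/backup.sh\n"
CURRENT_CRON = BASELINE_CRON + "*/5 * * * * /bin/sh /tmp/.x/update.sh\n"

def parse_passwd(text: str) -> Dict[str, dict]:
    """Map account name -> uid/home/shell from /etc/passwd-style text."""
    users = {}
    for line in filter(None, text.splitlines()):
        name, _, uid, gid, _, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users

def new_accounts(baseline: str, current: str) -> List[str]:
    """Accounts absent from the baseline, tagged if UID 0 or given an interactive shell."""
    before, after = parse_passwd(baseline), parse_passwd(current)
    findings = []
    for name, info in after.items():
        if name in before:
            continue
        tags = []
        if info["uid"] == 0:
            tags.append("uid0")
        if not info["shell"].endswith(("nologin", "false")):
            tags.append("interactive-shell")
        findings.append(f"{name}:{','.join(tags) or 'new'}")
    return findings

def new_cron_jobs(baseline: str, current: str) -> List[str]:
    """Cron entries absent from the baseline, tagged when they run from a staging dir."""
    before = {l.strip() for l in baseline.splitlines() if l.strip()}
    findings = []
    for line in current.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in before:
            continue
        tag = "tmp-path" if re.search(r"\s/(tmp|dev/shm|var/tmp)/", line) else "new"
        findings.append(f"{line}:{tag}")
    return findings

if __name__ == "__main__":
    print(new_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print(new_cron_jobs(BASELINE_CRON, CURRENT_CRON))
```

On a real host the baseline would come from a golden image or a pre-incident backup, and the same diff applies to system-wide cron directories and to the GeoServer webapps tree for dropped web shells.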
CISA’s response identified several key takeaways for the affected agency and others. The most significant issue was the failure to promptly patch known vulnerabilities. The agency also had weaknesses in its incident response plan (IRP), which was not regularly tested or exercised and did not allow for prompt engagement with third parties. Additionally, the agency was not continuously reviewing its EDR alerts, and some of its public-facing systems lacked adequate endpoint protection, which allowed the attackers to remain undetected for an extended period.