US federal agency breached by hackers using GeoServer exploit, CISA says

News
By published

A timely patching could have prevented the attack

Data breach
(Image credit: Shutterstock)
  • Attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
  • China Chopper web shell enabled remote access and lateral movement across compromised systems
  • CISA urges timely patching, tested response plans, and continuous alert monitoring

In mid-July 2024, a threat actor managed to break into a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.

In an in-depth report detailing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers leveraged CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through specially crafted input against a default GeoServer installation.

GeoServer is an open source server platform that enables users to share, edit, and publish geospatial data using open standards.

Lessons learned

The vulnerability was disclosed on June 30, and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog by July 15, but by that time, it was already too late since the miscreants established persistence on compromised endpoints.

The damage could have been reduced with timely patching, though, as a second GeoServer instance was breached on July 24.

Once inside, the attackers conducted extensive reconnaissance using tools like Burp Suite, fscan, and linux-exploit-suggester2.pl.

They moved laterally across the network, compromising a web server and an SQL server, and deploying web shells on each system.

Among them was China Chopper, a lightweight web shell used for remote access and control over compromised servers. Once installed, it allows attackers to execute commands, upload files, and pivot within networks.

CISA did not attribute this attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those linked to Chinese state-sponsored operations such as APT41.

The goal of CISA’s report was to share lessons learned from the incident, and apparently those lessons are: patch your systems on time, make sure to have an incident response plan (and test/exercise it!), and continuously review alerts.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.