How threat actors breached a U.S. federal civilian agency by exploiting a GeoServer flaw
The U.S. CISA disclosed that threat actors exploited the GeoServer vulnerability CVE-2024-36401 to break into a federal agency's network and achieve remote code execution. The attackers moved laterally and deployed malware, using publicly available tools and living-off-the-land (LOTL) techniques to evade detection. CISA stresses the importance of timely patching and stronger security measures. Published 2025-09-24 10:14:48, source: securityaffairs.com


Pierluigi Paganini September 24, 2025

US CISA revealed that threat actors exploited an unpatched vulnerability in GeoServer to breach a U.S. federal civilian agency’s network.

Threat actors breached a U.S. federal agency via an unpatched GeoServer flaw, tracked as CVE-2024-36401 (CVSS score 9.8), a critical remote code execution (RCE) issue. The bug lies in the GeoTools library that GeoServer uses to evaluate property names supplied in OGC requests: those names are passed unsafely to an XPath evaluator, so an unauthenticated attacker can run arbitrary code on the server.

In mid-July 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

GeoServer is an open-source, Java-based server that allows users to share and edit geospatial data. The vulnerability was disclosed on June 30, 2024, and multiple researchers published proof-of-concept exploits [12] for it online shortly afterwards.

CISA launched incident response at a U.S. Federal Civilian Executive Branch (FCEB) agency after the agency's endpoint detection and response (EDR) tool flagged potential malicious activity. The attackers had first gained access to the agency's network on July 11, 2024, about three weeks before those alerts.

Once inside the agency's network, the attackers exploited the same vulnerability to gain separate initial access to a second GeoServer and moved laterally to two other servers.

“CISA began incident response efforts at an FCEB agency after the agency identified potential malicious activity through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA discovered cyber threat actors compromised the agency by exploiting CVE-2024-36401 in a GeoServer about three weeks prior to the EDR alerts.” reads the advisory published by CISA. “Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers.”

From the GeoServers the threat actors moved laterally to a web server and a SQL server, deploying web shells such as China Chopper and scripts for persistence, remote access, and privilege escalation. They also relied on living-off-the-land (LOTL) techniques, built-in operating system and database features rather than custom malware, to evade detection.


CISA's investigation found that the threat actors first scanned the public-facing GeoServer with Burp Suite, then used a virtual private server (VPS) and publicly available tools to exploit CVE-2024-36401 and achieve RCE on two GeoServers. From there they:

  • ran eval injections, uploaded web shells, and created cron jobs and user accounts to maintain persistence;
  • attempted privilege escalation with the publicly available Dirty COW (CVE-2016-5195) exploit;
  • used the SQL Server stored procedure xp_cmdshell, Windows BITS jobs and other LOTL techniques to evade detection;
  • brute-forced credentials, performed network discovery with fscan and ping sweeps, and moved laterally to the web and SQL servers.
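Because initial access came through a public-facing GeoServer, the quickest retroactive check is a pass over the GeoServer/Tomcat access logs for requests shaped like the public CVE-2024-36401 proof-of-concept. The script below is an added example written for this article; it is not code from Security Affairs, CISA or the GeoServer project. It assumes Combined Log Format lines, that the parameters GeoServer feeds to the XPath evaluator are valueReference, propertyName and the CQL/XML filter parameters, and that an exploit attempt references java.lang.Runtime or ProcessBuilder in one of them (the shape of the published PoCs). The sample log lines are constructed for the example.

```python
"""Flag GeoServer requests that look like CVE-2024-36401 exploitation attempts.

Added example, not from the article or the CISA advisory. Assumptions:
  - logs are in Combined Log Format as written by Tomcat's AccessLogValve;
  - the parameter names below are the ones evaluated as XPath by the
    vulnerable GeoTools code path (based on public write-ups);
  - an exploit attempt references JVM process-spawning classes.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request parameters handed to the XPath evaluator in vulnerable versions
# (assumption, see module docstring); compared case-insensitively.
SUSPECT_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter"}

# Substrings that have no business in a property name or filter expression.
CODE_EXEC_MARKERS = (
    "java.lang.runtime",
    "java.lang.processbuilder",
    "getruntime(",
    "exec(",
)

# Combined Log Format: ip ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Jul/2024:03:12:07 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states&count=1 HTTP/1.1" 200 4123',
    '203.0.113.10 - - [11/Jul/2024:03:12:09 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 1432',
    '198.51.100.7 - - [11/Jul/2024:03:13:41 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9876',
    '203.0.113.10 - - [11/Jul/2024:03:14:02 +0000] "POST /geoserver/wfs HTTP/1.1" 200 512',
]


def is_exploit_attempt(url: str) -> bool:
    """True if a GeoServer request URL carries a code-execution XPath payload."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith("/geoserver/"):
        return False
    # parse_qs decodes once; decode again to catch double-encoded payloads.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in SUSPECT_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(unquote_plus(value)).lower()
            if any(marker in decoded for marker in CODE_EXEC_MARKERS):
                return True
    return False


def scan_log(lines):
    """Return one dict per suspicious request: source IP, timestamp, status, URL."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a parseable access-log line
        if is_exploit_attempt(match.group("url")):
            hits.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "status": match.group("status"),
                "url": match.group("url"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} {hit["url"]}')
```

Two caveats matter when running this against real logs. First, do not filter on HTTP status: the expression is evaluated before GeoServer builds its response, so an error status does not mean the payload failed. Second, WFS also accepts the same requests as XML over POST, and the payload then lives in the request body, which Tomcat's access log does not record; the fourth sample line shows such a request passing through unflagged, so body-level inspection (WAF or reverse-proxy logging) is needed for full coverage.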

“They used Stowaway [5], a publicly available multi-level proxy tool, to establish C2 [T1090]. Stowaway enabled the cyber threat actors to bypass the organization’s intranet restrictions and access internal network resources by forwarding traffic from their C2 server through the Web Server. They wrote Stowaway to disk using a tomcat service account.” continues the advisory.

CISA shared the following lessons learned:

  • Vulnerabilities were not promptly remediated.
  • The agency did not test or exercise its incident response plan (IRP), and the IRP did not enable it to promptly engage third parties or grant them access to the necessary resources.
  • EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.

Source: https://securityaffairs.com/182532/hacking/how-threat-actors-breached-u-s-federal-civilian-agency-by-exploiting-a-geoserver-flaw.html