FortiGuard Labs Threat Research team has uncovered a critical vulnerability in GeoServer, identified as CVE-2024-36401, which is currently being exploited by malicious actors. This vulnerability affects GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2, allowing attackers to remotely take control of vulnerable systems and carry out various malicious activities. The severity of this flaw is underscored by its CVSS score of 9.8, highlighting the significant risk it poses to organizations utilizing GeoServer for geospatial data management.
GeoServer, an open-source software server written in Java, serves as a platform for sharing and managing geospatial data. The vulnerability was first identified on July 1, 2024, and attackers have since been exploiting it to infiltrate systems. By manipulating GeoServer’s request parameters, attackers can execute arbitrary code on vulnerable systems, paving the way for malware deployment, cryptojacking, and botnet attacks.
The attackers are leveraging this vulnerability to download malicious scripts from remote servers, enabling them to execute a series of malicious activities. The scripts retrieved often contain instructions for downloading additional malware variants, including GOREVERSE, SideWalk, JenX, Condi Botnet, and cryptocurrency miners like XMRig. The telemetry analysis of the script download URLs reveals a targeted pattern of infections primarily focused on regions in South America, Europe, and Asia, indicating a coordinated and sophisticated attack campaign.
The malware deployed through this vulnerability serves various purposes. For instance, SideWalk creates backdoors on compromised systems to steal sensitive data and maintain persistent access. Additionally, taskhost.exe may create services or scheduled tasks to ensure automatic execution on system startup. Botnets such as JenX and Condi are used for launching DDoS attacks, while cryptocurrency miners hijack system resources for mining activities.
Furthermore, attackers can achieve remote code execution (RCE) using tools like GOREVERSE to run commands on compromised systems, deepening their control over the affected hosts. The attack campaign, as reported by FortiGuard Labs, appears to be targeting a broad range of organizations across different regions, including IT service providers in India, government entities in Belgium, technology companies in the US, and telecommunications companies in Thailand and Brazil.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. Fortunately, the vulnerability has been addressed in GeoServer versions 2.23.6, 2.24.4, and 2.25.2. Organizations using GeoServer are advised to update to the latest version to mitigate these risks, implement threat detection tools, and enforce strong access controls to prevent unauthorized access to sensitive data and systems.
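To turn the version guidance above into a repeatable check, here is a small triage helper (an added example, not code from the FortiGuard report or the GeoServer project). It assumes that releases on branches older than 2.23 are affected and that branches newer than 2.25 already carry the fix; the inventory list is constructed sample data.

```python
# Added example: flag GeoServer installs whose version predates the fixed
# releases named in the advisory (2.23.6, 2.24.4, 2.25.2).
# Assumption: branches older than 2.23 (e.g. 2.22.x) are treated as affected,
# branches newer than 2.25 (e.g. 2.26.x) as fixed.
import re

# Branch (major, minor) -> first release on that branch that contains the fix
FIXED_RELEASES = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}


def parse_version(text):
    """Parse 'major.minor.patch' (an optional suffix such as '-RC' is ignored)."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", text.strip())
    if not match:
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when the version is older than the fix for its release branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < min(FIXED_RELEASES):      # older branch, never received the fix
        return True
    if branch > max(FIXED_RELEASES):      # newer branch, created after the fix
        return False
    return (major, minor, patch) < FIXED_RELEASES[branch]


def triage(inventory):
    """Return the (host, version) pairs that still need the GeoServer update."""
    return [(host, ver) for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("gis-prod-01", "2.25.1"),
    ("gis-prod-02", "2.25.2"),
    ("gis-legacy", "2.22.5"),
    ("gis-staging", "2.24.3"),
    ("gis-new", "2.26.0"),
]

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: GeoServer {ver} needs updating (CVE-2024-36401)")
```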
In conclusion, the active exploitation of the GeoServer vulnerability highlights the growing threats posed by cyber attackers targeting critical infrastructure and software platforms. It underscores the importance of timely software updates, robust cybersecurity measures, and continuous monitoring to safeguard against evolving cyber threats. Organizations must remain vigilant and proactive in addressing vulnerabilities to prevent potentially devastating attacks on their systems and data.
