GeoServer Vulnerability Focused by Hackers to Ship Backdoors and Botnet Malware

Sep 06, 2024Ravie LakshmananCryptocurrency / APT Assault

A just lately disclosed safety flaw in OSGeo GeoServer GeoTools has been exploited as a part of a number of campaigns to ship cryptocurrency miners, botnet malware reminiscent of Condi and JenX, and a identified backdoor referred to as SideWalk.

The safety vulnerability is a crucial distant code execution bug (CVE-2024-36401, CVSS rating: 9.8) that would enable malicious actors to take over vulnerable situations.

In mid-July, the U.S. Cybersecurity and Infrastructure Safety Company (CISA) added it to its Recognized Exploited Vulnerabilities (KEV) catalog, primarily based on proof of lively exploitation. The Shadowserver Basis stated it detected exploitation makes an attempt in opposition to its honeypot sensors beginning July 9, 2024.

In keeping with Fortinet FortiGuard Labs, the flaw has been observed to ship GOREVERSE, a reverse proxy server designed to ascertain a reference to a command-and-control (C2) server for post-exploitation exercise.

These assaults are stated to focus on IT service suppliers in India, know-how corporations within the U.S., authorities entities in Belgium, and telecommunications corporations in Thailand and Brazil.

The GeoServer server has additionally served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at the very least 4 forms of cryptocurrency miners, one in every of which is retrieved from a pretend web site that impersonates the Institute of Chartered Accountants of India (ICAI).

Maybe essentially the most notable of the assault chains leveraging the flaw is the one which propagates a complicated Linux backdoor referred to as SideWalk, which is attributed to a Chinese language menace actor tracked as APT41.

The place to begin is a shell script that is liable for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in flip, extracts the C2 server from an encrypted configuration, connects to it, and receives additional instructions for execution on the compromised system.

This consists of operating a reliable device referred to as Quick Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, permitting for persistent distant entry, information exfiltration, and payload deployment.

“The first targets seem like distributed throughout three predominant areas: South America, Europe, and Asia,” safety researchers Cara Lin and Vincent Li stated.

“This geographical unfold suggests a complicated and far-reaching assault marketing campaign, probably exploiting vulnerabilities frequent to those various markets or concentrating on particular industries prevalent in these areas.”

The event comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that may very well be exploited to obtain arbitrary recordsdata from the underlying working system with root privileges.