Have you ever thought about how hackers infiltrate government systems? CISA just reported that attackers exploited a vulnerability in GeoServer to infiltrate a U.S. federal agency. This was not a random occurrence; it reiterates the dangers of running outdated software.
The Vulnerability
The vulnerability was designated CVE-2024-36401, and was a severe remote code execution (RCE) vulnerability. This means that if the vulnerability is not patched, hackers can run commands on the server from any location. CISA had issued an update on 6/18/2024. However, many servers still had not been patched and remained exposed to this exploit.
Researchers even thought it useful to post proof-of-concept exploits to demonstrate how trivial it was to take control of publicly exposed GeoServer instances. On 07/09, monitoring organizations such as Shadowserver started observing attacks against GeoServer deployments. For example, one scan found over 16,000 GeoServer servers on the Internet.
Overview of the Incident
Following the onset of the attacks, within two days the hackers gained access to a GeoServer of a federal agency. Within approximately two weeks, they compromised another server, after which they navigated through the network, pivoting to a web server and an SQL server and thus compromising two more servers during the attack.
The hackers deployed web shells such as China Chopper, which gave them the ability to run code and gain administrative access to the servers. They also leveraged brute-force attacks, successfully guessing passwords and taking control of user accounts. Incredibly, the hackers operated undetected for approximately three weeks, until the agency's security system recognized the presence of irregular files.
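As an added illustration of the detection side of this incident (not code from CISA, GeoServer or the agency), the following Python checks constructed access log lines for the two behaviours described above: a burst of failed logins from one address, and POSTs to a JSP page in a location where no JSP should exist. The log format, the login path, the use of HTTP 401 for failed logins, the allow-list and the threshold are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Tomcat-style access log line (the format is an assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed sample lines: a password-guessing burst from one address, a benign
# request, then POSTs to a JSP that is not part of the GeoServer web application.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2024:10:00:01 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 401 0
203.0.113.7 - - [09/Jul/2024:10:00:02 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 401 0
203.0.113.7 - - [09/Jul/2024:10:00:03 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 401 0
203.0.113.7 - - [09/Jul/2024:10:00:04 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 401 0
203.0.113.7 - - [09/Jul/2024:10:00:05 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 401 0
203.0.113.7 - - [09/Jul/2024:10:00:06 +0000] "POST /geoserver/j_spring_security_check HTTP/1.1" 302 0
198.51.100.2 - - [09/Jul/2024:10:05:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 5120
203.0.113.7 - - [09/Jul/2024:10:07:30 +0000] "POST /geoserver/images/x.jsp HTTP/1.1" 200 48
203.0.113.7 - - [09/Jul/2024:10:07:31 +0000] "POST /geoserver/images/x.jsp HTTP/1.1" 200 913
"""

FAILED_LOGIN_THRESHOLD = 5                 # failures from one address before alerting (assumed)
KNOWN_JSP_PREFIXES = ("/geoserver/web/",)  # where JSPs are expected (assumed allow-list)

def parse(log_text):
    """Yield parsed entries as dicts; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def detect_brute_force(entries, threshold=FAILED_LOGIN_THRESHOLD):
    """Return {ip: failure_count} for addresses with at least `threshold` HTTP 401 responses."""
    failures = Counter(e["ip"] for e in entries if e["status"] == 401)
    return {ip: n for ip, n in failures.items() if n >= threshold}

def detect_webshell_posts(entries):
    """Return {path: [ips]} for successful POSTs to JSP pages outside the expected locations."""
    hits = defaultdict(list)
    for e in entries:
        path = e["path"].split("?", 1)[0].lower()
        if (e["method"] == "POST" and e["status"] == 200
                and path.endswith((".jsp", ".jspx")) and not path.startswith(KNOWN_JSP_PREFIXES)):
            hits[path].append(e["ip"])
    return dict(hits)

def analyze(log_text=SAMPLE_LOG):
    """Run both detectors over a log text and return their findings."""
    entries = list(parse(log_text))
    return {"brute_force": detect_brute_force(entries), "webshell_posts": detect_webshell_posts(entries)}

if __name__ == "__main__":
    for name, finding in analyze().items():
        print(name, finding)
```

Real deployments would feed this from the server's own access logs and tune the allow-list to the paths the installed web application actually serves.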
CISA’s Recommendations
Once the breach was identified, the agency disconnected the servers and coordinated its incident response actions with CISA. Now, CISA advises organizations to:
- Apply the latest versions of critical software at once
- Be vigilant about any security alerts
- Ensure an effective incident response capability