- The attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
- A China Chopper web shell gave them remote access and enabled lateral movement across compromised systems
- CISA urges timely patching, tested incident response plans and continuous monitoring of alerts
In mid-July 2024, a threat actor gained access to a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.
In a detailed report on the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) described how the attackers exploited CVE-2024-36401, a 9.8/10-severity vulnerability that grants RCE through specially crafted input sent to a default GeoServer installation.
GeoServer is an open-source server platform that lets users share, edit and publish geospatial data using open standards.
Lessons learned
The vulnerability was disclosed on June 30 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog by July 15, but by then it was already too late: the intruders had established persistence on the compromised endpoints.
Timely patching could still have limited the damage, however, because a second GeoServer instance was breached on July 24.
Once inside, the attackers carried out extensive reconnaissance using tools such as Burp Suite, fscan and linux-exploit-suggester-2.pl.
They moved laterally across the network, compromising a web server and an SQL server and deploying web shells on each system.
Among them was China Chopper, a lightweight web shell used for remote access to and control of compromised servers. Once installed, it lets attackers run commands, transfer files and pivot within the network.
CISA has not attributed the attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, in particular those linked to Chinese state-sponsored operations such as APT41.
The purpose of the CISA report was to share the lessons learned from the incident, and those lessons appear to be: patch your systems in time, make sure you have an incident response plan (and test it!), and monitor alerts continuously.
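The timeline above (disclosed June 30, KEV-listed July 15, second instance breached July 24) and the "patch in time" lesson both come down to one measurable quantity: how long each affected host stayed exposed after the vulnerability was publicly known, and whether it was fixed before the KEV due date. The script below is an added example, not code from CISA or the GeoServer project. It reconciles a catalog in the shape of the public CISA KEV JSON feed (the `cveID`, `dateAdded` and `dueDate` field names are the real ones) against a host inventory. The catalog entries, the `dueDate` values, the second CVE id, the host names and the patch dates are all constructed for this example; only CVE-2024-36401 and its July 15, 2024 KEV-add date come from the article.

```python
"""KEV-driven patch-deadline check (added example; catalog and inventory are constructed)."""
import json
from datetime import date

# Constructed catalog in the shape of the CISA KEV feed. The dueDate values and the
# second entry are invented; CVE-0000-0000 is a placeholder, not a real id.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
   "dateAdded": "2024-07-15", "dueDate": "2024-08-05"},
  {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCo", "product": "ExampleApp",
   "dateAdded": "2024-06-01", "dueDate": "2024-06-22"}
]}
"""

# Constructed host inventory: which KEV entry affects the host and when it was
# patched (ISO date string, or None if still unpatched).
INVENTORY = [
    {"host": "geoserver-01", "cve": "CVE-2024-36401", "patched_on": None},
    {"host": "geoserver-02", "cve": "CVE-2024-36401", "patched_on": "2024-07-12"},
    {"host": "app-01", "cve": "CVE-0000-0000", "patched_on": "2024-07-01"},
]


def parse_kev(kev_json: str) -> dict:
    """Index the catalog by CVE id, turning ISO date strings into date objects."""
    catalog = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "product": entry["product"],
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
        }
    return catalog


def exposure_report(kev_json: str, inventory: list, today_iso: str) -> list:
    """For every host affected by a KEV entry, compute how many days it was exposed
    after the KEV listing and whether it was (or still is) past the due date.
    Hosts are returned longest-exposed first so the worst cases sort to the top."""
    catalog = parse_kev(kev_json)
    today = date.fromisoformat(today_iso)
    findings = []
    for host in inventory:
        entry = catalog.get(host["cve"])
        if entry is None:
            continue  # not a KEV-listed CVE; outside the scope of this check
        patched = host["patched_on"]
        closed = date.fromisoformat(patched) if patched else today
        # Exposure counts from the KEV listing; a host patched earlier has zero.
        days_exposed = max(0, (closed - entry["added"]).days)
        days_overdue = max(0, (closed - entry["due"]).days)
        if patched is None:
            status = "unpatched"
        elif date.fromisoformat(patched) > entry["due"]:
            status = "late"
        else:
            status = "on-time"
        findings.append({
            "host": host["host"],
            "cve": host["cve"],
            "product": entry["product"],
            "status": status,
            "days_exposed": days_exposed,
            "days_overdue": days_overdue,
        })
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


if __name__ == "__main__":
    # Constructed "as of" date for the report.
    for f in exposure_report(KEV_JSON, INVENTORY, "2024-07-24"):
        print(f"{f['host']:<14} {f['cve']:<16} {f['status']:<9} "
              f"exposed={f['days_exposed']:>3}d overdue={f['days_overdue']:>3}d")
```

Run on a schedule against the live KEV feed and a real asset inventory, the same report turns the "patch in time" lesson into a tracked metric: anything that reaches the top of the list while still `unpatched` is the host to deal with first, and a growing `days_overdue` on a listed CVE is itself an alert worth monitoring continuously.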
Via BleepingComputer