CISA has revealed that attackers breached the network of an unnamed U.S. federal civilian executive branch (FCEB) agency last year after compromising an unpatched GeoServer instance.

The security bug (tracked as CVE-2024-36401) is a critical remote code execution (RCE) vulnerability patched on June 18, 2024. CISA added the flaw to its catalog of actively exploited vulnerabilities roughly one month later, after multiple security researchers shared proof-of-concept exploits online [1, 2, 3], demonstrating how to gain code execution on exposed servers.

While the cybersecurity agency did not provide any details on how the flaw was being exploited in the wild, threat monitoring service Shadowserver observed CVE-2024-36401 attacks starting on July 9, 2024, while OSINT search engine ZoomEye was tracking over 16,000 GeoServer servers that were exposed online.

Two days after the first attacks were detected, threat actors gained access to a U.S. federal agency's GeoServer server and compromised another one roughly two weeks later. In the next stage of the attack, they moved laterally through the agency's network, breaching a web server and an SQL server.

"On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation," CISA said in a Tuesday advisory.

"Once inside the organization's network, the cyber threat actors primarily relied on brute force techniques [T1110] to obtain passwords for lateral movement and privilege escalation. They also accessed service accounts by exploiting their associated services."

The threat actors remained undetected for three weeks until the federal agency's Endpoint Detection and Response (EDR) tool alerted its Security Operations Center (SOC) to the breach, flagging a file as suspected malware on the SQL server on July 31, 2024.
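The advisory notes that the intruders relied mainly on brute-force password guessing (T1110) for lateral movement and went unnoticed for three weeks. The following is an added example, not code from CISA or the advisory, of the kind of authentication-log analytic a SOC can run to surface that behaviour: it flags a source address that accumulates many failed logons across several accounts inside a sliding time window, and then reports which accounts later logged on successfully from that same source. The log format, host names, account names and IP addresses are all constructed for the example and are not the agency's real data.

```python
"""Detect password brute forcing (ATT&CK T1110) in authentication logs.

Added example: the sample log lines below are constructed for illustration
and do not come from the CISA advisory or the affected agency.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: one source spraying failures across several
# accounts on two servers and then succeeding, plus a benign user typo.
SAMPLE_LOG = """\
2024-07-12T02:14:01Z host=web01 event=logon_failed user=administrator src=10.20.5.17
2024-07-12T02:14:03Z host=web01 event=logon_failed user=svc_backup src=10.20.5.17
2024-07-12T02:14:05Z host=web01 event=logon_failed user=svc_sql src=10.20.5.17
2024-07-12T02:14:07Z host=web01 event=logon_failed user=jdoe src=10.20.5.17
2024-07-12T02:14:20Z host=sql01 event=logon_failed user=administrator src=10.20.5.17
2024-07-12T02:14:22Z host=sql01 event=logon_failed user=svc_backup src=10.20.5.17
2024-07-12T02:14:24Z host=sql01 event=logon_failed user=svc_sql src=10.20.5.17
2024-07-12T02:14:26Z host=sql01 event=logon_failed user=jdoe src=10.20.5.17
2024-07-12T02:15:40Z host=sql01 event=logon_failed user=svc_sql src=10.20.5.17
2024-07-12T02:15:42Z host=sql01 event=logon_failed user=svc_backup src=10.20.5.17
2024-07-12T02:15:50Z host=sql01 event=logon_success user=svc_backup src=10.20.5.17
2024-07-12T02:30:00Z host=web01 event=logon_failed user=alice src=10.20.9.3
2024-07-12T02:30:09Z host=web01 event=logon_success user=alice src=10.20.9.3
"""

# Hypothetical key=value format chosen for the example; adapt the regex to
# your own EDR, sshd or Windows Security (4625/4624) export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Parse the log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_bruteforce(events, window_seconds=300, min_failures=8, min_users=3):
    """Return {src: finding} for sources with >= min_failures failed logons
    against >= min_users distinct accounts inside any window_seconds span.
    Each finding also lists accounts that logged on successfully from that
    source after the spray began (the likely compromised accounts)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e["event"] == "logon_failed":
            failures[e["src"]].append(e)
        elif e["event"] == "logon_success":
            successes[e["src"]].append(e)

    findings = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) < min_failures or len(users) < min_users:
                continue
            # Keep the densest window seen for this source.
            if src not in findings or len(span) > findings[src]["failures"]:
                findings[src] = {
                    "failures": len(span),
                    "users": sorted(users),
                    "hosts": sorted({e["host"] for e in span}),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }

    for src, f in findings.items():
        f["successful_logons"] = sorted(
            {e["user"] for e in successes[src] if e["ts"] >= f["first"]}
        )
    return findings


def analyze(log_text):
    """Convenience wrapper: parse then detect with the default thresholds."""
    return detect_bruteforce(parse_events(log_text))


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {f['failures']} failures against {len(f['users'])} accounts "
              f"on {','.join(f['hosts'])}; successful logons afterwards: "
              f"{f['successful_logons'] or 'none'}")
```

Running the block prints one line for 10.20.5.17 (ten failures against four accounts on sql01 and web01, then a successful logon as svc_backup) and nothing for 10.20.9.3, whose two failures followed by a success look like an ordinary mistyped password. The "distinct accounts" threshold is what separates password spraying across service accounts from a single user's typos; tune `window_seconds`, `min_failures` and `min_users` against your own baseline, and treat any account in `successful_logons` as a priority for credential reset and session review.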
After the attackers' malicious activity triggered additional EDR alerts, the SOC team isolated the server and launched an investigation with CISA's assistance.

CISA is now urging network defenders to expedite patching of critical vulnerabilities (especially those added to its Known Exploited Vulnerabilities catalog), ensure security operations centers continuously monitor EDR alerts for suspicious network activity, and strengthen their incident response plans.

In July, the U.S. cybersecurity agency issued another advisory following a proactive hunt engagement at a U.S. critical infrastructure organization. While it didn't find evidence of malicious activity on the organization's network, it discovered many cybersecurity risks, including but not limited to insecurely stored credentials, shared local admin credentials across multiple workstations, unrestricted remote access for local administrator accounts, insufficient logging, and network segmentation configuration issues.