A critical security flaw in the GeoTools library used by OSGeo GeoServer has been exploited in several cyber campaigns to distribute cryptocurrency miners, botnet malware such as Condi and JenX, and a backdoor named SideWalk.
The vulnerability, tracked as CVE-2024-36401 (CVSS score: 9.8), is a critical remote code execution bug that could allow attackers to take control of vulnerable systems.
In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that the flaw was actively exploited, prompting its inclusion in the Known Exploited Vulnerabilities (KEV) catalog. The Shadowserver Foundation detected exploitation attempts against its honeypot sensors beginning on July 9, 2024.
According to Fortinet FortiGuard Labs, the flaw has been utilized to deploy GOREVERSE, a reverse proxy server designed to connect to a command-and-control (C2) server for post-exploitation activities.
These attacks have targeted IT service providers in India, technology firms in the U.S., government organizations in Belgium, and telecom companies in Thailand and Brazil.
Compromised GeoServer instances have also been used to distribute malware such as Condi, a Mirai botnet variant known as JenX, and multiple cryptocurrency miners. One of these miners is retrieved from a fraudulent website impersonating the Institute of Chartered Accountants of India (ICAI).
One of the notable attack chains leveraging this flaw delivers a sophisticated Linux backdoor named SideWalk, attributed to the Chinese threat actor APT41.
This attack chain involves downloading and executing ELF binaries whose settings are read from encrypted configurations, creating encrypted tunnels for remote access, exfiltrating data, and deploying further payloads.
Security researchers Cara Lin and Vincent Li noted that the attacks are centered on South America, Europe, and Asia, indicating a broad and strategic campaign targeting vulnerable industries in these regions.
In a related development, CISA has added two vulnerabilities in DrayTek VigorConnect, disclosed in 2021, to its KEV catalog, underscoring the ongoing threat posed by such exploitable flaws.