
GeoServer Flaw Exploited in US Federal Company Hack

The US cybersecurity agency CISA has shared details on the exploitation of a year-old GeoServer vulnerability to compromise a federal civilian executive branch (FCEB) agency.

The exploited bug, tracked as CVE-2024-36401 (CVSS score of 9.8) and leading to remote code execution (RCE), was disclosed on June 30, 2024, two weeks before CISA added it to the KEV catalog.

On July 11, 2024, four days before CISA’s alert, a threat actor exploited the bug to gain access to a GeoServer instance belonging to the victim agency, then moved laterally to a web server and to an SQL server.

“On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LOTL) techniques,” CISA explains in a new report.

On July 24, ten days after the bug was added to the KEV list, the threat actor exploited the same vulnerability in another GeoServer instance belonging to the same agency.


The attackers dropped web shells and created cron jobs and user accounts to maintain persistence, and then attempted to escalate privileges, including by exploiting the Dirty COW vulnerability in the Linux kernel.

“After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it’s unknown how they escalated privileges),” CISA explains.

The threat actor also used brute force attacks to obtain passwords allowing it to move laterally and elevate privileges, performed reconnaissance using publicly available tools, downloaded payloads using PowerShell, and deployed the Stowaway multi-level proxy tool for command-and-control (C&C).

“The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool,” CISA notes.

According to the cybersecurity agency, the victim was within the KEV-required patching window for the GeoServer bug, but lacked procedures for bringing in third parties for assistance, failed to detect the activity on July 15, 2024, when it missed an EDR alert on Stowaway, and did not have endpoint protection implemented on the web server.


While CISA has not attributed the attack to a specific threat actor, the China Chopper web shell is often used in attacks by China-linked threat actors such as APT41 (Brass Typhoon), Gallium (Granite Typhoon), and Hafnium (Silk Typhoon).

Believed to have orchestrated last year’s US Treasury hack, Silk Typhoon is known for targeting critical infrastructure organizations worldwide, and for hacking multiple industries in North America.

“China Chopper has been around for over a decade, and it’s the same web shell used in the 2021 Exchange attacks. The real issue is that attackers chained a well-known exploit, moved laterally, and stayed inside the network for nearly three weeks before anyone noticed, even with EDR deployed. That’s the modern danger we’re dealing with. It’s not exotic zero-days, but gaps that go unpatched and undetected until it’s too late,” Tuskira CEO and co-founder Piyush Sharma said.
