The newly disclosed security flaw in OSGeo’s GeoServer GeoTools has been exploited by numerous campaigns to provide cryptocurrency miners, botnet malware such as Condi and JenX, and a notorious backdoor called SideWalk.
The security vulnerability is a critical remote code execution flaw (CVE-2024-36401, CVSS score: 9.8) that could allow attackers to take control of sensitive instances.
In mid-July, the US Cybersecurity and Infrastructure Security Agency (CISA) added it to the catalog of known exploitable vulnerabilities (KEV), based on evidence of active use. The Shadowserver Foundation stated that since July 9, 2024, it has detected attempts to use Honeypot sensors.
According to Fortinet’s FortiGuard Labs, the flaw was is observed deliver GOREVERSE, a reverse proxy server designed to establish a connection to the command and control (C2) server for post-operational activities.
These attacks are said to target IT service providers in India, technology companies in the US, government organizations in Belgium and telecommunications companies in Thailand and Brazil.
GeoServer also served as a conduit for Candi and a cloned variant of the Mirai botnet Jenksand at least four types of cryptocurrency miners, one of which is taken from a fake website pretending to be the Institute of Chartered Accountants of India (ICAI).
Perhaps the most notable of the attack chains exploiting the flaw is one that distributes an enhanced Linux backdoor called Sidewalkattributed to a Chinese threat actor tracked as APT41.
The starting point is a shell script responsible for loading ELF binaries for ARM, MIPS, and X86 architectures, which in turn retrieves the C2 server from the encrypted configuration, connects to it, and receives further commands to execute on the jailbroken device.
This involves running a legitimate tool known as Fast Reverse Proxy (FRP) to avoid detection by creating an encrypted tunnel from the host to a server controlled by the attacker, enabling persistent remote access, data theft and payload deployment.
“The main targets appear to be distributed across three main regions: South America, Europe and Asia,” said security researchers Kara Lin and Vincent Lee.
“This geographic spread suggests a sophisticated and far-reaching attack campaign that potentially exploits vulnerabilities common to these diverse markets or targets specific industries prevalent in these areas.”
The development is released as CISA this week added KEV has two flaws in its catalog found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5), which may be is exploited to download arbitrary files from the main operating system with root privileges.
