Critical GeoServer Flaw Enabling Global Hack Campaigns
Targets Include Technology, Government and Telecommunications Sectors

Cybercriminals are using a critical remote code execution vulnerability in an open-source geospatial data platform to spread malware globally across several industries.
Fortinet researchers uncovered a critical vulnerability in GeoServer, tracked as CVE-2024-36401, that allows attackers to execute arbitrary code by sending specially crafted requests. Targets have included the technology, government and telecommunications sectors, Fortinet said.
The GeoServer project's maintainers released a patch on July 1. GeoServer is widely used to share and edit geospatial data, and it implements standards set by the Open Geospatial Consortium for accessing and manipulating geospatial data over the web.
The flaw, which has a CVSS score of 9.8 out of 10, stems from the unsafe evaluation of certain property names as XPath expressions, making it possible for unauthenticated attackers to exploit a default installation of GeoServer.
Fortinet said that cybercriminals swiftly capitalized on this weakness, launching multiple campaigns involving botnet families and cryptominers. The attackers used the flaw to deliver malicious tools such as Goreverse, which functions as a reverse proxy server.
Once deployed, Goreverse establishes a connection with a command-and-control server, enabling attackers to control the compromised system and execute further malicious actions.
Among the attackers exploiting the flaw are those behind the SideWalk malware, a Linux backdoor linked to the Chinese state-sponsored group APT41. SideWalk targets various system architectures and uses advanced encryption techniques to establish C2 communication, exfiltrate data and maintain persistence in compromised systems.
The malware also uses Fast Reverse Proxy to create encrypted tunnels, allowing attackers to conceal their activities by blending malicious traffic with legitimate network traffic.
Researchers observed active exploitation of this vulnerability worldwide, including IT service providers in India, government agencies in Belgium, technology companies in the U.S., and telecommunications firms in Brazil and Thailand.
The U.S. Cybersecurity and Infrastructure Security Agency on July 15 added the GeoServer vulnerability to its Known Exploited Vulnerabilities catalog.