- Attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
- The China Chopper web shell enabled remote access and lateral movement across compromised systems
- CISA calls for timely patching, tested incident response plans and continuous alert monitoring
In mid-July 2024, a threat actor succeeded in breaking into a US federal civilian executive branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.
In an in-depth report describing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers exploited CVE-2024-36401, a vulnerability rated 9.8/10 that grants RCE capabilities through specially crafted input sent to a default GeoServer installation.
GeoServer is an open source server platform that allows users to share, edit and publish geospatial data using open standards.
Experience
The vulnerability was disclosed on June 30 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog by July 15, but by then it was already too late, since the miscreants had established persistence on the compromised endpoints.
However, the damage could still have been limited by timely patching when a second GeoServer instance was breached on July 24.
Once inside, the attackers conducted extensive reconnaissance using tools such as Burp Suite, fscan and Linux Exploit Suggester 2 (linux-exploit-suggester-2.pl).
They moved laterally across the network, compromised a web server and a SQL server, and deployed web shells on each system.
Among them was China Chopper, a lightweight web shell used for remote access to and control of compromised servers. Once installed, it lets attackers execute commands, upload files and pivot within networks.
CISA does not attribute this attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those associated with Chinese state-sponsored operations such as APT41.
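The "continuous monitoring" lesson below starts with being able to find shells like China Chopper on your own servers. The following is an added example, not code from the CISA report or from Bleeping Computer: a small scanner that walks a web root and flags script files whose contents pass a request parameter straight into an eval/exec sink, the characteristic shape of China Chopper and similar one-line shells. The detection patterns, file names and sample contents are assumptions constructed for the demo.

```python
"""Scan a web root for China Chopper-style one-line web shells (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Server-side script types worth inspecting on a typical web server.
SCRIPT_EXTS = {".php", ".aspx", ".asp", ".jsp", ".jspx"}

# Detection rules: (label, regex over raw bytes). These are assumed signatures that
# describe the request-parameter-into-eval shape of China Chopper style shells; real
# deployments should combine them with a maintained YARA rule set.
RULES = [
    ("php-eval-request", re.compile(rb"@?eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.I)),
    ("aspx-eval-request", re.compile(rb"eval\s*\(\s*Request\.(Item)?\s*\[", re.I)),
    ("jsp-runtime-exec", re.compile(
        rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
]


def scan_file(path):
    """Return the labels of every rule that matches the file's contents."""
    try:
        data = Path(path).read_bytes()
    except OSError:  # unreadable file: report nothing rather than abort the whole walk
        return []
    return [label for label, rx in RULES if rx.search(data)]


def scan_webroot(root):
    """Walk root and return {posix_relative_path: [labels]} for suspicious scripts."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_EXTS:
                continue
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_demo_webroot():
    """Create a constructed sample web root: two benign scripts and one shell-shaped file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "index.php").write_text('<?php echo "hello"; ?>\n')  # benign
    (root / "admin.php").write_text("<?php $u = $_POST['user']; ?>\n")  # uses POST, no eval
    (root / "uploads").mkdir()
    # Constructed sample with the eval($_POST[...]) shape the rule looks for.
    (root / "uploads" / "img.php").write_text('<?php @eval($_POST["SAMPLE"]); ?>\n')
    return root
```

Run `scan_webroot("/var/www")` (or any web root) from a scheduled job and alert on any non-empty result; `build_demo_webroot()` exists only to exercise the scanner offline.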
The goal of CISA's report was to share lessons learned from the incident, and those lessons are clear: patch your systems on time, make sure you have an incident response plan (and test/practice it!), and continuously monitor alerts.
Via Bleeping Computer