- Attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
- China Chopper web shell enabled remote access and lateral movement across compromised systems
- CISA urges timely patching, tested response plans, and continuous alert monitoring
In mid-July 2024, a threat actor managed to break into a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.
In an in-depth report detailing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers leveraged CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through specially crafted input against a default GeoServer installation.
GeoServer is an open source server platform that enables users to share, edit, and publish geospatial data using open standards.
Lessons learned
The vulnerability was disclosed on June 30, and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog by July 15, but by that time, it was already too late since the miscreants established persistence on compromised endpoints.
The damage could have been reduced with timely patching, though, as a second GeoServer instance was breached on July 24.
Once inside, the attackers conducted extensive reconnaissance using tools like Burp Suite, fscan, and linux-exploit-suggester2.pl.
They moved laterally across the network, compromising a web server and an SQL server, and deploying web shells on each system.
Among them was China Chopper, a lightweight web shell used for remote access and control over compromised servers. Once installed, it allows attackers to execute commands, upload files, and pivot within networks.
CISA did not attribute this attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those linked to Chinese state-sponsored operations such as APT41.
The goal of CISA’s report was to share lessons learned from the incident, and apparently those lessons are: patch your systems on time, make sure to have an incident response plan (and test/exercise it!), and continuously review alerts.
Via BleepingComputer
