SecurityWeek

Vulnerabilities

GeoServer Flaw Exploited in US Federal Agency Hack

The hackers remained undetected for three weeks, deploying China Chopper, remote access scripts, and reconnaissance tools.

The US cybersecurity agency CISA has shared details on the exploitation of a year-old GeoServer vulnerability to compromise a federal civilian executive branch (FCEB) agency.

The exploited bug, tracked as CVE-2024-36401 (CVSS score of 9.8) and leading to remote code execution (RCE), was disclosed on June 30, 2024, two weeks before CISA added it to the KEV catalog.

On July 11, 2024, four days before CISA’s alert, a threat actor exploited the bug to gain access to a GeoServer instance belonging to the victim agency, then moved laterally to a web server and to an SQL server.

“On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LOTL) techniques,” CISA explains in a fresh report.

On July 24, ten days after the bug was added to the KEV list, the threat actor exploited the same vulnerability in another GeoServer instance belonging to the same agency.

The attackers dropped web shells and created cron jobs and user accounts to maintain persistence, and then attempted to escalate privileges, including by exploiting the Dirty COW vulnerability in the Linux kernel.

“After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it is unknown how they escalated privileges),” CISA explains.

The threat actor also used brute force attacks to obtain passwords allowing it to move laterally and elevate privileges, performed reconnaissance using readily available tools, downloaded payloads using PowerShell, and deployed the Stowaway multi-level proxy tool for command-and-control (C&C).

“The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool,” CISA notes.
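The persistence artifacts CISA describes above (web shells dropped into a web root, new cron jobs, new user accounts) are all visible as differences against a known-good host snapshot. The following is an added example, not CISA's or SecurityWeek's code, of a baseline-diff check a defender could run on a Linux web host; the snapshots, paths and usernames are constructed for illustration, and the assumption is that a per-host baseline (passwd, crontab, web-root file list) is kept from deployment time.

```python
"""Baseline-diff detector for persistence artifacts on a Linux web host.

Added example, not CISA's or SecurityWeek's code. All paths, usernames
and the snapshot contents below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed "known-good" snapshot taken at deployment time (assumption:
# the defender keeps such a baseline per host, e.g. via config management).
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
geoserver:x:1001:1001::/opt/geoserver:/usr/sbin/nologin
"""
BASELINE_CRON = """\
# m h dom mon dow user command
0 2 * * * root /usr/local/bin/backup.sh
"""
BASELINE_WEBROOT = {"index.html", "geoserver/web.xml"}

# Constructed "current" snapshot showing the kinds of changes the report
# describes: a new account, a new cron entry, and a script in the web root.
CURRENT_PASSWD = BASELINE_PASSWD + "support:x:0:1002::/home/support:/bin/bash\n"
CURRENT_CRON = BASELINE_CRON + "*/5 * * * * www-data /tmp/.cache/update.sh\n"
CURRENT_WEBROOT = BASELINE_WEBROOT | {"geoserver/css/style.jsp"}

# Server-side script extensions that do not belong in static asset paths.
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".php", ".aspx", ".asp", ".cgi")
# World-writable locations a scheduled job should not normally run from.
SUSPICIOUS_CRON_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Finding:
    category: str   # "account", "cron" or "webroot"
    detail: str
    severity: str   # "high" or "medium"


def parse_passwd(text):
    """Return {username: (uid, shell)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def diff_accounts(baseline, current):
    """Flag accounts absent from the baseline; uid 0 or a login shell is high."""
    base = parse_passwd(baseline)
    findings = []
    for name, (uid, shell) in parse_passwd(current).items():
        if name in base:
            continue
        sev = "high" if uid == 0 or not shell.endswith("nologin") else "medium"
        findings.append(Finding("account", f"new user {name!r} uid={uid} shell={shell}", sev))
    return findings


def diff_cron(baseline, current):
    """Flag system crontab entries absent from the baseline."""
    base = {l.strip() for l in baseline.splitlines() if l.strip() and not l.startswith("#")}
    findings = []
    for line in current.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line in base:
            continue
        # System crontab format: five time fields, a user, then the command.
        command = line.split(None, 6)[-1]
        sev = "high" if command.startswith(SUSPICIOUS_CRON_DIRS) else "medium"
        findings.append(Finding("cron", f"new entry: {line}", sev))
    return findings


def diff_webroot(baseline, current):
    """Flag files under the web root that were not there at baseline time."""
    findings = []
    for path in sorted(current - baseline):
        sev = "high" if path.lower().endswith(SCRIPT_EXTENSIONS) else "medium"
        findings.append(Finding("webroot", f"new file: {path}", sev))
    return findings


def run_checks():
    """Run all three diffs against the constructed snapshots."""
    return (diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
            + diff_cron(BASELINE_CRON, CURRENT_CRON)
            + diff_webroot(BASELINE_WEBROOT, CURRENT_WEBROOT))


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.severity.upper()}] {f.category}: {f.detail}")
```

In practice the "current" inputs would be read from `/etc/passwd`, `/etc/crontab` plus `/etc/cron.d`, and a walk of the web root, and the findings forwarded to the SOC; the point of diffing against a baseline rather than pattern-matching file contents is that it catches a dropped web shell regardless of which shell family it is.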

According to the cybersecurity agency, the victim was still within the KEV-required patching window for the GeoServer bug, but it lacked procedures for bringing in third parties for assistance, missed an EDR alert on Stowaway on July 15, 2024, and so failed to detect the activity at that point, and had no endpoint protection implemented on the web server.

While CISA has not attributed the attack to a specific threat actor, the China Chopper web shell is typically used in attacks by China-linked threat actors such as APT41 (Brass Typhoon), Gallium (Granite Typhoon), and Hafnium (Silk Typhoon).

Believed to have orchestrated last year’s US Treasury hack, Silk Typhoon is known for targeting critical infrastructure organizations worldwide, and for hacking multiple industries in North America.

“China Chopper has been around for over a decade, and it’s the same web shell used in the 2021 Exchange attacks. The real issue is that attackers chained a well-known exploit, moved laterally, and remained inside the network for nearly three weeks before anyone noticed, even with EDR deployed. That’s the modern danger we’re dealing with. It’s not exotic zero-days, but gaps that go unpatched and undetected until it’s too late,” Tuskira CEO and co-founder Piyush Sharma said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
