Red Hot Cyber
A US agency was hacked due to an unresolved patch. CISA: Conduct vulnerability assessments!

26 September 2025 07:47

Experts at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have reported a serious incident: hackers gained access to the network of a civilian federal agency by exploiting a critical vulnerability in the GeoServer server software. The issue affected an unpatched version of the platform, allowing attackers to execute code remotely and subsequently move deeper into the system.

The critical vulnerability, designated CVE-2024-36401, was officially fixed on June 18, 2024, but many servers remained unpatched. About a month later, CISA added it to its public catalog of actively exploited vulnerabilities. This followed the public release of proof-of-concept exploits by several researchers, which showed that the vulnerability allows arbitrary code execution on unprotected machines.

As detailed in the CISA publication, the Shadowserver service detected a wave of attacks related to this vulnerability as early as July 9, 2024. According to ZoomEye’s OSINT platform, there were over 16,000 GeoServer servers exposed to the internet at the time.

It was through one of these servers that the attackers penetrated the IT system of an unidentified US agency. Just two days after the attacks began, the first server was hacked, followed by a second a couple of weeks later.

The next step was to compromise the internal web server and SQL database. The CISA report states that the hackers loaded web shells, including China Chopper, and specialized scripts onto the computers for remote control, data theft, privilege escalation, and command execution.

After penetrating the infrastructure, the attackers moved into an active data collection phase, using, as CISA notes, brute-force password cracking (MITRE ATT&CK technique T1110) and hijacking service accounts through vulnerable components. For this entire period, approximately three weeks, the malicious activity remained undetected.
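The undetected brute-force phase is the kind of activity that authentication-log monitoring is meant to surface. The following is an added example, not code from CISA or the affected agency: it runs a simple T1110 detector over constructed log lines in an assumed "timestamp account outcome source" format, flagging a source that fails repeatedly against one account within a short window and noting whether a success followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the CISA report). Each line:
# ISO timestamp, account, outcome (FAIL/SUCCESS), source IP. Format is assumed.
SAMPLE_LOG = """\
2024-07-12T02:14:01 svc_geo FAIL 10.0.5.23
2024-07-12T02:14:03 svc_geo FAIL 10.0.5.23
2024-07-12T02:14:04 svc_geo FAIL 10.0.5.23
2024-07-12T02:14:06 svc_geo FAIL 10.0.5.23
2024-07-12T02:14:07 svc_geo FAIL 10.0.5.23
2024-07-12T02:14:09 svc_geo SUCCESS 10.0.5.23
2024-07-12T09:00:00 jdoe FAIL 10.0.8.4
2024-07-12T09:10:00 jdoe SUCCESS 10.0.8.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")

def parse(log_text):
    """Yield (timestamp, account, outcome, source) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, outcome, source = m.groups()
            yield datetime.fromisoformat(ts), account, outcome, source

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by (source, account) for bursts of >= threshold failed
    logins inside `window`; mark whether a success followed the burst."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    failures = defaultdict(list)  # (source, account) -> recent failure timestamps
    alerts = {}
    for ts, account, outcome, source in events:
        key = (source, account)
        recent = [t for t in failures[key] if ts - t <= window]  # drop stale failures
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    key, {"first_seen": recent[0], "failures": 0, "success_after": False})
                alert["failures"] = len(recent)
        elif key in alerts:
            alert = alerts[key]
            alert["success_after"] = True  # burst ended in a valid login: likely cracked
        failures[key] = recent
    return alerts

if __name__ == "__main__":
    for (src, acct), info in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {acct}: {info}")
```

A single failed login followed by a success (the jdoe lines) stays below the threshold and produces no alert, while the svc_geo burst is flagged with success_after set.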

The alert didn’t come until July 31, 2024, when the agency’s endpoint detection and response (EDR) tool identified a suspicious file on the SQL Server and raised an alert to the Security Operations Center (SOC). From that point on, the agency, with the assistance of CISA, launched an internal investigation and quarantined the affected systems.

A few days after the initial incident, CISA issued a separate advisory to U.S. critical infrastructure organizations, emphasizing the importance of proactive vulnerability scanning.

While that assessment found no signs of a breach, it highlighted a wide range of risks: insecure password storage, duplicate credentials for local administrators, open remote access, improperly configured network segmentation, and inadequate event logging.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.