
Researchers at FortiGuard Labs have uncovered multiple campaigns targeting a critical vulnerability in GeoServer that allows unauthenticated attackers to execute arbitrary code on affected systems, with consequences such as malware deployment, data theft, or unauthorized system control.
The vulnerability, tracked as CVE-2024-36401 with a CVSS score of 9.8, stems from unsafe handling of user input within the UMTX_OP_SHM operation, which provides anonymous shared memory for process-shared mutexes. When exploited, attackers can supply specially crafted input to trigger remote code execution, allowing them to run malicious scripts or commands on the server.
The most common payload identified during the exploitation is the GOREVERSE malware, a reverse proxy tool designed to give attackers access to compromised systems. Once executed, GOREVERSE establishes a connection to a command-and-control (C2) server, allowing threat actors to exfiltrate sensitive data, deploy additional malware, or maintain persistence within the network.
In other campaigns, threat actors have also deployed the SideWalk malware, a sophisticated backdoor often associated with APT41, a notorious state-sponsored hacking group. SideWalk is highly stealthy and can operate on multiple architectures, including ARM, MIPS, and x86, making it a versatile tool for targeting diverse systems. Researchers have also observed a Mirai variant (JenX), Condi, and coin miners exploiting the vulnerability.
Exploitation of this vulnerability has primarily targeted IT service providers in India, technology firms in the U.S., government agencies in Belgium, and telecommunications companies in Thailand and Brazil. This global spread indicates that the vulnerability is being exploited in sophisticated, coordinated attacks aimed at critical infrastructure and key industries.
Modus Operandi
Threat actors initiate the exploitation by sending malicious payloads to vulnerable GeoServer installations. The payload typically downloads a script that checks the victim’s operating system and architecture before downloading and executing the appropriate malware. The attack chain continues with further stages designed to escalate privileges, establish persistence, and evade detection.
Updates
GeoServer project maintainers have addressed the vulnerability in versions 2.23.6, 2.24.4, and 2.25.2 by replacing the vulnerable XPath evaluation function with a safer alternative. Organizations running older versions of GeoServer are strongly urged to upgrade to these patched versions immediately.
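For asset owners checking an inventory against the fixed releases named above, here is an added example (not part of the FortiGuard write-up or the GeoServer project) that decides whether a reported GeoServer version carries the CVE-2024-36401 fix. It assumes that minor branches newer than 2.25 were cut after the fix, that branches older than 2.23 received no fixed release, and that pre-release builds (SNAPSHOT, RC) of a fix version do not count as patched.

```python
"""Decide whether a GeoServer version is patched against CVE-2024-36401.

Added example, not code from the advisory or the GeoServer project.
Fixed releases per the advisory: 2.23.6, 2.24.4, 2.25.2.
Assumptions: branches 2.26+ include the fix; branches before 2.23 never
received one; a SNAPSHOT/RC build of the fix version is treated as unpatched.
"""
import re

# (major, minor) branch -> first patch level containing the fix
FIXED_VERSIONS = {(2, 23): 6, (2, 24): 4, (2, 25): 2}

# MAJOR.MINOR[.PATCH][-QUALIFIER], e.g. "2.25.2", "2.25", "2.25.2-SNAPSHOT"
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?\s*$")


def parse_version(text):
    """Return (major, minor, patch, qualifier) or None if not a version string."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, qual = m.groups()
    return int(major), int(minor), int(patch or 0), (qual or "").upper()


def is_patched(version):
    """True when the version includes the fix. Raises ValueError on input it
    cannot parse, so a bad version string is never mistaken for a safe one."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    major, minor, patch, qual = parsed
    branch = (major, minor)
    if branch < min(FIXED_VERSIONS):
        return False  # 2.22.x and older: no fixed release exists (assumption)
    if branch in FIXED_VERSIONS:
        fixed_patch = FIXED_VERSIONS[branch]
        if patch < fixed_patch:
            return False
        if patch == fixed_patch and qual:
            return False  # pre-release build of the fix version, e.g. -SNAPSHOT
        return True
    return True  # 2.26 and later branches were cut after the fix (assumption)


def triage(inventory):
    """Map {host: version} to 'patched', 'vulnerable' or 'unknown' for follow-up."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result
```

Hosts that come back as "unknown" (for example a banner that only says "latest") still need a manual version check rather than being assumed safe.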
Indicators of Compromise


