
Critical GeoServer Flaw Enabling Global Hack Campaigns

Targets Include Technology, Government and Telecommunications Sectors
A critical vulnerability in the GeoServer platform - for which the GeoServer Project released a patch in July - is enabling hacking campaigns globally. (Image: Shutterstock)

Cybercriminals are using a critical remote code execution vulnerability in an open-source geospatial data platform to spread malware globally across several industries.


Fortinet's FortiGuard Labs researchers documented in-the-wild exploitation of a critical GeoServer vulnerability, tracked as CVE-2024-36401, that allows an attacker to execute arbitrary code on the server by sending specially crafted requests. Targets have included the technology, government and telecommunications sectors, Fortinet said.

GeoServer Project maintainers released a patch on July 1, shipping fixed releases 2.23.6, 2.24.4 and 2.25.2. The software is widely used to publish and edit geospatial data, and it implements Open Geospatial Consortium standards such as WMS, WFS and WCS for accessing and manipulating that data over the web.

The flaw, which has a CVSS score of 9.8 out of 10, stems from GeoServer's use of a GeoTools library API that unsafely evaluates feature-type property names as XPath expressions, so an attacker-supplied property name can turn into code execution. Because the vulnerable code path is reachable through ordinary OGC requests, such as WFS GetFeature and GetPropertyValue, unauthenticated attackers can exploit a default installation of GeoServer without any special configuration on the victim's side. Operators who cannot upgrade immediately can apply the project's documented workaround of removing the gt-complex library jar from the installation, at the cost of some functionality that depends on it.
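For a defender, the two questions the paragraph above raises are "is my build patched?" and "has anyone already sent me one of those crafted requests?" The following Python script is an added example written for this article; it is not code from Fortinet or from the GeoServer project. The fixed-version table reflects the versions named in the project's advisory, the `exec(java.lang.Runtime...)` marker is the pattern seen in publicly reported exploitation attempts, and the access log lines are constructed for the example.

```python
"""Added example: triage helpers for CVE-2024-36401 (GeoServer).

  1. is_vulnerable_version(): is a GeoServer build older than the patched
     release of its branch (2.23.6, 2.24.4, 2.25.2 per the project's advisory)?
  2. find_exploit_attempts(): scan web-server access log lines for requests
     that put an expression call into a property-name parameter of a WFS
     request. The exec(java.lang.Runtime...) marker is the one reported in
     public exploitation attempts; the log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# First fixed release on each maintained branch, from the GeoServer advisory.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}


def parse_version(text):
    """Turn '2.24.3' or '2.25.2-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True if this version predates the patched release of its branch.

    Branches older than 2.23 never received a fix and are treated as
    vulnerable; branches newer than 2.25 were cut after the fix and are
    treated as patched.
    """
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return branch < (2, 23)


# Query parameters whose value GeoServer hands to the property-name
# evaluator: valueReference (WFS GetPropertyValue) and propertyName
# (WFS GetFeature). Matching is done on the URL-decoded query string.
PROPERTY_PARAMS = ("valuereference", "propertyname")
EXPR_MARKERS = re.compile(r"exec\s*\(|java\.lang\.|getruntime|processbuilder", re.I)

# Combined/common log format request field: "METHOD /path?query HTTP/x.y" status
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample access log: one benign GetFeature, one exploitation
# attempt against GetPropertyValue, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Sep/2024:10:01:07 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 400 1432',
    '10.0.0.7 - - [12/Sep/2024:10:02:11 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9981',
]


def find_exploit_attempts(log_lines):
    """Return (line_no, parameter, decoded value) for each suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m or "?" not in m.group("path"):
            continue
        query = unquote_plus(m.group("path").split("?", 1)[1])
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            if key.lower() in PROPERTY_PARAMS and EXPR_MARKERS.search(value):
                hits.append((n, key, value))
    return hits


if __name__ == "__main__":
    for ver in ("2.24.3", "2.25.2"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "patched")
    for n, key, value in find_exploit_attempts(SAMPLE_LOG):
        print(f"line {n}: suspicious {key}={value}")
```

Two caveats when using this against real logs. The same parameters can be sent in a POST body (XML or form-encoded), which a standard access log does not record, so the log check is a floor, not a ceiling; a web application firewall or request-body logging is needed to see those. And a 400 response, as in the constructed second line, does not mean the attempt failed: the expression may have executed before the request was rejected, so any hit should be treated as a compromise indicator until the host has been examined.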

Fortinet said that cybercriminals swiftly capitalized on the weakness, launching multiple campaigns, including botnet and cryptomining operations, that used the flaw to deploy tools such as Goreverse, which the researchers describe as a reverse proxy server.

Once deployed, Goreverse establishes a connection with a command-and-control server, enabling attackers to control the compromised system and execute further malicious actions.

Among the attackers exploiting the flaw are those behind the SideWalk malware, a Linux backdoor linked to the Chinese state-sponsored group APT41. SideWalk targets multiple system architectures and encrypts its command-and-control traffic, which it uses to exfiltrate data and maintain persistence on compromised systems.

The malware also uses Fast Reverse Proxy to create encrypted tunnels, allowing attackers to conceal their activities by blending malicious traffic with legitimate network traffic.

Researchers observed active exploitation of this vulnerability worldwide, including IT service providers in India, government agencies in Belgium, technology companies in the U.S., and telecommunications firms in Brazil and Thailand.

The U.S. Cybersecurity and Infrastructure Security Agency on July 15 added the GeoServer vulnerability to its Known Exploited Vulnerabilities catalog.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



