A critical security flaw (CVE-2024-36401, CVSS score: 9.8) in OSGeo GeoServer GeoTools and two flaws in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) have been actively exploited in recent campaigns, leading to significant cybersecurity concerns.

Description

A critical security flaw (CVE-2024-36401, CVSS score: 9.8) in OSGeo GeoServer GeoTools has been exploited in campaigns delivering cryptocurrency miners [5], botnet malware like Condi and JenX [2] [3] [5], and the SideWalk backdoor [3] [5]. This vulnerability allows remote code execution by unauthenticated users through specially crafted input [4], impacting GeoServer versions prior to 2.23.6, 2.24.4 [4], and 2.25.2 [4]. Attackers have used this flaw to gain control of vulnerable systems, with the US CISA adding it to its Known Exploited Vulnerabilities catalog [3] [4]. Malicious actors have targeted IT service providers in India [4], US technology companies [3] [4] [5], government entities in Belgium [3] [4] [5], and telecommunications companies in Thailand and Brazil [3] [4] [5]. The SideWalk malware [1], associated with APT41, fetches scripts to download and execute ELF binaries for ARM [4], MIPS [3] [4], and X86 architectures [3] [4], creating backdoors and establishing C2 communication with a server [4]. The malware also leverages Fast Reverse Proxy (FRP) to create encrypted tunnels for malicious activities [4], targeting devices in South America [5], Europe [3] [4] [5], and Asia in a sophisticated and widespread campaign [4].
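To turn the affected-version statement above into a check a defender can run against an asset inventory, here is an added example (not code from the article or from the GeoServer project). It assumes, as the article does not spell out, that each fixed release (2.23.6, 2.24.4, 2.25.2) patches its own minor branch, that everything older than the 2.23 branch is affected, and that branches newer than 2.25 are not; the inventory and host names are constructed.

```python
# Added example: classify GeoServer version strings against the CVE-2024-36401
# fixed releases named in the article (2.23.6, 2.24.4, 2.25.2).
# Assumption (not stated in the article): each fixed release patches its own
# minor branch; releases below the 2.23 branch are affected; branches above
# 2.25 shipped after the fix and are treated as not affected.
import re
from typing import List, Optional, Tuple

FIXED_VERSIONS = {23: (2, 23, 6), 24: (2, 24, 4), 25: (2, 25, 2)}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)  # branches below this have no fix
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)  # branches above this post-date the fix


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract MAJOR.MINOR.PATCH from strings such as '2.25.1' or
    'GeoServer 2.24.3'; return None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is affected, False if patched, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch = parsed
    if major != 2:
        # Assumption: the advisory covers 2.x; older majors are treated as
        # affected, newer majors as not affected.
        return major < 2
    if minor < OLDEST_FIXED_BRANCH:
        return True
    if minor > NEWEST_FIXED_BRANCH:
        return False
    return (major, minor, patch) < FIXED_VERSIONS[minor]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose GeoServer build is still affected."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("gis-prod-01", "2.25.1"),
    ("gis-prod-02", "GeoServer 2.25.2"),
    ("gis-legacy", "2.22.5"),
    ("gis-dev", "2.24.4"),
    ("gis-test", "2.23.5"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-36401, upgrade required")
```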

Additionally, CISA has added two flaws in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124 [5], CVSS scores: 7.5) to its Known Exploited Vulnerabilities catalog [5]. The GOREVERSE malware attempts to establish a connection with a command-and-control (C2) server in order to execute malicious actions [4]. JenX [2] [3] [4] [5], a Mirai variant [4], downloads and executes files from a specified URL [4] and attempts to connect to a C2 server [4]. The Condi malware terminates processes [4] and downloads and executes bot binaries for various CPU architectures from a remote server [4], targeting ARM [4], MIPS [3] [4], PPC [4], X86 [3] [4], M68K [4], SH4 [4], and MPSL architectures [3] [4].

Conclusion

These security flaws have had significant impacts on various organizations and individuals, highlighting the importance of timely patching and proactive cybersecurity measures. Mitigating these vulnerabilities and staying informed about emerging threats are crucial steps in safeguarding against potential cyber attacks in the future.

References

[1] https://www.bankinfosecurity.com/critical-geoserver-flaw-enabling-global-hack-campaigns-a-26225
[2] https://www.krofeksecurity.com/uncovering-the-geoserver-vulnerability-a-playground-for-backdoors-and-botnet-malware/
[3] https://www.techidee.nl/hackers-richten-zich-op-kwetsbaarheid-geoserver-om-backdoors-en-botnetmalware-te-verspreiden/13822/
[4] https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
[5] https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html