The AhnLab Security Intelligence Center (ASEC) has confirmed that unpatched GeoServer instances continue to face relentless attacks by actors exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2024-36401.
GeoServer, an open-source geographic information system (GIS) server written in Java for processing spatial data, became a prime target after the vulnerability was disclosed earlier in 2024.
The flaw allows unauthenticated attackers to execute arbitrary code on affected systems, opening the door to malware deployment.
Unpatched GeoServer vulnerability under siege
Fortinet reports from September 2024 highlighted attack campaigns distributing malicious payloads such as GOREVERSE, SideWalk, Mirai, Condi and CoinMiner through this vulnerability.
Similarly, Trend Micro exposed an operation by the threat actor Earth Baxia that targeted a Taiwanese government agency with spear-phishing and exploitation of the same flaw, highlighting the global reach of these threats.
South Korea has become a focal point for these attacks, with ASEC documenting infections in Windows environments running vulnerable GeoServer versions.
Exploitation of CVE-2024-36401 likely enabled the execution of PowerShell commands that installed Netcat, a versatile networking tool frequently abused as a reverse shell for remote control of compromised systems.

Through Netcat, the attackers connected to their command-and-control (C&C) servers, giving them persistent access.
Targeted attacks in South Korea
Following this initial breach, the threat actors deployed XMRig, a well-known cryptocurrency miner, to mine Monero by hijacking system resources.

On Windows systems, PowerShell scripts downloaded from malicious URLs launched the installation, while in Linux environments Bash scripts were probably used to achieve the same result, in particular by terminating competing miner processes and establishing persistence through cron jobs tied to Pastebin.
This dual-OS targeting shows the attackers' sophistication: they adapt their approach to the victim's environment to maximize impact.
Installing the coin miner not only drains system performance but also provides a foothold for further malicious activity, such as data theft or the deployment of additional malware through the established Netcat backdoor.
According to the report, ASEC's findings underline the urgent need for organizations to patch their systems, as these attacks continue unabated, exploiting the lag in updating unpatched GeoServer instances across regions and sectors.
Organizations are strongly advised to update GeoServer to the latest patched version and to monitor for suspicious network activity associated with the IOCs below to mitigate the risk posed by this ongoing threat.
Indicators of Compromise (IOCs)
Below are the key indicators of compromise (IOCs) identified by ASEC in connection with these attacks.
Type | Indicator |
---|---|
MD5 | 0B3744373C32DC6DE80DFC081200D9F8 |
MD5 | 310C17C19E90381114D47914BCB3CCF2 |
MD5 | 523613A7B9DFA398CBD5EBD2DD0F4F38 |
MD5 | 5E84C2BCCA9486B6416A8B27ED4D845E |
MD5 | 615B348974FB3B5AEA898A172FADECF4 |
URL | http://182.218.82.14/js/1/config.json |
URL | http://182.218.82.14/js/1/gl.txt |
URL | http://182.218.82.14/js/1/gw.txt |
URL | http://182.218.82.14/js/1/s.rar |
URL | http://182.218.82.14/js/1/startup.sh |
IP | 107.180.100.247 |
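As an added example (not code from ASEC, the article or the GeoServer project), the small Python matcher below runs the indicators from the table above against log lines. It normalises MD5 case, matches the payload URLs exactly, and also flags the host of those URLs as an IP indicator so that a bare connection to the download server is caught even when a firewall logs only destination addresses. The log lines are constructed samples in a generic key=value format, not real telemetry.

```python
"""Match the ASEC IOCs for the GeoServer (CVE-2024-36401) campaign against logs.

Added example for this article, not code from ASEC or the GeoServer project.
Indicator values come from the IOC table above; the log lines are constructed
samples, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# File hashes, payload URLs and C&C address from the ASEC IOC table.
IOC_MD5 = {h.lower() for h in (
    "0B3744373C32DC6DE80DFC081200D9F8",
    "310C17C19E90381114D47914BCB3CCF2",
    "523613A7B9DFA398CBD5EBD2DD0F4F38",
    "5E84C2BCCA9486B6416A8B27ED4D845E",
    "615B348974FB3B5AEA898A172FADECF4",
)}
IOC_URLS = {
    "http://182.218.82.14/js/1/config.json",
    "http://182.218.82.14/js/1/gl.txt",
    "http://182.218.82.14/js/1/gw.txt",
    "http://182.218.82.14/js/1/s.rar",
    "http://182.218.82.14/js/1/startup.sh",
}
# The listed IP plus the host of the payload URLs (derived, not separately listed
# by ASEC), so a bare connection to the download server is flagged too.
IOC_IPS = {"107.180.100.247"} | {urlparse(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str       # "url", "ip" or "md5"
    indicator: str  # normalised indicator that matched


def scan_line(line_no: int, line: str) -> List[Hit]:
    """Return every IOC match in one log line (a line can yield several)."""
    hits: List[Hit] = []
    for url in URL_RE.findall(line):
        url = url.rstrip(".,;)")          # trailing punctuation from prose-style logs
        if url in IOC_URLS:
            hits.append(Hit(line_no, "url", url))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for digest in MD5_RE.findall(line):
        if digest.lower() in IOC_MD5:     # hashes compared case-insensitively
            hits.append(Hit(line_no, "md5", digest.lower()))
    return hits


def scan_logs(lines: Iterable[str]) -> List[Hit]:
    """Scan a sequence of log lines; line numbers are 1-based."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample lines (proxy, firewall and EDR style), not real telemetry.
SAMPLE_LOGS = [
    'ts=2025-01-10T03:12:44Z src=10.0.0.15 method=GET url="http://182.218.82.14/js/1/startup.sh" status=200',
    'ts=2025-01-10T03:12:45Z src=10.0.0.15 method=GET url="https://updates.example.invalid/index.html" status=200',
    'ts=2025-01-10T03:13:01Z action=allow src=10.0.0.15 dst=107.180.100.247 dport=443 proto=tcp',
    'ts=2025-01-10T03:13:09Z host=geo-srv-01 event=file_write path=C:\\Windows\\Temp\\payload.bin md5=5E84C2BCCA9486B6416A8B27ED4D845E',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} match {hit.indicator}")
```

Run it as a script to see the matches for the sample lines, or feed it exported proxy, firewall or EDR logs line by line. Note that the hash indicators only catch the exact files ASEC listed, so a clean hash sweep is not evidence that an exposed GeoServer instance was never exploited; patching remains the fix.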