OVERVIEW
FortiGuard Labs has recently discovered a flaw in OSGeo GeoServer and its GeoTools library, and has observed the flaw being exploited to deliver malware such as GOREVERSE and SideWalk/Winnti.
OSGeo GeoServer and GeoTools are open source geospatial software and mapping tools used by many organizations across a wide range of sectors.
The flaw, tracked as CVE-2024-36401, has been leveraged to deliver cryptocurrency miners, botnet malware and an advanced Linux backdoor called SideWalk, known to be used by the Chinese threat actor APT41.
Part of the exploitation process involves running a legitimate tool, Fast Reverse Proxy, to evade detection by creating an encrypted tunnel to the attacker's command-and-control server.
OSGeo has released updates for 3 versions of GeoServer that address this vulnerability as well as other security concerns, and customers are urged to update as soon as possible.
HOW AVERTIUM IS PROTECTING OUR CUSTOMERS
IOCs ADDED TO OUR THREAT FEEDS
NOTE!: Avertium is actively searching across all monitored environments for the IoCs listed below. If any are discovered, we will reach out to you directly. If your environment or portions of your environment are not currently being monitored, please reach out to your Service Delivery Manager.
GOREVERSE
- fe0b76601775168fdf495e32cb79c4edc58336cc8044a93601d70886a7742233
- ea32e456a0ccbfcbcfe52130463190cebdb9f503
- e20be442700425853749522939aa9919c97b3dc875f9eba6a35e037d6a8debd5
- df4603548b10211f0aa77d0e9a172438
- d12b16ba2063d8613a17d2e44d99f7995b9e8adbd2ecc9088db4a864915ed3f5
- c867881c56698f938b4e8edafe76a09b
- a78bf3d16349eba86719539ee8ef562d
- 9c3bf506dd19c08c0ed3af9c1708a770
- 84cafbb8a9665935e6eba2ab6ccc2739c9fa5b71
- 6078955c613b4aa6f2b52631038613d0d81c6ccb2ceb370d7968d260257a8294
- 5f96a3ba22fefd2ab99e3cc2df68fc6992d58e1f
- 5c175ea3664279d6c0c2609844de6949
- 5198aadb418f437e1329ceab9cad54257aefbcee
- 4a8b8a164e20748e23fbded8b048bacb9c3d715c
- 25ea0fa8e8c7fe6577851e537f240730ee1e4540
- 0ba435460fb7622344eec28063274b8a
- 0951109dd1be0d84a33d52c135ba9c97
Winnti
- f5623e4753f4742d388276eaee72dea6
- e7435a8ccc959774f092be7e480735eb005a72af
- d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba
- d1100b60d45fac34867b8b0330798a7bcbc05ec10394bd95f5876e0eab154c8f
- cbe9107185c8e42140dbd1294d8c20849134dd122cc64348f1bfcc90401379ec
- aa3a6610c795e5741b27e614161f930b1bdab0852f3600d813f4acb3eaa40cf4
- a42249e86867526c09d78c79ae26191d
- 99ffc0099277bef59a37a4cfcf4cdd71df13ad33d1c7bf943dc87f803e75dd2c
- 98ac3b56b372b5fc4f4c9cf4b72b31aa5ffaf79e
- 951fe6ce076aab5ca94da020a14a8e1c
- 909c015d5602513a770508fa0b87bc6f
- 7ce7b914bd434f8a45db1cb3ec783237a5485b7abcee4df06275ea274e095295
- 7671585e770cf0c856b79855e6bdca2a
- 5ea33d0655cb5797183746c6a46df2e9
- 5dc4764bcb15f50769d98aef8b63c7565c38b6d0
- 5c9887c51a0f633e3d2af54f788da525
- 57f7ffaa0333245f74e4ab68d708e14e
- 4d79e1a1027e7713180102014fcfb3bf
- 4afedf6fbf4ba95bbecc865d45479eaf
- 4305c04df40d3ac7966289cc0a81cedbdd4eee2f92324b26fe26f57f57265bca
- 31eebd590a227389318364061f9b0f0fcaa6fcc1a566dde61fd044bac56aa355
- 2c80808b38140f857dc8b2b106764dd8
- 17bbebd7d8982d580cc3dea35d988ae2bfd62d708b69662419c41682274e0a14
- 15e4e936b2f47eb3fa2455b7c22b2714bebe9f8c01b24bbf7cb5f9559999d292
- 1425a4a89b938d5641ed438333708d1728cfed8c124451180d011f6bbb409976
- 133d3e070e30c94a591450b0930daf9f751debc0f4384fac6ace63f60a383818
Fast Reverse Proxy
The file hashes listed below indicate the presence of Fast Reverse Proxy. REMEMBER – Fast Reverse Proxy is a legitimate tool, so these hashes by themselves DO NOT represent indicators of compromise. Event logs will need to be cross-referenced to establish what Fast Reverse Proxy is being used for before a match can be elevated to an indicator of compromise.
- f6d3e44709edd3189ba713d071bf1d17
- 166d91a732b0da53764ee2473650c65b5b74c9c05c9d43b05fcff62237208b3a
- 0d44129c207346b3cea3dd12dff857b3266ce82fde966633898214af7d527f7fef6b503e67bfa9aee6668e2cdcf1306ceda80ccc4908f38f745bd9534d004356
- 12c18eb0184d1e71607452c26b5d100d06798ec8
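As an added example (not Avertium's or FortiGuard's tooling), the following Python script looks file hashes up against the lists above and keeps the Fast Reverse Proxy caveat in the data itself: FRP hashes return a "context-required" verdict instead of a "malware" verdict, so a match is reported but not treated as compromise on its own. The hash values in PAGE_INDICATORS are a subset copied from this advisory; the function names, the verdict labels, the directory sweep and the byte string used in the usage are this example's own constructions.

```python
"""Hash lookup against the indicator lists in this advisory.

Added example; not Avertium's or FortiGuard's tooling.  PAGE_INDICATORS holds
a subset of the hashes listed above (copied from the advisory).  Function
names and the verdict labels are this example's own design.
"""
import hashlib
import os

# Digest algorithm inferred from the hex-digest length, which is how the mixed
# MD5/SHA-1/SHA-256/SHA-512 lists above can be loaded without per-entry labels.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# Subset of the advisory's hashes, keyed by family.  Fast Reverse Proxy is a
# legitimate tool, so its entries carry the verdict "context-required": a hit
# must be correlated with event logs before it is treated as compromise.
PAGE_INDICATORS = {
    "fe0b76601775168fdf495e32cb79c4edc58336cc8044a93601d70886a7742233": ("GOREVERSE", "malware"),
    "ea32e456a0ccbfcbcfe52130463190cebdb9f503": ("GOREVERSE", "malware"),
    "df4603548b10211f0aa77d0e9a172438": ("GOREVERSE", "malware"),
    "f5623e4753f4742d388276eaee72dea6": ("Winnti", "malware"),
    "d182239d408da23306ea6b0f5f129ef401565a4d7ab4fe33506f8ac0a08d37ba": ("Winnti", "malware"),
    "f6d3e44709edd3189ba713d071bf1d17": ("Fast Reverse Proxy", "context-required"),
    "166d91a732b0da53764ee2473650c65b5b74c9c05c9d43b05fcff62237208b3a": ("Fast Reverse Proxy", "context-required"),
    "12c18eb0184d1e71607452c26b5d100d06798ec8": ("Fast Reverse Proxy", "context-required"),
}


def hash_algorithm(hexdigest):
    """Return 'md5', 'sha1', 'sha256' or 'sha512' for a hex digest, or None when
    the string is not well-formed hex of a supported length."""
    h = hexdigest.strip().lower()
    if len(h) not in ALGO_BY_LEN:
        return None
    try:
        int(h, 16)
    except ValueError:
        return None
    return ALGO_BY_LEN[len(h)]


def classify(hexdigest, indicators=PAGE_INDICATORS):
    """Look one digest up: (family, verdict) or None for an unknown hash."""
    h = hexdigest.strip().lower()
    if hash_algorithm(h) is None:
        raise ValueError("not a supported hex digest: %r" % hexdigest)
    return indicators.get(h)


def digests_of(data):
    """All four digests of a byte string, as {algorithm: hexdigest}."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGO_BY_LEN.values()}


def digests_of_file(path, chunk_size=1 << 20):
    """Same as digests_of, but streamed so large files are hashed in one pass."""
    hashers = {a: hashlib.new(a) for a in ALGO_BY_LEN.values()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests, indicators=PAGE_INDICATORS):
    """Check one file's digests; return (algorithm, family, verdict) on the first
    hit, or None."""
    for algo, h in digests.items():
        hit = indicators.get(h.lower())
        if hit:
            return (algo, hit[0], hit[1])
    return None


def scan_tree(root, indicators=PAGE_INDICATORS):
    """Walk a directory and return [(path, algorithm, family, verdict)] for every
    regular file whose digest is in the indicator set.  Unreadable files are
    skipped so one permission error does not abort the sweep."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hit = match_digests(digests_of_file(path), indicators)
            except OSError:
                continue
            if hit:
                hits.append((path,) + hit)
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python ioc_scan.py /path/to/geoserver  (defaults to the current dir)
    for path, algo, family, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s  %s  %s  [%s]" % (path, algo, family, verdict))
```

Loading the rest of the advisory's hashes is a matter of extending PAGE_INDICATORS; hash_algorithm rejects anything that is not well-formed hex of a known length, so a mis-pasted entry fails at load rather than silently never matching. Any "context-required" hit should be handed to whoever owns the host's event logs rather than raised as an incident by itself.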
TTPs TO MONITOR
1. Initial Access (TA0001)
This vulnerability appears to require some level of user interaction. Observed instances typically involved drive-by compromise to trick users into installing the malware in their environment.
- Drive-by Compromise (T1189): The attacker exploits a vulnerability when the victim unknowingly visits a malicious website that delivers an exploit.
2. Persistence (TA0003)
When the attacker's goal is to exploit the environment for cryptocurrency mining, botnet activity or espionage, long-term persistence is a necessity. Attackers are likely to employ any or all of the techniques listed below to avoid detection and maintain a presence.
- Create Account (T1136): Creating a new user account to ensure continued access to the system even after initial access points are closed.
- Scheduled Task/Job (T1053): Scheduling malicious tasks to run periodically, ensuring the code is re-executed even after a system reboot.
- Boot or Logon Autostart Execution (T1547): Modifying system startup scripts or services so that malicious code runs whenever the system starts.
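As an added example (not Avertium's or FortiGuard's detection content), the Python below turns the three persistence techniques above into rules run over a consolidated Linux log feed, then correlates a newly created account with a later SSH login, which is the kind of event-log cross-referencing the Fast Reverse Proxy note in this advisory asks for. The log lines in SAMPLE_LOG are constructed for this example: the hostname geo-srv01, the accounts svc_geo and deploy, the unit name geo-sync.service and the IP addresses are invented, and the audit lines are simplified auditd PATH records.

```python
"""Persistence-technique spotter for T1136, T1053 and T1547.

Added example; not Avertium's detection content.  SAMPLE_LOG is constructed
(invented hostname, accounts, unit name and addresses); the rule patterns are
narrow on purpose and should be tuned to the host's real log formats.
"""
import re
from collections import Counter

# (technique id, technique name, pattern).  Each pattern captures a "detail"
# group: the account, crontab owner or file path that the hit is about.
RULES = [
    ("T1136", "Create Account",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<detail>[^,\s]+)")),
    ("T1053", "Scheduled Task/Job",
     re.compile(r"crontab\[\d+\]: \((?P<detail>[^)]+)\) REPLACE")),
    ("T1053", "Scheduled Task/Job",
     re.compile(r'type=PATH .*name="(?P<detail>(?:/etc/cron\.d|/etc/cron\.(?:hourly|daily|weekly|monthly)|/var/spool/cron)/[^"]+)".*nametype=CREATE')),
    ("T1547", "Boot or Logon Autostart Execution",
     re.compile(r'type=PATH .*name="(?P<detail>(?:/etc/systemd/system/[^"]+\.service|/etc/rc\.local|/etc/init\.d/[^"]+|/etc/profile\.d/[^"]+))".*nametype=CREATE')),
]

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

# Constructed feed mixing syslog and auditd PATH records from one host.
SAMPLE_LOG = """\
Sep 10 02:14:07 geo-srv01 useradd[4012]: new user: name=svc_geo, UID=1004, GID=1004, home=/home/svc_geo, shell=/bin/bash
Sep 10 02:15:31 geo-srv01 crontab[4101]: (tomcat) REPLACE (tomcat)
type=PATH msg=audit(1725934562.101:4411): item=1 name="/etc/systemd/system/geo-sync.service" inode=918 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=PATH msg=audit(1725934600.220:4420): item=1 name="/var/spool/cron/crontabs/tomcat" inode=920 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=CREATE
Sep 10 02:17:44 geo-srv01 sshd[4210]: Accepted publickey for svc_geo from 10.20.30.40 port 51234 ssh2
Sep 10 03:00:01 geo-srv01 CRON[4300]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Sep 10 03:05:12 geo-srv01 sshd[4350]: Accepted password for deploy from 10.20.30.41 port 51300 ssh2
"""


def detect(log_text):
    """Run every rule over every line.  Returns a list of
    (line_no, technique_id, technique_name, detail) tuples in log order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for tid, tname, pat in RULES:
            m = pat.search(line)
            if m:
                hits.append((n, tid, tname, m.group("detail")))
    return hits


def summarize(hits):
    """Count hits per technique id, e.g. {'T1053': 2, ...}."""
    return Counter(h[1] for h in hits)


def new_accounts_that_logged_in(log_text):
    """Correlate T1136 with later SSH logins: an account created in this feed
    and then seen in an 'Accepted' line is a stronger signal than either event
    alone.  Returns [(user, source_ip, created_line, login_line)]."""
    created = {}
    for n, tid, _, detail in detect(log_text):
        if tid == "T1136":
            created[detail] = n
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOGIN_RE.search(line)
        if m and m.group("user") in created and n > created[m.group("user")]:
            user = m.group("user")
            findings.append((user, m.group("src"), created[user], n))
    return findings


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for n, tid, tname, detail in hits:
        print("line %d: %s %s -> %s" % (n, tid, tname, detail))
    print("per technique:", dict(summarize(hits)))
    for user, src, c, l in new_accounts_that_logged_in(SAMPLE_LOG):
        print("new account %s (line %d) logged in from %s (line %d)" % (user, c, src, l))
```

The rules are deliberately conservative: a routine CRON "CMD" line does not fire, only a crontab replacement or a new file under the cron or systemd directories does. On a real host, feed detect() the merged syslog and audit stream and treat the correlated account-then-login finding, not any single rule hit, as the escalation point.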
ADDITIONAL SERVICE OFFERINGS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Security Information and Event Management (SIEM) - Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
- Avertium aligns your Cybersecurity Strategy with your business strategy, ensuring that your investment in security is also an investment in your business. Our Cybersecurity Strategy service includes:
  - Strategic Security Assessments - Strengthening your security posture begins with knowing where your current program stands (NIST CSF, Security Architecture, Business Impact Analysis, Sensitive Data Inventory, Network Virtualization and Cloud Assessment).
  - Threat Mapping - Leverage Avertium's Cyber Threat Intelligence, getting a more informed view of your most likely attack scenarios (Threat Assessment and MITRE ATT&CK).
  - Cyber Maturity Roadmap - Embrace a comprehensive, quantifiable, and well-organized approach to establishing and continuously enhancing your cybersecurity resilience (Policy + Procedure Development, Virtual CISO (VCISO), Training + Enablement, Tabletop Exercises, and Business Continuity + Disaster Recovery Plan).
SUPPORTING DOCUMENTATION