Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,781 of 2,445    |
|    Mike Powell to All    |
|    US agency breached    |
|    25 Sep 25 08:32:03    |
TZUTC: -0500
MSGID: 1530.consprcy@1:2320/105 2d3a804d
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

US federal agency breached by hackers using GeoServer exploit, CISA says

Date:
Wed, 24 Sep 2025 14:28:00 +0000

Description:
A timely patching could have prevented the attack, while proper monitoring could have mitigated the threat.

FULL STORY

In mid-July 2024, a threat actor managed to break into a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.

In an in-depth report detailing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers leveraged CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through specially crafted input against a default GeoServer installation.

GeoServer is an open source server platform that enables users to share, edit, and publish geospatial data using open standards.

Lessons learned

The vulnerability was disclosed on June 30, and added to CISA's Known Exploited Vulnerabilities (KEV) catalog by July 15, but by that time, it was already too late since the miscreants established persistence on compromised endpoints.

The damage could have been reduced with timely patching, though, as a second GeoServer instance was breached on July 24.

Once inside, the attackers conducted extensive reconnaissance using tools like Burp Suite, fscan, and linux-exploit-suggester2.pl.

They moved laterally across the network, compromising a web server and an SQL server, and deploying web shells on each system.

Among them was China Chopper, a lightweight web shell used for remote access and control over compromised servers. Once installed, it allows attackers to execute commands, upload files, and pivot within networks.

CISA did not attribute this attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those linked to Chinese state-sponsored operations such as APT41.

The goal of CISA's report was to share lessons learned from the incident, and apparently those lessons are: patch your systems on time, make sure to have an incident response plan (and test/exercise it!), and continuously review alerts.

Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/us-federal-agency-breached-by-hackers-using-geoserver-exploit-cisa-says

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca