Particle.news

CISA Details 2024 Federal Agency Breach Exploited via GeoServer RCE

CISA's lessons-learned advisory urges faster KEV patching with continuous EDR monitoring after agency remediation failures.

Overview

  • Threat actors gained access on July 11, 2024 by exploiting CVE-2024-36401 on a public-facing GeoServer, then breached a second GeoServer by July 24.
  • They moved from the GeoServers to a web server and then an SQL server, deploying China Chopper–style web shells and living-off-the-land (LOTL) tools and using brute-force techniques while abusing service accounts.
  • The intrusion persisted for three weeks until an EDR alert on July 31 flagged suspected malware on the SQL server, prompting isolation and a CISA-assisted investigation.
  • The vendor had patched the RCE in June and CISA added it to the KEV catalog in mid-July, while Shadowserver observed exploitation beginning July 9 and ZoomEye tracked thousands of exposed GeoServers.
  • CISA cites delayed patching, incomplete EDR coverage, missed alerts and weak incident response planning, with experts urging automated KEV enforcement; the advisory does not name the agency.
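The final bullet points to automated KEV enforcement as the remedy for the delayed patching CISA describes. The following is an added example, not code from Particle.news, CISA or the GeoServer project: a Python script that compares an asset inventory against records in the shape of CISA's KEV JSON feed and reports which hosts are still unpatched past the KEV due date. The KEV field names follow the public feed's schema; the catalog excerpt, host names, and dates are constructed samples, and CVE-0000-00001 is a placeholder entry.

```python
"""
Added example: offline KEV due-date enforcement check.
Compares an asset inventory against KEV-shaped catalog records and flags
hosts that are unpatched (or were patched late) relative to the KEV dueDate.
Field names follow the public CISA KEV JSON feed; all rows are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed.
# Dates are illustrative placeholders, not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36401",
            "vendorProject": "OSGeo",
            "product": "GeoServer",
            "dateAdded": "2024-07-15",
            "dueDate": "2024-08-05",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-0000-00001",  # placeholder entry, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2024-06-01",
            "dueDate": "2024-06-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})

# Constructed asset inventory: CVEs each host is known to be affected by
# (from a scanner or SBOM) and the date the fix was applied, if ever.
INVENTORY = [
    {"host": "geoserver-1", "cves": ["CVE-2024-36401"], "patched": None},
    {"host": "geoserver-2", "cves": ["CVE-2024-36401"], "patched": "2024-08-20"},
    {"host": "app-3", "cves": ["CVE-0000-00001"], "patched": "2024-06-10"},
    {"host": "db-4", "cves": [], "patched": None},
]


def parse_kev(feed_json):
    """Return {cveID: entry} with dateAdded/dueDate parsed from KEV-shaped JSON."""
    catalog = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        e = dict(entry)
        e["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        e["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"]] = e
    return catalog


def kev_findings(inventory, catalog, today):
    """
    One finding per (host, KEV-listed CVE). Status is one of:
      'overdue' - not patched and today is past the KEV due date
      'open'    - not patched, due date not yet reached
      'late'    - patched, but only after the due date
      'ok'      - patched on or before the due date
    Hosts with no KEV-listed CVEs produce no findings. `today` may be a
    date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        patched = date.fromisoformat(asset["patched"]) if asset["patched"] else None
        for cve in asset["cves"]:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV; left to normal vulnerability management
            due = entry["dueDate"]
            if patched is None:
                status = "overdue" if today > due else "open"
                days = (today - due).days if today > due else 0
            else:
                status = "late" if patched > due else "ok"
                days = max((patched - due).days, 0)
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "status": status,
                "days_past_due": days,
                "ransomware_use": entry["knownRansomwareCampaignUse"],
            })
    # Worst first: overdue, then late, then open, then ok; ties by days past due.
    order = {"overdue": 0, "late": 1, "open": 2, "ok": 3}
    findings.sort(key=lambda f: (order[f["status"]], -f["days_past_due"]))
    return findings


if __name__ == "__main__":
    for f in kev_findings(INVENTORY, parse_kev(KEV_SAMPLE), "2024-08-30"):
        print(f'{f["status"]:8} {f["host"]:12} {f["cve"]:16} '
              f'{f["product"]:22} +{f["days_past_due"]}d '
              f'ransomware={f["ransomware_use"]}')
```

In practice KEV_SAMPLE would be replaced by the downloaded feed and INVENTORY by scanner or CMDB output; an `overdue` finding on an internet-facing host is exactly the condition the advisory describes, so that status is the one to route to an alerting or ticketing system rather than a report.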