Date: 09/24/2025
Severity: Critical
Summary
Incident response efforts determined that cyber threat actors infiltrated the agency’s network on July 11, 2024, by exploiting a critical vulnerability—CVE-2024-36401 [CWE-95: “Eval Injection”]—in a public-facing GeoServer instance (referred to as GeoServer 1). This vulnerability, publicly disclosed on June 30, 2024, enables unauthenticated remote code execution (RCE) on vulnerable GeoServer versions. The attackers leveraged this flaw to deploy open-source tools and scripts, establishing persistent access within the network. Following the compromise of GeoServer 1, the threat actors separately exploited the same vulnerability to gain initial access to a second instance, GeoServer 2, on July 24, 2024. They also moved laterally from GeoServer 1 to other systems, including a web server and a Structured Query Language (SQL) server. On each compromised host, they uploaded or attempted to upload web shells—such as China Chopper—and various scripts intended for remote access, maintaining persistence, executing commands, and escalating privileges. Additionally, the attackers employed "living off the land" (LOTL) techniques to blend in with legitimate system activity.
Indicators of Compromise (IOC) List
| Indicator Type | Value |
|---|---|
| IP Address | 45.32.22.62 |
| IP Address | 45.17.43.250 |
| MD5 Hash | 0777EA1D01DAD6DC261A6B602205E2C8 |
| MD5 Hash | feda15d3509b210cb05eacc22485a78c |
| MD5 Hash | C9F4C41C195B25675BFA860EB9B45945 |
| MD5 Hash | B7B3647E06F23B9E83D0B1CCE3E71642 |
| MD5 Hash | 64e3a3458b3286caaac821c343d4b208 |
| MD5 Hash | 20b70dac937377b6d0699a44721acd80 |
| MD5 Hash | de778443619f37e2224898a9a800fa78 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (IOC IP addresses, either direction):
dstipaddress IN ("45.32.22.62","45.17.43.250") or srcipaddress IN ("45.32.22.62","45.17.43.250")

Detection Query 2 (IOC MD5 hashes):
md5hash IN ("64e3a3458b3286caaac821c343d4b208","0777EA1D01DAD6DC261A6B602205E2C8","feda15d3509b210cb05eacc22485a78c","C9F4C41C195B25675BFA860EB9B45945","B7B3647E06F23B9E83D0B1CCE3E71642","20b70dac937377b6d0699a44721acd80","de778443619f37e2224898a9a800fa78")
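The two queries above expressed as a stand-alone matcher, as an added example that is not Gurucul's code or the advisory's: it applies the IP and MD5 IOC sets to constructed key=value log records, normalizing case and whitespace first so a hash logged as upper-case or padded with spaces is not missed (the log field names and the key=value format are assumptions, not the TDIR schema).

```python
# Added example (not from the advisory): apply the two IOC queries above to
# constructed log records, normalizing values so that case or a stray space
# in a hash does not cause a miss.
import re

IOC_IPS = {"45.32.22.62", "45.17.43.250"}
IOC_MD5 = {h.lower() for h in [
    "0777EA1D01DAD6DC261A6B602205E2C8",
    "feda15d3509b210cb05eacc22485a78c",
    "C9F4C41C195B25675BFA860EB9B45945",
    "B7B3647E06F23B9E83D0B1CCE3E71642",
    "64e3a3458b3286caaac821c343d4b208",
    "20b70dac937377b6d0699a44721acd80",
    "de778443619f37e2224898a9a800fa78",
]}

# key=value pairs; a quoted value may contain spaces (constructed format)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one key=value log line into a dict, trimming quotes and spaces."""
    return {k: v.strip('"').strip() for k, v in KV_RE.findall(line)}

def match_ioc(record):
    """Return the names of the queries that fire on this record."""
    hits = []
    if record.get("srcipaddress") in IOC_IPS or record.get("dstipaddress") in IOC_IPS:
        hits.append("query1_ip")      # Detection Query 1
    if record.get("md5hash", "").lower() in IOC_MD5:
        hits.append("query2_md5")     # Detection Query 2
    return hits

# Constructed sample events: a flow to an IOC address, an EDR file event whose
# hash is lower-cased and padded with whitespace, and a benign flow.
SAMPLE_LOGS = [
    'ts=2024-07-11T02:14:09Z srcipaddress=10.0.5.21 dstipaddress=45.32.22.62 dstport=443',
    'ts=2024-07-11T02:20:41Z host=geoserver1 md5hash=" 0777ea1d01dad6dc261a6b602205e2c8 " path=/tmp/x',
    'ts=2024-07-11T02:21:00Z srcipaddress=10.0.5.21 dstipaddress=93.184.216.34 dstport=443',
]

def scan(lines):
    """Return [(line_index, query names)] for every record that hits an IOC."""
    return [(i, hits) for i, line in enumerate(lines)
            if (hits := match_ioc(parse_record(line)))]
```

Note that query 2 as written in a SIEM is an exact-string match, so the normalization in `parse_record` and `match_ioc` is what keeps the padded or re-cased hash from slipping past.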
Reference:
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a