Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401

    Date: 09/10/2024

    Severity: Medium

    Summary

    CVE-2024-36401 affects GeoServer, a widely deployed open-source server for publishing geospatial data. Threat actors are actively exploiting the flaw to compromise exposed GeoServer instances: a specially crafted request to the server lets an unauthenticated attacker execute arbitrary code or access sensitive data. Organizations running GeoServer should apply the latest security patches and updates promptly, and use the indicators and detection queries below to hunt for signs of compromise on instances that were exposed before patching.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "http://95.85.93.196:80/h4" or url like "http://95.85.93.196:80/h4" or userdomainname like "bots.gxz.me" or url like "bots.gxz.me" or userdomainname like "http://209.146.124.181:8030/bot.arm7" or url like "http://209.146.124.181:8030/bot.arm7" or userdomainname like "http://209.146.124.181:8030/bot.arm6" or url like "http://209.146.124.181:8030/bot.arm6" or userdomainname like "http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/config.json" or url like "http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/config.json" or userdomainname like "http://209.146.124.181:8030/Linux2.6" or url like "http://209.146.124.181:8030/Linux2.6" or userdomainname like "http://181.214.58.14:61231/remote.sh" or url like "http://181.214.58.14:61231/remote.sh" or userdomainname like "http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/test.sh" or url like "http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/test.sh" or userdomainname like "http://209.146.124.181:8030/bot.ppc" or url like "http://209.146.124.181:8030/bot.ppc" or userdomainname like "http://209.146.124.181:8030/taskhost.exe" or url like "http://209.146.124.181:8030/taskhost.exe" or userdomainname like "http://209.146.124.181:8030/bot.m68k" or url like "http://209.146.124.181:8030/bot.m68k" or userdomainname like "http://209.146.124.181:8030/bot.x86_64" or url like "http://209.146.124.181:8030/bot.x86_64" or userdomainname like "http://188.214.27.50:4782/sky" or url like "http://188.214.27.50:4782/sky" or userdomainname like "http://112.133.194.254/config.sh" or url like "http://112.133.194.254/config.sh" or userdomainname like "http://1.download765.online/d" or url like "http://1.download765.online/d" or userdomainname like "http://209.146.124.181:8030/Linux2.4" or url like "http://209.146.124.181:8030/Linux2.4" or userdomainname like "http://209.146.124.181:8030/bot.sh4" or url like "http://209.146.124.181:8030/bot.sh4" or userdomainname like 
"http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/linuxsys" or url like "http://ec2-13-250-11-113.ap-southeast-1.compute.amazonaws.com/css/linuxsys" or userdomainname like "http://112.133.194.254/check.sh" or url like "http://112.133.194.254/check.sh" or userdomainname like "http://209.146.124.181:8030/bot.x86" or url like "http://209.146.124.181:8030/bot.x86" or userdomainname like "http://209.146.124.181:8030/bot.arm" or url like "http://209.146.124.181:8030/bot.arm" or userdomainname like "pool.supportxmr.com" or url like "pool.supportxmr.com" or userdomainname like "http://209.146.124.181:8030/bot.arm5" or url like "http://209.146.124.181:8030/bot.arm5" or userdomainname like "http://209.146.124.181:8030/bot.mips" or url like "http://209.146.124.181:8030/bot.mips" or userdomainname like "http://209.146.124.181:8030/bot.mpsl" or url like "http://209.146.124.181:8030/bot.mpsl" or userdomainname like "http://209.146.124.181:8030/JrLinux" or url like "http://209.146.124.181:8030/JrLinux" or userdomainname like "http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/sshd" or url like "http://oss.17ww.vip/21929e87-85ff-4e98-a837-ae0079c9c860.txt/sshd" or userdomainname like "http://ec2-54-191-168-81.us-west-2.compute.amazonaws.com/css/linuxsys" or url like "http://ec2-54-191-168-81.us-west-2.compute.amazonaws.com/css/linuxsys" or userdomainname like "http://112.133.194.254/cron.sh" or url like "http://112.133.194.254/cron.sh" or userdomainname like "secure.systemupdatecdn.de" or url like "secure.systemupdatecdn.de" or userdomainname like "pool.supportxmr.com" or url like "pool.supportxmr.com"

    Wallet

    Userdomainname like "49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+50000" or url like "49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+50000" or userdomainname like "41qqpRxT7ocGsbZPeU9JcbfRiHLy3j8DWhdKzv8Yr2VS1QPcFLmfHVJFWEBDfWaB3N6HxuVuAb73nES36bN2rhevGnZ12nA" or url like "41qqpRxT7ocGsbZPeU9JcbfRiHLy3j8DWhdKzv8Yr2VS1QPcFLmfHVJFWEBDfWaB3N6HxuVuAb73nES36bN2rhevGnZ12nA"

    IP Address

    dstipaddress IN ("188.214.27.50","181.214.58.14","209.146.124.181","95.85.93.196") or ipaddress IN ("181.214.58.14","209.146.124.181","95.85.93.196") or publicipaddress IN ("181.214.58.14","209.146.124.181","95.85.93.196") or srcipaddress IN ("181.214.58.14","209.146.124.181","95.85.93.196")

    Hash

    sha256hash IN ("3369ddc627282eb38346e1a56118026dd3ccdb29b18ffff88ecf3663296ee6da","3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab","7355cc094f2e43e4dd7b8b698b559abe6d2d74cc48f5cfa464424314c6e41944","a13a979f4ca57450528bb6cd7aa2bf47d2eea211053eb1a14b8c4a44fd661831","1abd8cbd64d1d9c8d56b7ea6273ed62e1471f300fabc67dbc2416a48e2faf33d","b67ab1b9b66fdc2c4ed1689698a54a347c2bdd6eaff87039ae337675243670d8","c3101b0b74d76a95ba91b6cc4945657e928d2dac8fdf926ffbf09031d46e9186","b3a015b6650ec9800fa878ff9a5f732013806c8dcb0e7069515dae0dd380fda4","3c73ebc7a85accc65c9ee5bf151f70b990e5a12f27a843ca21c0f9d9a10fd17d","e8b0f5a952f07c83c4d67809ac0715c7164d518323d8038542e84aab8456db43","d9e8b390f8e2e8a6c2308c723a6a812f59c055ecad4e9098a120e5c4c65d3905","c81d4770e812ddc883ead8ff41fd2e5a7d5bc8056521219ccf8784219d1bd819","20d97f144bf7b1662a13ac537715126b9b2f68eff46a4a09234743ae236f0177","994b924b00fb56e12a6a987c4cdf65dd05a221c47b5fc0a7a2babf1f05c2ed38","fabbb4611fb9df5d8f208d9353be0b73c3942fe78903da096cbfe2f47c9e3566","bf56711bbe0b1dac3b1481d36e7ae2f312da5f404c554c2c45a01fe591b8464d","f7b97677b6387c1f02d429e98868bf6973a8dec14dfee2516a27e885d6b1c780","8d3440301bc94ed83cdafb69e4b0166d3a0020eb4f38e9fa159c2f13f14b2d29","a9e7b5284182d3881c865895ee6e0fb03273eec3dcbf4bfc82dd2b069245beae","79c9532fb6ef2742e207498bfe2b2ee09aa9773376ac0e56085083aab17b98be","f3d3572ef96c9c59e137425ca6804e1b86b7f8b57210a3724d567017460774de","7d052cffcf97b303d11c5d35fa9bc860155601cdea21e38447401571b35d2db1","7194ec436231c2a383ffc7c75eef4f5b5a952c18fa176ffd0830667835a80533","c226744b40e8f5d2cf95b4fb2537ff00e222ecc2d24c5096ecfadb14b4a47f97","addccd0ecb643251af2e79e878b19a8e9c8f1c87302e732ef057cdba821f4b30","5cc7e35254347f705422800bfb7fe29c6002e2537f6bac0ff996a720dfb5f48e","1af8e068aa7377f0055640af581a412aa9d7288c912a93dd0d739657af0079fb","53994a35a57970dea48e97009f65ad045b69a83234b771b106446211376a6866","b60d7fb66caf103a04e81fb89dbb05111b4b0ef513f3769c8e0a8106ab01a075","d9dfe98b5fba09e17dbe29dfeb8deb7d777d4
a3b0d670914691ed360b916116a","b80e9466b7bb42959c29546b8c052e67fcaa0f591857617457d5d28348bd8860","83fb74bb852bbd722e6ebc4e249e49cb4bb4194493a26d62d4bfcdfca2998412","275302d03a4378f1b852e6d783d3181c2899ae0e9ebad4c7160221320863c425","653a4ad0b00e59a01142f899b6aac9712cfb25063b5b9b2e7e3171f7f3a897ed","3dce929b1c091abac3342788624f1ffa4be5d603eec4d7ab39b604694ac05d22","50b7e615b8cdc45486b6ed1c1c081c7a92c262edb84318fa864531dcab753f82","96cf27a66b629d2b19708c6887441a8422b40dc0e9e7c5c0f2212efe0b6b3323","8fad39ec0671d9b401712ddbc1f24942b2ee2f4865b6ffcd2f019036e03cbade","9bf642a7e14f0a0b0a784f00a0d1cf590ac60ae5ae378d29d435519f4d9dbf2b","1588bee7db42495ba7e6e34d217e6b82c5ab93f27c1eea68435cbb9e7792f9be")

    Reference: 

    https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401


    Tags

    Malware, Exploit, CVE - 2024
