100

GeoServer CVE-2024-36401 response: what the attack chain teaches defenders

How does a public GeoServer bug turn into full intrusion? CISA says CVE-2024-36401 was exploited on public-facing GeoServer systems, then the campaign moved through web shells, cron jobs, valid accounts, brute force, PowerShell, BITS jobs, and Stowaway.[1]

🧵 1/5

The sequence mattered: attackers used Burp Scanner to find the flaw, exploited GeoServer 1 and GeoServer 2, then kept persistence with web shells, cron jobs, and valid accounts, including some accounts later deleted.[2][3][4]

🧵 2/5

CISA also says they used brute force to get passwords for lateral movement and privilege escalation, abused service accounts, and ran PowerShell plus bitsadmin getfile to pull payloads before BITS jobs and web shell execution helped hide activity.[5][6][7]

  • Sample output for the bitsadmin /list /verbose command
🧵 3/5

For command and control, the actors used Stowaway through the web server, then a second outbound connection that likely acted as a backup channel. That is why CISA pushes prompt patching, centralized out-of-band logging, incident response practice, and validation of ATT&CK controls.[8][9][10][11]

🧵 4/5

Practical recovery additions: review conditional access, revoke active sessions or tokens, and use MFA, especially for privileged and email accounts. Then test controls in production, patch public-facing systems fast, and keep logs where attackers cannot tamper with them.[12][13][14][15][16]

🧵 5/5