CoinMiner Attacks Exploiting GeoServer Vulnerability
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer is being actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux hosts running unpatched GeoServer installations. In South Korea, attackers exploited the vulnerability to execute PowerShell commands that installed NetCat for remote access and XMRig for cryptocurrency mining. The attack chain downloads malicious scripts, terminates competing miners, and establishes persistence through cron jobs. The threat actors mine Monero via pool.supportxmr.com and could use the installed NetCat to carry out further malicious activity.
OPENCTI LABELS :
powershell,remote code execution,xmrig,mirai,monero,coinminer,bash,netcat,condi,geoserver,cve-2024-36401,goreverse,sidewalk