Chinese Hackers Exploit GeoServer Flaw to Launch Attacks

A cyber espionage group suspected to be operating from China has launched targeted attacks on a Taiwanese government organization and possibly other countries in the Asia-Pacific (APAC) region by exploiting a recently patched security vulnerability in OSGeo GeoServer GeoTools.

The attack, identified by researchers in July 2024, has been attributed to an advanced persistent threat (APT) group known as Earth Baxia. The group primarily targeted government agencies, telecommunications companies, and energy sectors in countries such as Taiwan, South Korea, Vietnam, Thailand, and the Philippines.

The attackers used spear-phishing emails containing decoy documents in combination with a critical vulnerability (CVE-2024-36401) in GeoServer, which scored a 9.8 on the CVSS scale, to deliver Cobalt Strike—a tool commonly used for post-exploitation activities—and a newly discovered backdoor malware named EAGLEDOOR. This malware facilitates information gathering and the deployment of additional payloads.

The multi-stage attack chain utilizes advanced techniques such as GrimResource and AppDomainManager injection to stealthily deliver secondary malware. One of the methods involves embedding a malicious MSC file named RIPCOY within a ZIP attachment, aiming to bypass security defenses and download more malware.
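The GrimResource delivery path described above hinges on a Microsoft Management Console (.msc) file hidden inside a ZIP attachment. As an added example that is not part of the article or any vendor report, the following mail-gateway style check unpacks an attachment in memory and reports any .msc member, descending into nested ZIPs (a common way to keep the console file out of a shallow scan). The sample attachment, its member names and the placeholder file contents are constructed for the demonstration; only the file name RIPCOY comes from the article.

```python
import io
import zipfile

# File extensions that MMC will open as a console file (the GrimResource lure type).
CONSOLE_EXTENSIONS = (".msc",)
# Do not keep unpacking archives nested deeper than this (assumed limit; guards against
# decompression-bomb style nesting while still catching a double-wrapped lure).
MAX_DEPTH = 3


def find_console_files(archive_bytes, depth=0, prefix=""):
    """Return the paths of every .msc member found in a ZIP, including members of
    nested ZIP archives; a non-ZIP input yields an empty list."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            name = info.filename.lower()
            if name.endswith(CONSOLE_EXTENSIONS):
                # Catches plain "x.msc" as well as double extensions such as "x.pdf.msc".
                hits.append(path)
            elif name.endswith(".zip"):
                hits.extend(find_console_files(zf.read(info), depth + 1, path + "/"))
    return hits


def build_sample_attachment():
    """Constructed sample: a decoy PDF beside a nested ZIP that carries RIPCOY.msc.
    The file contents are placeholders, not real console or PDF data."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("RIPCOY.msc", "<?xml version='1.0'?><placeholder/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Agenda.pdf", b"%PDF-1.4 placeholder")
        z.writestr("attachments.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for hit in find_console_files(build_sample_attachment()):
        print("console file in attachment:", hit)
```

A gateway would normally quarantine on any hit rather than inspect the console file's content, since a legitimate business reason to e-mail an .msc file is rare.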

A recent report also detailed another campaign by a related group, which used similar tactics to target military and energy sectors in Taiwan, the Philippines, and Vietnam. The common use of Cobalt Strike command-and-control (C2) domains mimicking well-known cloud services such as Amazon Web Services and Microsoft Azure suggests a possible connection between the two threat groups.

The objective of these attacks is to deploy a modified version of Cobalt Strike, which then activates the EAGLEDOOR backdoor via DLL side-loading. This sophisticated malware is capable of communicating with its command server using multiple protocols, including DNS, HTTP, TCP, and Telegram. While the first three are used for status updates, the core operations are conducted through the Telegram Bot API, enabling file transfers and additional payload execution. The stolen data is then exfiltrated using curl.exe.
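Two behaviours in the preceding paragraphs are straightforward to hunt for in outbound-connection telemetry: C2 domains that imitate Amazon Web Services or Microsoft Azure, and EAGLEDOOR's use of the Telegram Bot API and curl.exe. The following script is an added example, not code from the article or from any vendor, and runs three rules over a handful of constructed log lines. The log layout, the host and process names, the look-alike domains and the allow-list of legitimate provider suffixes are all assumptions for illustration; a real deployment would feed it proxy or EDR network events and its own domain inventory.

```python
import re
from dataclasses import dataclass

# Hostnames that genuinely belong to the impersonated providers (assumed
# allow-list; a real deployment would load this from its own inventory).
LEGIT_SUFFIXES = (".amazonaws.com", ".amazon.com", ".azure.com",
                  ".microsoft.com", ".windows.net")
# Brand tokens a look-alike C2 domain is likely to reuse.
LOOKALIKE_TOKENS = ("amazon", "aws", "azure", "microsoft")
TELEGRAM_API = "api.telegram.org"
# Processes from which a Telegram connection is expected (assumption).
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}

# Assumed log layout: one outbound connection per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) method=(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample telemetry; hosts, processes and domains are invented.
SAMPLE_LOG = [
    "2024-07-15T08:01:02Z host=WS-17 proc=msedge.exe dst=api.telegram.org method=GET bytes=512",
    "2024-07-15T08:03:10Z host=WS-17 proc=updater.exe dst=api.telegram.org method=POST bytes=2048",
    "2024-07-15T08:05:44Z host=WS-17 proc=curl.exe dst=files.aws-cdn-sync.example method=POST bytes=18400000",
    "2024-07-15T08:06:00Z host=WS-22 proc=chrome.exe dst=s3.eu-west-1.amazonaws.com method=GET bytes=4096",
    "2024-07-15T08:07:30Z host=WS-22 proc=powershell.exe dst=login.azure-portal-auth.example method=GET bytes=900",
    "garbled line that does not match the expected layout",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def is_lookalike_cloud_domain(fqdn):
    """True when a hostname borrows a cloud-provider brand but is not under
    that provider's real suffix."""
    fqdn = fqdn.lower().rstrip(".")
    for suffix in LEGIT_SUFFIXES:
        if fqdn == suffix[1:] or fqdn.endswith(suffix):
            return False
    return any(tok in fqdn for tok in LOOKALIKE_TOKENS)


def analyse(lines):
    """Apply the three hunting rules to each parsable log line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not treated as findings
        f = m.groupdict()
        proc, dst = f["proc"].lower(), f["dst"].lower()
        # Rule 1: Telegram Bot API reached by something other than a known client.
        if dst == TELEGRAM_API and proc not in EXPECTED_TELEGRAM_CLIENTS:
            findings.append(Finding(f["ts"], f["host"], "telegram-bot-c2", f"{proc} -> {dst}"))
        # Rule 2: curl.exe pushing data out of the host.
        if proc == "curl.exe" and f["method"].upper() == "POST":
            findings.append(Finding(f["ts"], f["host"], "curl-exfil", f"{f['bytes']} bytes -> {dst}"))
        # Rule 3: destination imitates AWS or Azure.
        if is_lookalike_cloud_domain(dst):
            findings.append(Finding(f["ts"], f["host"], "cloud-lookalike-c2", dst))
    return findings


def summarise(lines):
    """Count findings per rule, which is what an analyst triage view would show."""
    counts = {}
    for finding in analyse(lines):
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(f"{finding.ts} {finding.host} [{finding.rule}] {finding.detail}")
    print(summarise(SAMPLE_LOG))
```

Rule 3 is intentionally a substring heuristic: it will flag some benign third-party domains that mention a provider, so in practice it feeds a triage queue rather than a block list, while rule 1 is high-fidelity on fleets where no Telegram desktop client is deployed.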

This coordinated campaign reflects the attackers’ ability to adapt and innovate, using both publicly available cloud services to host malicious files and a variety of communication methods to maintain persistence and evade detection.

To mitigate the risk of such sophisticated attacks, organizations should prioritize timely patching of vulnerabilities and conduct regular security assessments. Additionally, employing network segmentation, intrusion detection systems, and regular monitoring of C2 activity can help identify and contain potential breaches.