U.S. tech firms, Indian IT service providers, Brazilian and Thai telecommunications firms, and Belgian government organizations have been compromised with several malicious payloads as part of separate attack campaigns exploiting the critical GeoServer GeoTools remote code execution flaw, tracked as CVE-2024-36401, which has been added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog in July, according to The Hacker News.
Intrusions leveraging the vulnerability have facilitated the distribution of not only the GOREVERSE reverse proxy server but also the Condi malware, the Mirai botnet variant Jenx, and four other cryptocurrency mining payloads, as well as the advanced SideWalk Linux backdoor linked to Chinese state-backed threat group APT41, a report from Fortinet FortiGuard Labs showed. Attackers' primary targeting of South America, Europe, and Asia "suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas," said researchers.
