[Infographic: CISA-reported breach timeline. July 11 GeoServer exploit (CVE-2024-36401); persistence via webshells and cron jobs; lateral movement to SQL server; July 31 EDR detection; icons for tools such as dirtycow, Stowaway, and security]

CISA's advisory reveals that threat actors compromised a U.S. federal agency's network through CVE-2024-36401, a critical GeoServer remote code execution flaw caused by eval injection (CWE-95), and went undetected for three weeks. The breach began on July 11, 2024, on a public-facing GeoServer instance; CISA added the CVE to its KEV catalog on July 15, although the flaw had been disclosed on June 30. A second instance was compromised on July 24, with the actors using Burp Suite, fscan, and linux-exploit-suggester2.pl for reconnaissance.


The actors maintained persistence with China Chopper webshells and cron jobs, escalated privileges with dirtycow (CVE-2016-5195), and deployed RingQ for evasion and Stowaway for command and control on ports 4441 and 50012. They moved laterally to a web server and a SQL server, uploading shells and scripts, running discovery commands (whoami, systeminfo), enabling cmdshell on the SQL server, and downloading files with PowerShell and bitsadmin, taking advantage of web servers that lacked endpoint protection.


EDR flagged a suspicious 1.txt file on July 31; an earlier EDR alert for Stowaway on July 15 had gone unaddressed. Lessons: patch KEV vulnerabilities immediately, improve incident response procedures for third-party access, and monitor EDR alerts continuously. The incident exposes gaps in federal vulnerability management and response.
 