Chinese Hackers Exploit GeoServer Vulnerability to Deploy EAGLEDOOR in APAC Cyberattacks


SISA Weekly Threat Watch is our weekly feature that brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. Chinese Hackers Exploit Vulnerability to Deploy EAGLEDOOR in APAC Cyberattacks

A suspected China-based advanced persistent threat (APT) targeted a government organization in Taiwan and potentially other Asia-Pacific (APAC) countries. The attackers exploited a critical vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8), which was recently patched. Using spear-phishing emails, the attackers initiated a multi-stage infection chain that delivered Cobalt Strike and a new backdoor called EAGLEDOOR, designed for information gathering and payload deployment. Lure documents written in Simplified Chinese suggest China may have also been targeted, though it’s unclear which sectors were affected.

Researchers observed the use of advanced techniques like GrimResource and AppDomainManager injection, which deployed next-stage malware through decoy files. A similar activity cluster was reported by another cybersecurity researcher, linking the campaign to APT41. This cluster targeted Taiwan, the Philippine military, and Vietnamese energy organizations using identical spear-phishing and GeoServer exploitation techniques. The attackers’ Cobalt Strike command-and-control (C2) domains mimicked cloud service providers like AWS and Azure. EAGLEDOOR communicates with the C2 server via DNS, HTTP, TCP, and Telegram, with core operations managed through the Telegram Bot API.

To mitigate such attacks, organizations should patch critical vulnerabilities, implement multi-layered security, strengthen email security, segment networks, monitor for indicators of compromise (IoCs), and enforce least privilege access to limit potential damage from compromised accounts.

2. CVE-2024-8963: Critical Flaw in Ivanti Cloud Service Appliance Actively Exploited

Ivanti has disclosed a critical security flaw (CVE-2024-8963) in its Cloud Service Appliance (CSA), which is currently being actively exploited by threat actors. This vulnerability, with a CVSSv3 score of 9.4, allows remote attackers to access restricted functionality. When combined with another vulnerability (CVE-2024-8190, CVSS score 7.2), attackers can bypass admin authentication and execute arbitrary commands on vulnerable devices.

Ivanti confirmed that although CVE-2024-8963 was “incidentally addressed” in CSA 4.6 Patch 519 and CSA 5.0, attackers are leveraging both flaws to gain code execution. The affected products include all versions of CSA 4.6 before Patch 519. Organizations are strongly advised to upgrade to CSA 5.0 immediately. For those still using CSA 4.6, upgrading to Patch 519 is recommended as a temporary measure, though it should be noted that CSA 4.6 is end-of-life and no longer supported.

To mitigate this risk, organizations should upgrade to CSA 5.0 without delay to ensure full protection against these vulnerabilities.

3. CVE-2024-9014: Critical OAuth2 Vulnerability in pgAdmin Puts User Data at Risk

A critical vulnerability (CVE-2024-9014) has been identified in pgAdmin’s OAuth2 authentication system, potentially allowing attackers to gain unauthorized access to sensitive data. With a CVSSv3 score of 9.9, this flaw affects pgAdmin versions 8.11 and earlier. Users are strongly urged to update to the latest version to mitigate the risk.

pgAdmin is a popular open-source tool for managing PostgreSQL databases, offering a user-friendly interface for database management and operations. The vulnerability impacts the OAuth2 authentication mechanism, designed for secure system access without exposing sensitive credentials. Exploiting this flaw could enable attackers to access client IDs and secrets, putting user data and overall system security at risk.

The affected products include pgAdmin versions 8.11 and earlier. Users are advised to upgrade immediately to pgAdmin 4 version 8.12 to prevent potential exploitation. Additionally, implementing proactive monitoring and maintaining an effective patch management strategy are recommended to further enhance system security.

4. Python Packages Poisoned with PondRAT Malware Target Software Developers

North Korean-affiliated threat actors have been detected distributing a new malware variant named PondRAT through malicious Python packages on the PyPI repository, according to research by cybersecurity experts. PondRAT, a streamlined version of POOLRAT (also known as SIMPLESEA), is linked to the Lazarus Group, notorious for its involvement in last year’s 3CX supply chain attack. The ongoing campaign suggests evolving tactics in malware distribution targeting both Linux and macOS systems.

In this latest campaign, threat actors uploaded several malicious Python packages to PyPI, including “real-ids” (893 downloads), “coloredtxt” (381 downloads), “beautifultext” (736 downloads), and “minisound” (416 downloads). These packages, once downloaded, executed an encoded second-stage payload to deploy the PondRAT malware. The activity has been attributed, with moderate confidence, to a Lazarus Group subgroup known as Gleaming Pisces. The group is also tracked under names like Citrine Sleet, Labyrinth Chollima, and UNC4736, and has a history of distributing AppleJeus malware.

PondRAT, a lighter variant of POOLRAT, is capable of uploading and downloading files, executing commands, and pausing operations. The attack aims to compromise the supply chain by targeting developer endpoints, which could potentially lead to widespread network infections. Researchers found that the Linux and macOS versions of POOLRAT share almost identical code structures and methods for handling commands from the command-and-control (C2) server.

To mitigate such threats, organizations should enforce supply chain security measures, verify third-party packages before installation, implement robust endpoint protection for developer systems, deploy advanced monitoring systems, audit code and dependencies, and leverage threat intelligence services. For remote workers, thorough candidate verification is crucial to avoid infiltration through fraudulent applications, as seen in the “Famous Chollima” operation, where North Korean threat actors attempted to gain access to organizations by submitting fake resumes.
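As an added example (not part of the original advisory), the following Python sketch audits a requirements file and the current Python environment for the four package names listed above. The function names and the `SAMPLE` requirements text are constructed for illustration; names are compared after PEP 503 normalization so that variants such as `Real_IDs` still match.

```python
import re
from importlib import metadata

# Package names quoted in the advisory text above.
FLAGGED = {"real-ids", "coloredtxt", "beautifultext", "minisound"}

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase; runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

FLAGGED_NORM = {normalize(n) for n in FLAGGED}

# Leading project name of a requirement line (PEP 508 name grammar).
_NAME = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")

# Constructed sample input, not taken from any real project.
SAMPLE = """\
# constructed sample requirements file
requests==2.31.0
Real_IDs>=1.0          # case/underscore variant of a flagged name
-r other.txt
coloredtxt[extra]==0.3
beautifultext-extra==1.0
minisound
"""

def scan_requirements(text: str) -> list[tuple[int, str]]:
    """Return (line_number, normalized_name) for each flagged requirement."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # skip pip options (-r, --hash)
            continue
        m = _NAME.match(line)
        if m and normalize(m.group(1)) in FLAGGED_NORM:
            hits.append((lineno, normalize(m.group(1))))
    return hits

def scan_installed() -> list[tuple[str, str]]:
    """Return (name, version) for flagged distributions in this environment."""
    found = set()
    for dist in metadata.distributions():
        try:
            name = dist.metadata.get("Name")
        except Exception:  # unreadable metadata: skip this distribution
            continue
        if name and normalize(name) in FLAGGED_NORM:
            found.add((normalize(name), dist.version))
    return sorted(found)
```

Run `scan_requirements()` over each requirements or lock file in a repository and `scan_installed()` inside each virtual environment or build image; any hit on a developer endpoint warrants incident response, not just removal of the package.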

5. North Korean Cyber-Espionage Group Deploys MISTPEN Malware Targeting Energy, Aerospace Sectors

A North Korean cyber-espionage group has been identified using job-related phishing tactics to target individuals in the energy and aerospace sectors. The attackers deploy a newly discovered backdoor named MISTPEN as part of their campaign, tracked by cybersecurity researchers as UNC2970. This group shares similarities with TEMP.Hermit, widely known as the Lazarus Group or Diamond Sleet. The campaign, known as “Operation Dream Job,” targets senior- and manager-level employees using job-themed phishing tactics to gain access to highly sensitive information.

UNC2970 has focused its attacks on entities in the U.S., U.K., Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. The threat actors pose as recruiters, sending spear-phishing emails and WhatsApp messages to engage victims. Once trust is established, they deliver a malicious ZIP file disguised as a job description, which contains a modified version of Sumatra PDF. This trojanized viewer initiates the infection chain by executing a malicious DLL called TEARPAGE, which then decrypts and executes MISTPEN.

MISTPEN is a modified version of a legitimate Notepad++ plugin (“binhex.dll”), but it includes backdoor capabilities, allowing it to download and execute Portable Executable (PE) files from a command-and-control (C2) server. MISTPEN communicates using Microsoft Graph URLs over HTTP, making it more resistant to detection. Over time, the malware has evolved to include network connectivity checks and has shifted from using compromised WordPress websites as C2 domains to more sophisticated methods.

To defend against such attacks, organizations should enhance phishing awareness training, implement advanced email security solutions, enforce application whitelisting, deploy EDR tools to monitor for anomalous behavior, ensure all software is up-to-date, segment critical systems, and regularly audit for known C2 server communication patterns to block them at the firewall and network level.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch, our daily actionable threat advisories.

That's why it's very important to remove Chinese equipment from organization structure.


Major Gaurav Arya (Retd), Please comment on this on your YouTube channel.
