GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

What’s new: Cybersecurity researchers have identified multiple campaigns exploiting known vulnerabilities, particularly CVE-2024-36401, a critical remote code execution flaw in OSGeo GeoServer GeoTools. Attackers are using this vulnerability to deploy SDKs that monetize victims’ bandwidth through residential proxies. Additionally, a large-scale IoT botnet named PolarEdge has emerged, utilizing compromised devices for covert operations. Another campaign, involving the Mirai variant known as gayfemboy, targets various system architectures and sectors, while a cryptojacking group, TA-NATALSTATUS, is exploiting exposed Redis servers for cryptocurrency mining.

Who’s affected

Over 7,100 publicly exposed GeoServer instances across 99 countries, particularly in China, the United States, Germany, Great Britain, and Singapore. The PolarEdge botnet has infected around 40,000 devices, primarily in South Korea, the United States, Hong Kong, Sweden, and Canada. The gayfemboy campaign affects various sectors including manufacturing and technology, while TA-NATALSTATUS targets exposed Redis servers globally.

What to do

  • Patch GeoServer instances to mitigate CVE-2024-36401 and ensure they are not publicly exposed.
  • Monitor network traffic for unusual activity indicative of botnet behavior or unauthorized access.
  • Implement security measures for Redis servers, including authentication and firewall rules to restrict access.
  • Regularly update and secure IoT devices to prevent exploitation by botnets like PolarEdge and gayfemboy.
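To make the Redis item above concrete, here is an added example (not code from the report or from any of the campaigns it describes): a small Python audit of a redis.conf that flags the three exposure settings an opportunistic cryptojacking campaign relies on, namely a listener on all interfaces, protected-mode switched off, and no authentication. The two configuration texts are constructed samples.

```python
from typing import Dict, List

# Address forms that make Redis listen on every interface (Redis 7 accepts '*' and '-::*').
ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its values; directives such as 'user' may repeat."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of exposure findings; an empty list means none of the checks fired."""
    conf = parse_redis_conf(text)
    findings: List[str] = []
    # Without a 'bind' line Redis listens everywhere; the last 'bind' line wins.
    addrs = [a.lstrip("-") for a in conf.get("bind", ["*"])[-1].split()]
    if any(a in ALL_INTERFACES for a in addrs):
        findings.append("bind: listens on all interfaces; bind to loopback or an internal address")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: remote clients are accepted without any safeguard")
    # Authentication is satisfied by a non-empty requirepass, an ACL user with a password, or an aclfile.
    has_password = any(v.strip("\"'") for v in conf.get("requirepass", []))
    acl_users = conf.get("user", [])
    acl_auth = any(">" in u or "#" in u for u in acl_users) or "aclfile" in conf
    if not (has_password or acl_auth):
        findings.append("no requirepass or ACL user: anyone who can reach the port has full access")
    if any(u.split()[0] == "default" and "nopass" in u.split() for u in acl_users):
        findings.append("default user is nopass: passwords on other users are bypassed")
    return findings


# Constructed sample: a typical out-of-the-box exposure.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same server restricted to loopback with a password set.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

The audit only reads configuration text; pair it with a firewall rule that limits port 6379 to the hosts that actually need it, since a correct redis.conf does not protect a server that is reachable from the internet by mistake.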

Sources