GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
What’s new: Cybersecurity researchers have identified multiple campaigns exploiting known vulnerabilities, most notably CVE-2024-36401, a critical remote code execution flaw in the GeoTools library used by OSGeo GeoServer. Attackers are also abusing compromised and exposed Redis servers for a range of malicious activity, including recruiting hosts into IoT botnets and running cryptocurrency miners. The PolarEdge botnet has been observed compromising both enterprise-grade firewalls and consumer devices, while a new Mirai variant, dubbed “gayfemboy,” targets multiple CPU architectures across several countries. Separately, a cryptojacking campaign attributed to TA-NATALSTATUS exploits exposed Redis servers to deploy cryptocurrency miners.
Who’s affected
Organizations with publicly exposed GeoServer instances and Redis servers are at risk. Over 7,100 GeoServer instances are exposed globally, with significant numbers in China, the U.S., Germany, Great Britain, and Singapore. The PolarEdge botnet has infected approximately 40,000 devices, primarily in South Korea, the U.S., Hong Kong, Sweden, and Canada. The gayfemboy campaign targets various sectors, including manufacturing and technology, across countries such as Brazil, Mexico, and Germany.
What to do
- Patch GeoServer to a release that closes CVE-2024-36401 (2.23.6, 2.24.4, 2.25.2 or later) and remove Internet exposure of Redis: set a password (requirepass), keep protected-mode enabled, and bind only to internal interfaces.
- Segment networks and monitor for traffic patterns indicative of botnet activity, such as IoT devices or servers opening outbound connections to unfamiliar hosts or scanning internal ranges.
- Regularly audit firewall rules so that GeoServer admin and REST endpoints and the Redis port (6379 by default) are reachable only from trusted sources.
- Employ threat intelligence to stay informed about emerging malware and attack vectors.
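The first and third recommendations above can be turned into a quick, repeatable audit. The following Python block is an added example, not code from the original brief or from the GeoServer or Redis projects. It assumes two inputs: the JSON returned by GeoServer's `/geoserver/rest/about/version.json` endpoint (the sample is constructed to mirror that endpoint's shape) and a dictionary of Redis settings as returned by `CONFIG GET` (also constructed). The fixed-version table follows the GeoServer advisory for CVE-2024-36401 (2.23.6, 2.24.4, 2.25.2); older lines received no fix, and 2.26 and later ship with it.

```python
"""Audit helpers for the remediation list above (added example, not the
brief's own code): decide whether a GeoServer build still carries
CVE-2024-36401, and flag the Redis settings that leave an instance open
to the botnet and cryptojacking campaigns described."""
import json
import re

# Earliest fixed release on each line maintained when the advisory shipped.
GEOSERVER_FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# Bind targets that mean "every interface" in redis.conf syntax.
REDIS_WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}

# Constructed sample resembling /geoserver/rest/about/version.json output.
SAMPLE_ABOUT_JSON = json.dumps({"about": {"resource": [
    {"@name": "GeoServer", "Version": "2.25.1"},
    {"@name": "GeoTools", "Version": "31.1"},
]}})

# Constructed Redis configurations: the weak defaults attackers look for,
# and a hardened equivalent.
WEAK_REDIS = {"protected-mode": "no", "requirepass": "", "bind": "0.0.0.0"}
HARDENED_REDIS = {"protected-mode": "yes", "requirepass": "rotate-me",
                  "bind": "127.0.0.1 -::1"}


def parse_version(text):
    """Turn '2.25.1' (optionally followed by a suffix) into (2, 25, 1)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def geoserver_vulnerable(version):
    """True if this GeoServer version predates the fix for CVE-2024-36401."""
    v = parse_version(version)
    line = v[:2]
    if line in GEOSERVER_FIXED:
        return v < GEOSERVER_FIXED[line]
    # Lines before 2.23 never received a patch; 2.26+ were released fixed.
    return line < (2, 23)


def geoserver_version_from_rest(about_json):
    """Extract the GeoServer version from the about/version REST payload."""
    data = json.loads(about_json)
    for res in data["about"]["resource"]:
        if res.get("@name") == "GeoServer":
            return res["Version"]
    raise KeyError("GeoServer resource missing from about/version payload")


def redis_findings(config):
    """Return a list of exposure findings for a CONFIG GET-style dict."""
    findings = []
    if config.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")
    if not config.get("requirepass"):
        findings.append("no requirepass set: unauthenticated access")
    bind = config.get("bind", "").split()
    # An empty bind list, or any wildcard entry, listens on all interfaces.
    if not bind or any(b.lstrip("-") in REDIS_WILDCARD_BINDS for b in bind):
        findings.append("bound to all interfaces")
    return findings


if __name__ == "__main__":
    ver = geoserver_version_from_rest(SAMPLE_ABOUT_JSON)
    print(f"GeoServer {ver}: vulnerable={geoserver_vulnerable(ver)}")
    for label, cfg in (("weak", WEAK_REDIS), ("hardened", HARDENED_REDIS)):
        print(f"Redis ({label}): {redis_findings(cfg) or ['no findings']}")
```

Run it against the real endpoint by replacing `SAMPLE_ABOUT_JSON` with the response from an authenticated request to `/geoserver/rest/about/version.json`, and feed `redis_findings` the output of `redis-cli CONFIG GET protected-mode`, `requirepass` and `bind`. A version check is a necessary but not sufficient control: an instance on a fixed release is still a target if its admin interface is reachable from the Internet.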