GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

What’s new: Multiple cybercrime campaigns are exploiting known vulnerabilities, particularly CVE-2024-36401, a critical remote code execution flaw in OSGeo GeoServer GeoTools, which has been weaponized since late 2024. Attackers are using compromised GeoServer instances to deploy executables that monetize victims’ bandwidth through stealthy methods. Additionally, a new IoT botnet named PolarEdge is leveraging vulnerabilities in enterprise-grade and consumer devices, while a Mirai variant called gayfemboy is targeting various systems for DDoS attacks and backdoor access. A cryptojacking campaign by TA-NATALSTATUS is also targeting exposed Redis servers to mine cryptocurrency.
Who’s affected
Over 7,100 publicly exposed GeoServer instances across 99 countries, including the U.S., China, and Germany, are at risk. The PolarEdge botnet has infected approximately 40,000 devices, primarily in South Korea, the U.S., and Hong Kong. The gayfemboy campaign targets a wide range of sectors globally, including manufacturing and technology. Redis servers that are unauthenticated and exposed on port 6379 are also vulnerable to cryptojacking.
What to do
- Patch and secure GeoServer instances against CVE-2024-36401 and other known vulnerabilities.
- Implement network segmentation and monitoring to detect unusual traffic patterns indicative of botnet activity.
- Secure Redis servers by disabling remote access and ensuring proper authentication mechanisms are in place.
- Regularly update and audit IoT devices to mitigate risks from botnets like PolarEdge and gayfemboy.
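One way to audit a Redis configuration for the exposure pattern this brief describes (reachable on all interfaces, protected mode off, no authentication), as an added example that is not part of the original brief; the two sample configs and the finding strings are constructed for illustration:

```python
# Added example: audit redis.conf text for the unauthenticated-exposure pattern.
# The sample configurations below are constructed, not taken from any real host.

WEAK_CONF = """\
# constructed sample: listens on every interface, protected mode off, no auth
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
# constructed sample: loopback only, protected mode on, password required
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
"""

# Addresses that make Redis listen on every interface ("-" prefix = optional bind)
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}

def parse_redis_conf(text):
    """Map each directive name to the list of argument lists it appeared with."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives

def audit_redis_conf(text):
    """Return a list of findings; an empty list means the three checks passed."""
    d = parse_redis_conf(text)
    findings = []
    bind_args = [a for args in d.get("bind", []) for a in args]
    # With no bind directive at all, Redis listens on all interfaces.
    if not bind_args or any(a.lstrip("-") in WILDCARD_BINDS for a in bind_args):
        findings.append("bind: reachable on all interfaces")
    protected = d.get("protected-mode", [["yes"]])[-1]   # last occurrence wins
    if protected and protected[0].lower() == "no":
        findings.append("protected-mode: disabled")
    has_password = any(args and args[0] for args in d.get("requirepass", []))
    has_acl = "user" in d or "aclfile" in d              # Redis 6+ ACL directives
    if not (has_password or has_acl):
        findings.append("auth: no requirepass or ACL configured")
    return findings
```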