
U.S. federal civilian executive branch agency hit by network compromise

Type: Incident
Happening score: 43
Sources: 2 unique sources, 2 articles

Summary


An unnamed U.S. federal civilian executive branch agency was breached after attackers exploited CVE-2024-36401 in GeoServer, then used the foothold to move laterally to a web server and an SQL server. CISA said the activity remained undetected for three weeks and that the agency's weak incident response, logging, and patching slowed containment. The attackers used Burp Suite for scanning, China Chopper web shells, brute-force password attacks, and Stowaway for C2 traffic.

Related Happenings

Shadow-Aether-040 AI-augmented campaign against Mexican government entities

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **Shadow-Aether-040** campaign used **AI agents** and custom tooling to compromise **six government entities in Mexico**, increasing the risk of follow-on intrusion and **data...

CISA KEV order for Copy Fail on federal Linux devices

Public Sector Action
First: 08.05.2026 10:45 Last: 08.05.2026 10:45 Sources 1

About this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...

CISA KEV listing and FCEB firewall directive for CVE-2026-0300

Public Sector Action
First: 07.05.2026 13:57 Last: 07.05.2026 13:57 Sources 1

About this happening: **CISA** added **CVE-2026-0300** to the **KEV Catalog** and ordered **FCEB agencies** to secure vulnerable firewalls by **May 9, 2026**. The federal directive makes the exploited...

CISA KEV listing and FCEB patch order for Ivanti EPMM

Public Sector Action
First: 08.04.2026 21:15 Last: 08.04.2026 21:15 Sources 1

About this happening: **CISA** added **CVE-2026-1340** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Ivanti Endpoint Manager Mobile (EPMM)** by **Saturday midnight, April 11**, forcin...

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First: 07.04.2026 18:51 Last: 07.04.2026 18:51 Sources 1

About this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...

Timeline

  1. 23.09.2025 18:07 1 article · 8mo ago

    CVE-2024-36401 attacks observed

    Exploitation Observed

    Threat monitoring observed CVE-2024-36401 attacks against exposed GeoServer servers starting on July 9, 2024, while OSINT search tracking showed more than 16,000 GeoServer servers exposed online.

  2. 23.09.2025 18:07 1 article · 8mo ago

    EDR flags malware on SQL Server

    Detection / IoC Update

    The unnamed U.S. federal civilian executive branch agency's Endpoint Detection and Response (EDR) tool flagged suspected malware on an SQL Server on July 31, 2024, and the SOC isolated the server and launched an investigation with CISA's assistance.

  3. 23.09.2025 18:07 3 articles · 8mo ago

    CISA discloses federal agency breach

    Initial Disclosure

    CISA publicly disclosed that attackers breached the network of an unnamed U.S. federal civilian executive branch agency after compromising an unpatched GeoServer instance tied to CVE-2024-36401, and urged defenders to patch critical vulnerabilities, monitor EDR alerts, and strengthen incident response.
