CISA Shares Lessons Learned from an Incident Response Engagement
ID: 42465b56-eef3-5bb4-83f1-23305c1cbedc
STIX ID: report--42465b56-eef3-5bb4-83f1-23305c1cbedc
Feed Name: CISA Cybersecurity Advisories
**Executive Summary:** CISA responded to a multi-week compromise of an FCEB agency in which cyber threat actors exploited GeoServer CVE-2024-36401 to achieve remote code execution (RCE) on public-facing servers, used web shells and living-off-the-land techniques for persistence and discovery, deployed Stowaway as a proxy-based C2 channel, attempted privilege escalation (dirtycow), and moved laterally to internal web and SQL servers. The advisory includes MITRE ATT&CK mappings, IOCs, a timeline, and prioritized mitigations: immediate patching of KEV-listed vulnerabilities, incident response plan (IRP) testing, centralized logging, phishing-resistant MFA, and application allowlisting.
