CyberSecurity news

FlagThis - #iot

Pierluigi Paganini@Security Affairs //

SinoTrack GPS Devices Prone to Remote Control - CISA is warning of two vulnerabilities in SinoTrack GPS devices, which could allow attackers to remotely control vehicles and track their locations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.

The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences.

Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request.

Recommended read:
References :
  • hackread.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations.
  • securityaffairs.com: Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by attackers, US CISA warns.
  • The Hacker News: Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations.
  • ciso2ciso.com: CISA Warns of Remote Control Flaws in SinoTrack GPS Trackers – Source:hackread.com
  • thecyberexpress.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations
  • www.helpnetsecurity.com: SinoTrack GPS vulnerabilities may allow attackers to track, control vehicles
Pierluigi Paganini@Security Affairs //

PumaBot Botnet Targets Linux IoT Devices for Crypto Mining - PumaBot, a new botnet targeting Linux-based IoT devices, uses SSH brute-force attacks to steal credentials, spread malware, and mine cryptocurrency.
A new botnet, dubbed PumaBot, is actively targeting Linux-based IoT devices, posing a significant security risk. This Go-based malware is designed to steal SSH credentials through brute-force attacks, allowing it to spread malicious payloads and illicitly mine cryptocurrency. Unlike other botnets that perform broad internet scans, PumaBot employs a more targeted approach by retrieving lists of IP addresses from its command-and-control (C2) server, enabling it to focus its attacks on specific devices. This approach, coupled with its ability to impersonate legitimate system files, makes PumaBot a stealthy and dangerous threat to embedded Linux systems.

The attack begins with PumaBot attempting to brute-force SSH credentials on targeted devices, aiming to gain unauthorized access. Once inside, it establishes persistence using systemd service files, ensuring it survives reboots and remains active on the compromised device. To further mask its activities, PumaBot disguises itself as a legitimate Redis system file, attempting to blend in with normal system processes. After successfully gaining access to an infected system, it collects and exfiltrates basic system information to the C2 server, where it can receive commands to carry out its malicious objectives.

The primary goal of PumaBot appears to be cryptocurrency mining, as evidenced by the presence of "xmrig" and "networkxm" commands within its code. These commands suggest that compromised devices are being leveraged to generate illicit cryptocurrency gains for the botnet operators. Security experts also observed that the botnet performs checks to avoid honeypots and, curiously, looks for the string "Pumatronix," a surveillance and traffic camera manufacturer, hinting at a targeted or exclusionary approach. The discovery highlights the ongoing need for robust security measures for IoT devices, as they continue to be attractive targets for botnet recruitment and malicious activities.

Recommended read:
References :
  • ciso2ciso.com: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto – Source:thehackernews.com
  • Anonymous ???????? :af:: New PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto.
  • securityaffairs.com: New PumaBot targets Linux IoT surveillance devices
  • The Hacker News: New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto
  • BleepingComputer: A newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads.
  • gbhackers.com: New PumaBot Hijacks IoT Devices via SSH Brute-Force for Persistent Access
  • www.csoonline.com: Novel PumaBot slips into IoT surveillance with stealthy SSH break-ins
  • www.sentinelone.com: PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
  • securityonline.info: PumaBot: New Stealthy Linux Botnet Evades Detection, Targets IoT Devices
  • securityonline.info: PumaBot: New Stealthy Linux Botnet Evades Detection, Targets IoT Devices
Ashish Khaitan@The Cyber Express //

FBI Warns of EoL Routers Hacked for Proxy Networks - Threat actors are exploiting end-of-life routers to deploy malware, converting them into proxies sold on 5Socks and Anyproxy networks, prompting an FBI warning about the security risks of outdated devices.
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.

The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.

To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.

Recommended read:
References :
  • Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
  • BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
  • Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
  • www.scworld.com: Attacks surge against antiquated routers, FBI warns
  • bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
  • BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
  • www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
  • thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
  • The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
  • securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
  • securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
  • www.techradar.com: FBI warns outdated routers are being hacked
  • thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
  • BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
  • thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
  • techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
  • www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
  • www.csoonline.com: The FBI is warning that cybercriminals are exploiting that are no longer being patched by manufacturers. Specifically, the “5Socks†and “Anyproxy†criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, and Cradlepoint.
  • The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
  • iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
  • Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
  • The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
  • securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
  • Anonymous ???????? :af:: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
  • www.itpro.com: FBI takes down botnet exploiting aging routers
  • Threats | CyberScoop: US seizes Anyproxy, 5socks botnets and indicts alleged administrators
@cyberalerts.io //

Samsung MagicINFO Exploited To Deploy Mirai Botnet - Samsung’s MagicINFO 9 Server is under active exploitation due to an unauthenticated remote code execution (RCE) vulnerability (CVE-2024-7399) that allows hackers to deploy malware, including the Mirai botnet.
Cybersecurity researchers have confirmed that the Samsung MagicINFO 9 Server is under active exploitation, with hackers leveraging a remote code execution (RCE) vulnerability, CVE-2024-7399, to deploy the Mirai botnet. This vulnerability, a path traversal flaw, allows attackers to write arbitrary files as system authority, ultimately leading to remote code execution. The unauthenticated nature of the flaw exacerbates the risk, allowing threat actors to exploit systems without requiring any user credentials. The attacks target the file upload functionality in the MagicINFO 9 Server, intended for updating display content, but is being abused to upload malicious code and execute a shell script responsible for downloading the botnet.

The exploitation of CVE-2024-7399 began shortly after a proof-of-concept (PoC) exploit was made public. Arctic Wolf researchers have observed this exploitation in the wild, noting that the vulnerability allows for arbitrary file writing by unauthenticated users. This improper sanitation of filename input, without validating the file extension or checking for authentication, allows threat actors to upload JSP files and execute arbitrary code with system authority on vulnerable servers. While Samsung released a patch for this vulnerability in August 2024, many systems remain unpatched, leaving them vulnerable to these attacks.

The exploitation of the Samsung MagicINFO flaw is not an isolated incident; threat actors are also targeting GeoVision end-of-life (EoL) Internet of Things (IoT) devices to incorporate them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. Given the low barrier to exploitation, the availability of a public PoC, and the potential for widespread impact, organizations are strongly advised to update their Samsung MagicINFO Server instances to version 21.1050 and later, and implement the patch for CVE-2024-7399 immediately to mitigate potential operational impact.

Recommended read:
References :
  • Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • cyberinsider.com: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
  • thehackernews.com: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
  • www.bleepingcomputer.com: Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
  • arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • securityaffairs.com: Samsung MagicINFO flaw exploited days after PoC exploit publication
  • The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
  • www.helpnetsecurity.com: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
  • BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
  • CyberInsider: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
  • Help Net Security: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
  • Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • bsky.app: A Mirai botnet is exploiting a 2024 bug in MagicINFO, a Samsung digital signage system
  • BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
  • The DefendOps Diaries: Understanding and Mitigating the CVE-2024-7399 Vulnerability in Samsung MagicINFO 9 Server
  • The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
  • www.techradar.com: Top Samsung software hit by attackers to spread malware and hijack devices

Posts

Blogs

Research Tools