Ashish Khaitan@The Cyber Express
//
The FBI has issued a warning regarding the increasing exploitation of end-of-life (EoL) routers by cybercriminals. These outdated devices, which no longer receive security updates from manufacturers, are being targeted with malware, most notably variants of TheMoon, to establish proxy networks. This allows malicious actors to mask their online activities and conduct illicit operations with anonymity. The FBI emphasizes that routers from 2010 or earlier are particularly vulnerable due to the absence of recent software updates, making them susceptible to known exploits.
The compromised routers are then incorporated into botnets and used as proxies, sold on networks like 5Socks and Anyproxy. This enables cybercriminals to route malicious traffic through these unsuspecting devices, obscuring their real IP addresses and making it difficult to trace their criminal activities. TheMoon malware exploits open ports on vulnerable routers, bypassing the need for passwords, and then connects to a command-and-control (C2) server for instructions. This process allows the malware to spread rapidly, infecting more routers and expanding the proxy network.
To mitigate this growing threat, the FBI advises users to replace EoL routers with actively supported models and apply all available firmware and security updates. Disabling remote administration and using strong, unique passwords are also crucial steps in securing network devices. Additionally, regularly rebooting routers can help flush out temporary malware behavior. The FBI's warning underscores the importance of maintaining up-to-date security measures on network hardware to prevent exploitation by cybercriminals seeking to anonymize their activities.
Recommended read:
References :
- Daily CyberSecurity: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
- The DefendOps Diaries: Exploitation of End-of-Life Routers: A Growing Cybersecurity Threat
- BleepingComputer: FBI: End-of-life routers hacked for cybercrime proxy networks
- Davey Winder: FBI Warns Of Router Attacks — Is Yours On The List Of 13?
- www.scworld.com: Attacks surge against antiquated routers, FBI warns
- bsky.app: The FBI IC3 has published a new PSA warning companies and home consumers that threat actors are exploiting old and outdated end-of-life routers to create massive botnets and that they should probably buy a new device
- BleepingComputer: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
- cyberinsider.com: FBI Warns Hackers Are Exploiting EoL Routers in Stealthy Malware Attacks
- www.bleepingcomputer.com: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxies sold on the 5Socks and Anyproxy networks.
- bsky.app: The FBI warns that threat actors are deploying malware on end-of-life (EoL) routers to convert them into proxiesÂ
sold on the 5Socks and Anyproxy networks.
- thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware. The warning also stresses the dramatic uptick in cyberattacks targeting aging internet routers, especially those deemed “End of Life†(EOL).
- thecyberexpress.com: TheMoon Malware Targets Aging Routers, FBI Issues Alert
- The Hacker News: BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation
- securityonline.info: FBI Warns: End-of-Life Routers Hijacked to Power Cybercriminal Proxy Networks
- securityaffairs.com: The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks.
- www.techradar.com: FBI warns outdated routers are being hacked
- thecyberexpress.com: The Federal Bureau of Investigation (FBI) has issued a warning about the TheMoon malware.
- BleepingComputer: Police dismantles botnet selling hacked routers as residential proxies
- thecyberexpress.com: Law Enforcement Takes Down Botnet Made Up of Thousands of End-Of-Life Routers
- techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- infosec.exchange: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- techcrunch.com: NEW: FBI and Dutch police seized and shut down a botnet made of hacked routers. U.S. authorities also indicted three Russians and a Kazakhstan national for hacking the devices, running the botnet, and selling access to it as a service.
- www.justice.gov: A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire that was comprised of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.
- www.csoonline.com: The FBI is warning that cybercriminals are exploiting that are no longer being patched by manufacturers. Specifically, the “5Socks†and “Anyproxy†criminal networks are using publicly available exploits and injecting persistent malware to gain entry to obsolete routers from Linksys, and Cradlepoint.
- The Register - Security: The FBI also issued a list of end-of-life routers you need to replace Earlier this week, the FBI urged folks to bin aging routers vulnerable to hijacking, citing ongoing attacks linked to TheMoon malware. In a related move, the US Department of Justice unsealed indictments against four foreign nationals accused of running a long-running proxy-for-hire network that exploited outdated routers to funnel criminal traffic.…
- iHLS: FBI Warns: Old Routers Exploited in Cybercrime Proxy Networks
- Peter Murray: FBI and Dutch police seize and shut down botnet of hacked routers
- The DefendOps Diaries: Explore the dismantling of the Anyproxy botnet and the global efforts to secure digital infrastructure against cybercrime.
- securityaffairs.com: Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services
- Anonymous ???????? :af:: BREAKING: $46M cybercrime empire busted. FBI & Dutch forces take down a botnet run on hacked home routers—active since 2004.
- www.itpro.com: FBI takes down botnet exploiting aging routers
- Threats | CyberScoop: US seizes Anyproxy, 5socks botnets and indicts alleged administrators
@cyberalerts.io
//
Cybersecurity researchers have confirmed that the Samsung MagicINFO 9 Server is under active exploitation, with hackers leveraging a remote code execution (RCE) vulnerability, CVE-2024-7399, to deploy the Mirai botnet. This vulnerability, a path traversal flaw, allows attackers to write arbitrary files as system authority, ultimately leading to remote code execution. The unauthenticated nature of the flaw exacerbates the risk, allowing threat actors to exploit systems without requiring any user credentials. The attacks target the file upload functionality in the MagicINFO 9 Server, intended for updating display content, but is being abused to upload malicious code and execute a shell script responsible for downloading the botnet.
The exploitation of CVE-2024-7399 began shortly after a proof-of-concept (PoC) exploit was made public. Arctic Wolf researchers have observed this exploitation in the wild, noting that the vulnerability allows for arbitrary file writing by unauthenticated users. This improper sanitation of filename input, without validating the file extension or checking for authentication, allows threat actors to upload JSP files and execute arbitrary code with system authority on vulnerable servers. While Samsung released a patch for this vulnerability in August 2024, many systems remain unpatched, leaving them vulnerable to these attacks.
The exploitation of the Samsung MagicINFO flaw is not an isolated incident; threat actors are also targeting GeoVision end-of-life (EoL) Internet of Things (IoT) devices to incorporate them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. Given the low barrier to exploitation, the availability of a public PoC, and the potential for widespread impact, organizations are strongly advised to update their Samsung MagicINFO Server instances to version 21.1050 and later, and implement the patch for CVE-2024-7399 immediately to mitigate potential operational impact.
Recommended read:
References :
- Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
- arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
- cyberinsider.com: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
- thehackernews.com: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
- www.bleepingcomputer.com: Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
- arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
- securityaffairs.com: Samsung MagicINFO flaw exploited days after PoC exploit publication
- The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
- www.helpnetsecurity.com: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
- BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
- CyberInsider: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
- Help Net Security: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
- Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
- bsky.app: A Mirai botnet is exploiting a 2024 bug in MagicINFO, a Samsung digital signage system
- BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
- The DefendOps Diaries: Understanding and Mitigating the CVE-2024-7399 Vulnerability in Samsung MagicINFO 9 Server
- The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
- www.techradar.com: Top Samsung software hit by attackers to spread malware and hijack devices
Kirsten Doyle@informationsecuritybuzz.com
//
Millions of RSA encryption keys are vulnerable to attack due to a significant security flaw. New research indicates that roughly 1 in 172 online certificates are susceptible to compromise via a mathematical attack. This vulnerability primarily affects Internet of Things (IoT) devices, but it can pose a risk to any system utilizing improperly generated RSA keys. The root cause lies in poor random number generation during the key creation process.
The flaw occurs because keys sometimes share prime factors with other keys. If two keys share a prime factor, both can be broken by computing the Greatest Common Divisor (GCD). According to researchers, with modest resources, hundreds of millions of RSA keys used to protect real-world internet traffic can be obtained. Using a single cloud-hosted virtual machine and a well-studied algorithm, over one in 200 certificates can be compromised within days.
Recommended read:
References :
- Information Security Buzz: Massive RSA Encryption Flaw Exposes Millions of IoT Devices to Attack
- Davey Winder: Millions Of Internet Encryption Keys At Risk Despite 2019 Warning
- www.itpro.com: Millions of RSA encryption keys could be vulnerable to attack
@borncity.com
//
A series of security vulnerabilities has been uncovered in the widely used ESP32 microchip, a product of Chinese company Espressif Systems. This chip, found in over a billion devices as of 2023, is commonly utilized for Wi-Fi and Bluetooth connectivity in numerous IoT devices. Researchers at Tarlogic Security have detected undocumented commands within the ESP32's Bluetooth firmware, potentially creating a backdoor that could be exploited for cyberattacks. These hidden manufacturer-specific commands, identified as opcode 0x3F, enable low-level control over Bluetooth functions.
These vulnerabilities pose significant risks, potentially allowing malicious actors to impersonate known devices, even in offline mode. This could lead to the infection of sensitive devices like cell phones, computers, smart locks, and medical equipment, bypassing existing code audit controls. By exploiting these undocumented commands, attackers could gain unauthorized access to confidential information stored on these devices, enabling the spying on personal and business conversations. The potential for remote code execution via wireless interfaces makes this a high-severity issue.
Recommended read:
References :
- gbhackers.com: Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code
- www.cysecurity.news: Undocumented ESP32 Commands Pose Security Risks, Researchers Warn
- borncity.com: Tarlogic Security detects unknown commands in ESP32 chip (BlueTooth, WiFi)
- DAY[0]: Discussion on the ESP32 "backdoor" drama
MSSP Alert@MSSP feed for Latest
//
Multiple Mirai-based botnets have been actively exploiting a zero-day vulnerability, tracked as CVE-2025-1316, in Edimax IP cameras for nearly a year. The attacks targeting these vulnerable cameras began around May of last year, with intrusions observed by security researchers. While initial exploitation occurred in May, there was a pause before a resurgence in activity in September and again from January to February.
The attackers are leveraging default credentials on the Edimax devices to deploy the Mirai malware. A proof-of-concept exploit has been available since June 2023, suggesting possible earlier attack attempts. Edimax disclosed that a patch for the zero-day is not possible, because the affected IP cameras have reached end-of-life over 10 years ago and the source code and development environment are no longer available. Therefore, organizations are urged to ensure they are using up-to-date software and firmware on their devices to prevent botnet compromise.
Recommended read:
References :
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months. The earliest evidence of exploitation was traced back to October of last year, although public proof-of-concept had been available for over a year before that
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months. The earliest evidence of exploitation was traced back to October of last year, although public proof-of-concept had been available for over a year before that
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks involve leveraging default credentials to facilitate the deployment of Mirai, known for orchestrating distributed denial-of-service (DDoS) attacks.
Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras are end-of-life for over 10 years and they are unable to provide patches. Organizations are urged to update software and firmware.
Recommended read:
References :
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
- chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
- securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO,Â
and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog
Matan Mittelman@Cato Networks
//
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.
This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.
Recommended read:
References :
- bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
- Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
- securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
- Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
- The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
- CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
- Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
- www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
- www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
- community.emergingthreats.net: The Ballista Botnet: a new IoT threat with italian roots
- www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
- securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
- Schneier on Security: TP-Link Router Botnet
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.
Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity & Infrastructure Agency (CISA), who attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.
Recommended read:
References :
- securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
- www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
- securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
- The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
- www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
- www.scworld.com: Edimax IP camera zero-day
- gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
- MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
- www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
- bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.
|
|