FlagThis - #samsung

Cybersecurity researchers have confirmed that the Samsung MagicINFO 9 Server is under active exploitation, with hackers leveraging a remote code execution (RCE) vulnerability, CVE-2024-7399, to deploy the Mirai botnet. This vulnerability, a path traversal flaw, allows attackers to write arbitrary files as system authority, ultimately leading to remote code execution. The unauthenticated nature of the flaw exacerbates the risk, allowing threat actors to exploit systems without requiring any user credentials. The attacks target the file upload functionality in the MagicINFO 9 Server, intended for updating display content, but is being abused to upload malicious code and execute a shell script responsible for downloading the botnet.

The exploitation of CVE-2024-7399 began shortly after a proof-of-concept (PoC) exploit was made public. Arctic Wolf researchers have observed this exploitation in the wild, noting that the vulnerability allows for arbitrary file writing by unauthenticated users. This improper sanitation of filename input, without validating the file extension or checking for authentication, allows threat actors to upload JSP files and execute arbitrary code with system authority on vulnerable servers. While Samsung released a patch for this vulnerability in August 2024, many systems remain unpatched, leaving them vulnerable to these attacks.

The exploitation of the Samsung MagicINFO flaw is not an isolated incident; threat actors are also targeting GeoVision end-of-life (EoL) Internet of Things (IoT) devices to incorporate them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. Given the low barrier to exploitation, the availability of a public PoC, and the potential for widespread impact, organizations are strongly advised to update their Samsung MagicINFO Server instances to version 21.1050 and later, and implement the patch for CVE-2024-7399 immediately to mitigate potential operational impact.


References :

• Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
• arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
• cyberinsider.com: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
• thehackernews.com: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
• www.bleepingcomputer.com: Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
• arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
• securityaffairs.com: Samsung MagicINFO flaw exploited days after PoC exploit publication
• The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
• www.helpnetsecurity.com: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
• BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
• CyberInsider: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
• Help Net Security: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
• Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
• bsky.app: A Mirai botnet is exploiting a 2024 bug in MagicINFO, a Samsung digital signage system
• BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
• The DefendOps Diaries: Understanding and Mitigating the CVE-2024-7399 Vulnerability in Samsung MagicINFO 9 Server
• The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
• www.techradar.com: Top Samsung software hit by attackers to spread malware and hijack devices

Classification:

• HashTags: #RCE #IoT #MiraiBotnet
• Company: Samsung
• Target: Samsung MagicINFO 9 Servers
• Product: MagicINFO 9 Server
• Feature: Remote Code Execution
• Malware: Mirai
• Type: Vulnerability
• Severity: Critical