Ethical Hacking News
Hackers Corral GeoVision IoT Devices into Mirai Botnet via Exploited Samsung MagicINFO Flaw
In an alarming turn of events, hackers have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices and Samsung MagicINFO servers to deploy a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity was first detected by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involving two operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120) that could be used to execute arbitrary system commands.
The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices, injecting commands into the szSrvIpAddr parameter. The campaign illustrates the persistent risk posed by unpatched and unpatchable IoT devices and the need for their owners to prioritize securing them. In this article, we will explore the details of the campaign and provide recommendations on how to secure affected systems.
Hackers are exploiting security flaws in GeoVision EoL IoT devices to join them into a Mirai botnet for DDoS attacks. The exploit targets two operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120) that can execute arbitrary system commands. A separate campaign involves exploiting a Samsung MagicINFO flaw (CVE-2024-7399) to deliver the Mirai botnet. The Mirai botnet is known for conducting DDoS attacks on high-profile targets such as hospitals and banks. Users are advised to upgrade to newer models or keep systems and firmware up-to-date with the latest patches and security updates.
Hackers have recently been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first detected by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command injection flaws (CVE-2024-6047 and CVE-2024-11120, CVSS scores: 9.8) that could be used to execute arbitrary system commands.
The exploit targets the /DateSetting.cgi endpoint in GeoVision IoT devices and injects commands into the szSrvIpAddr parameter. According to Akamai researcher Kyle Lefton, "One of the most effective ways for cybercriminals to start assembling a botnet is to target poorly secured and outdated firmware on older devices." The affected GeoVision devices are unlikely to receive new patches because they are end-of-life products.
Samsung MagicINFO Flaw Exploited in Mirai Attacks
A separate campaign, detected by Arctic Wolf, involves the exploitation of CVE-2024-7399 (CVSS score: 8.8), a path traversal flaw in Samsung MagicINFO 9 Server that could enable an attacker to write arbitrary files as system authority, to deliver the Mirai botnet. While the issue was addressed by Samsung in August 2024, it has since been weaponized by attackers following the release of a proof-of-concept (PoC) on April 30, 2025.
The vulnerability allows unauthenticated users to write arbitrary files, and can ultimately lead to remote code execution when it is used to write specially crafted JavaServer Pages (JSP) files that the server then executes. Users are recommended to update their instances to version 21.1050 or later to mitigate potential operational impact.
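The two campaigns above leave distinctive traces in web access logs: GeoVision exploitation shows up as requests to /DateSetting.cgi whose szSrvIpAddr value is not a plain address or hostname, and MagicINFO exploitation shows up as path-traversal sequences aimed at writing a .jsp file. The following detector is an added example written for this article, not code from Akamai, Arctic Wolf, GeoVision or Samsung. Only the /DateSetting.cgi path and the szSrvIpAddr parameter come from the article; the Common Log Format layout, the `/MagicInfo/upload` path and the `filename` parameter are placeholders, and every sample log line is constructed.

```python
"""Flag access-log lines matching the GeoVision and MagicINFO campaign indicators.

Constructed example for this article. Assumed: Common Log Format input; the
MagicINFO upload path and query parameter are placeholders, not Samsung's.
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: src ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# An NTP/time-server field should only ever hold an IPv4/IPv6 address or a
# hostname; anything outside this character set is suspicious.
ALLOWED_SERVER_VALUE = re.compile(r'^[A-Za-z0-9.\-:]+$')

# Directory traversal in either slash style (checked after URL-decoding).
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')


def classify_request(target: str) -> Optional[str]:
    """Return an alert label for a request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # parse_qs URL-decodes values, so encoded metacharacters are caught too.
    query = parse_qs(parts.query, keep_blank_values=True)
    decoded_target = unquote(target)

    # GeoVision: szSrvIpAddr on /DateSetting.cgi carrying non-address characters
    if path.endswith('/DateSetting.cgi'):
        for value in query.get('szSrvIpAddr', []):
            if not ALLOWED_SERVER_VALUE.fullmatch(value):
                return 'geovision-cmdi'

    # MagicINFO-style: traversal sequence combined with a .jsp target
    if TRAVERSAL.search(decoded_target) and '.jsp' in decoded_target.lower():
        return 'magicinfo-traversal-jsp'
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse CLF lines and return one alert record per suspicious request."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:          # unparseable lines are skipped, not alerted on
            continue
        label = classify_request(match['target'])
        if label:
            alerts.append({
                'src': match['src'],
                'time': match['ts'],
                'label': label,
                'target': match['target'],
            })
    return alerts


# Constructed sample log (RFC 5737 documentation addresses); line 2 mimics a
# command-injection attempt, line 3 a traversal write of a JSP file.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Apr/2025:03:14:07 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10 HTTP/1.1" 200 512
203.0.113.9 - - [05/Apr/2025:03:14:09 +0000] "GET /DateSetting.cgi?szSrvIpAddr=192.0.2.10%3Bcmd HTTP/1.1" 200 512
203.0.113.9 - - [05/Apr/2025:03:15:02 +0000] "POST /MagicInfo/upload?filename=..%2F..%2Fx.jsp HTTP/1.1" 200 0
198.51.100.8 - - [05/Apr/2025:03:16:30 +0000] "GET /index.html HTTP/1.1" 200 1024
this line is not in Common Log Format and is ignored
"""

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['src']} {alert['label']} {alert['target']}")
```

Because parse_qs decodes the query before the check, percent-encoded metacharacters such as `%3B` are caught as well as literal ones, and a legitimate hostname like `time.example.org` in szSrvIpAddr is still accepted. Tune the allowed character set and the traversal pattern to the log source before deploying, and treat hits as leads for host inspection rather than proof of compromise.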
Mirai Botnet
The Mirai botnet is a notorious malware family known for conducting DDoS attacks on high-profile targets such as hospitals, banks, and other critical infrastructure organizations. Mirai builds its botnet from compromised IoT devices, which are infected with malware that communicates back to attacker-controlled command-and-control infrastructure.
LZRD
Some of the other vulnerabilities exploited by this variant include a Hadoop YARN vulnerability, the separate flaw CVE-2018-10561, and a bug impacting DigiEver that was highlighted in December 2024. Its attack vectors also cover other IoT devices, including GeoVision IoT devices and Samsung MagicINFO servers.
InfectedSlurs Campaign
There is some evidence to suggest that the campaign overlaps with previously recorded activity tracked under the name InfectedSlurs. This suggests a degree of sophistication on the attackers' part, who appear to be coordinating their efforts across multiple campaigns.
Campaigns such as this underline the persistent risk posed by IoT devices and the importance of keeping them up to date with the latest patches and firmware. Given that some hardware manufacturers do not issue patches for retired devices (in some cases, the manufacturer itself may be defunct), greater vigilance is needed in securing these devices, including retiring them when no fix will ever ship.
Recommendations
For users affected by this campaign, it is recommended to replace end-of-life GeoVision IoT devices with a newer, supported model and to update Samsung MagicINFO to a patched version to mitigate potential threats. Users are also advised to keep their systems and firmware up to date with the latest patches and security updates.
In conclusion, hackers have successfully exploited vulnerabilities in GeoVision IoT devices and Samsung MagicINFO servers to deploy a Mirai botnet. The campaign again shows how unpatched IoT devices feed botnet growth and why their owners need to prioritize securing or retiring them.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Corral-GeoVision-IoT-Devices-into-Mirai-Botnet-via-Exploited-Samsung-MagicINFO-Flaw-ehn.shtml
https://thehackernews.com/2025/05/hackers-exploit-samsung-magicinfo.html
https://nvd.nist.gov/vuln/detail/CVE-2024-6047
https://www.cvedetails.com/cve/CVE-2024-6047/
https://nvd.nist.gov/vuln/detail/CVE-2024-11120
https://www.cvedetails.com/cve/CVE-2024-11120/
https://nvd.nist.gov/vuln/detail/CVE-2024-7399
https://www.cvedetails.com/cve/CVE-2024-7399/
https://nvd.nist.gov/vuln/detail/CVE-2018-10561
https://www.cvedetails.com/cve/CVE-2018-10561/
Published: Tue May 6 10:55:42 2025 by llama3.2 3B Q4_K_M