# Full Report
Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command
# Analysis Summary
# Tool/Technique: Mirai Botnet (LZRD variant)
## Overview
Mirai is a notorious malware family that compromises Internet of Things (IoT) devices by exploiting known vulnerabilities, assembling the infected devices into large botnets used chiefly for launching massive Distributed Denial-of-Service (DDoS) attacks. The article specifically mentions the deployment of an ARM version of Mirai, dubbed "LZRD," against the exploited IoT devices.
## Technical Details
- Type: Malware family
- Platform: Primarily Linux-based IoT/RTOS devices (ARM architecture variants mentioned).
- Capabilities: Scanning for vulnerable devices, exploitation, command execution, downloading and executing secondary payloads (like the LZRD variant), participation in DDoS attacks.
- First Seen: Early April 2025 for the specific exploitation campaign observed by Akamai SIRT.
## MITRE ATT&CK Mapping
Mirai's primary focus is establishing a foothold and performing network denial of service.
- **TA0007 - Discovery**
  - T1595 - Active Scanning
    - T1595.002 - Internet Scan
- **TA0008 - Lateral Movement** (Implied, if scanning other devices)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
- **TA0016 - Collection** (Gathering device details for exploitation)
- **TA0018 - Impact**
  - T1498 - Network Denial of Service
    - T1498.004 - Application Layer Denial of Service (Primary goal of the resulting botnet)
## Functionality
### Core Capabilities
- Exploiting known vulnerabilities (CVE-2024-6047, CVE-2024-11120, CVE-2018-10561, etc.) in EoL IoT devices to gain initial access.
- Downloading and executing the ARM version specifically named LZRD.
- Enlisting compromised devices into a large-scale botnet.
### Advanced Features
- Persistence mechanisms typical of Mirai variants, allowing continuous operation and participation in coordinated attacks like DDoS.
- Targeting outdated or unpatched firmware on hardware from various manufacturers.
## Indicators of Compromise
*Note: Specific IOCs (Hashes, C2s) were not provided in the context, only the vulnerabilities used for initial access.*
- File Hashes: [Not specified in the context]
- File Names: LZRD (Name associated with the deployed ARM variant payload)
- Registry Keys: [Not applicable/specified for embedded IoT malware]
- Network Indicators: [C2 servers/domains were not explicitly listed, only the exploitation vectors]
- Behavioral Indicators: Attempts to download executable files from external sources onto IoT devices, high outbound network traffic characteristic of DDoS participation.
## Associated Threat Actors
- Threat actors exploiting GeoVision and Samsung MagicINFO vulnerabilities.
- Overlap suggested with previously recorded activity under the name **InfectedSlurs**.
## Detection Methods
- **Signature-based detection:** Signatures for known Mirai binary hashes (including the LZRD variant, if cataloged).
- **Behavioral detection:** Monitoring network activity for large-scale scanning attempts originating from IoT devices, or outbound traffic characteristic of DDoS floods.
- **YARA rules:** Rules targeting hardcoded strings or structural elements specific to the LZRD variant, if available.
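The two behavioral signals listed above (horizontal scanning fan-out from a single IoT device, and a packet flood toward one destination) can be checked over flow records. The following is an added example, not code from the report or from Akamai; the flow tuples, thresholds and addresses are constructed.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets).
# They are synthetic and do not come from the report.
FLOWS = (
    # one device probing 40 distinct hosts on telnet within a few seconds
    [(0, "192.0.2.10", f"198.51.100.{i}", 23, 1) for i in range(1, 41)]
    # ordinary client traffic from a second device
    + [(1, "192.0.2.11", "203.0.113.5", 443, 2), (2, "192.0.2.11", "203.0.113.6", 80, 3)]
    # one device sending 2000 packets/sec to a single target for five seconds
    + [(3 + (i % 5), "192.0.2.12", "203.0.113.50", 80, 500) for i in range(20)]
)

SCAN_FANOUT = 30   # distinct destinations on one port per window (assumed threshold)
FLOOD_PPS = 1000   # packets per second toward one destination (assumed threshold)
WINDOW_S = 60      # scan window length in seconds


def detect(flows, window=WINDOW_S, fanout_limit=SCAN_FANOUT, pps_limit=FLOOD_PPS):
    """Return {src_ip: [reasons]} for sources that look like scanners or flooders."""
    fanout = defaultdict(set)   # (src, window_index, dst_port) -> distinct dst IPs
    pkts = defaultdict(int)     # (src, dst, second) -> packets in that second
    for ts, src, dst, dport, npk in flows:
        fanout[(src, ts // window, dport)].add(dst)
        pkts[(src, dst, ts)] += npk

    findings = defaultdict(list)
    # Horizontal scan: many distinct destinations on the same port from one source.
    for (src, _, dport), dsts in fanout.items():
        if len(dsts) >= fanout_limit:
            findings[src].append(f"scan:{len(dsts)} hosts on port {dport}")
    # Flood: sustained high packet rate from one source to one destination.
    for (src, dst, _), n in pkts.items():
        if n >= pps_limit and f"flood:{dst}" not in findings[src]:
            findings[src].append(f"flood:{dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in detect(FLOWS).items():
        print(src, reasons)
```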
## Mitigation Strategies
- **Prevention measures:** Immediately upgrade or replace end-of-life (EoL) IoT devices, such as GeoVision products, that are no longer receiving security patches.
- **Hardening recommendations:** Network segmentation to isolate vulnerable IoT devices from critical infrastructure; patching devices promptly when updates are available (e.g., updating Samsung MagicINFO to versions released after August 2024).
## Related Tools/Techniques
- **CVE-2024-6047 & CVE-2024-11120:** Vulnerabilities in GeoVision IoT devices used for initial access.
- **CVE-2024-7399:** Path traversal vulnerability in Samsung MagicINFO used for arbitrary file writing and RCE leading to botnet deployment.
- **InfectedSlurs:** Previously recorded campaign showing potential overlap with the current activity.
***
# Tool/Technique: Samsung MagicINFO Vulnerability (CVE-2024-7399 Exploitation)
## Overview
This entry covers the active exploitation of a path traversal vulnerability in Samsung MagicINFO 9 Server to facilitate deployment of the Mirai botnet. Successful exploitation allows an unauthenticated attacker to write arbitrary files, which can lead to Remote Code Execution (RCE) via the deployment of malicious JavaServer Pages (JSP) files.
## Technical Details
- Type: Vulnerability exploitation sequence
- Platform: Samsung MagicINFO 9 Server
- Capabilities: Unauthenticated arbitrary file writing, leading to RCE via specially crafted JSP files capable of downloading and executing shell scripts (Mirai payload).
- First Seen: Weaponization observed after the release of a Proof-of-Concept (PoC) on April 30, 2025.
## MITRE ATT&CK Mapping
This sequence focuses heavily on initial access and execution on the server platform.
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application
    - T1190.003 - Exploit via Web Application (Path Traversal leading to file upload/write)
- **TA0002 - Execution**
  - T1059 - Command and Scripting Interpreter
    - T1059.005 - Visual Basic
- **TA0004 - Privilege Escalation** (Implied by writing files as system authority)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (If the downloaded script is obfuscated)
## Functionality
### Core Capabilities
- Exploiting path traversal to write arbitrary files as system authority.
- Writing specially crafted `.jsp` files.
### Advanced Features
- Achieves RCE without authentication.
- The downloaded shell script subsequently retrieves and executes the Mirai botnet components.
## Indicators of Compromise
- Vulnerability Identifier: CVE-2024-7399 (CVSS 8.8)
- Exploitation Vector: For MagicINFO, the file-writing mechanism centers on unauthenticated path traversal. The `/DateSetting.cgi` endpoint is the vector specifically noted for the GeoVision devices (consistent with general IoT attack trends), not for MagicINFO.
- Network Indicators: [C2 servers/domains were not explicitly listed]
- Behavioral Indicators: File creation of JSP files by unauthenticated processes, execution of shell scripts designed to fetch remote content.
## Associated Threat Actors
- Threat actors leveraging publicly disclosed vulnerabilities/PoCs.
## Detection Methods
- **Signature-based detection:** Signatures identifying attempts to exploit CVE-2024-7399 (e.g., looking for specific path traversal sequences in HTTP requests against MagicINFO endpoints).
- **Behavioral detection:** Detection of unauthenticated processes writing JSP files to web directories or executing subsequent shell scripts.
- **YARA rules:** [Not specified in the context]
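The signature-based check above (path traversal sequences in HTTP requests) and the behavioral one (JSP files arriving through an unauthenticated write) can both be applied to web server access logs. The following is an added example, not code from the report or from Samsung; the log lines are constructed, the `/upload` endpoint is a placeholder rather than a real MagicINFO path, and the detection decodes percent-encoding repeatedly so that double-encoded traversal is not missed.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed access-log lines in combined format; none are real MagicINFO requests
# and "/upload" is a placeholder endpoint, not a path from the product.
SAMPLE_LOG = """\
203.0.113.7 - - [05/May/2025:10:01:02 +0000] "POST /upload?name=..%2F..%2F..%2Fwebapps%2FROOT%2Fx.jsp HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.3 - - [05/May/2025:10:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2025:10:01:09 +0000] "GET /%252e%252e/%252e%252e/tmp/x.txt HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [05/May/2025:10:02:11 +0000] "POST /upload?name=report.pdf HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) so double-encoded
    traversal cannot slip past a naive substring check."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target):
    """Return the detection reasons for one request target (path plus query)."""
    parts = urlsplit(fully_decode(target))
    # Examine the path and every query value; treat backslashes as separators too.
    values = [v for vals in parse_qs(parts.query).values() for v in vals]
    candidates = [parts.path] + values
    reasons = []
    if any(".." in c.replace("\\", "/").split("/") for c in candidates):
        reasons.append("path-traversal")
    # A .jsp filename supplied as a parameter suggests a file write, whereas
    # requesting a .jsp page by path is normal for a JSP application.
    if any(v.lower().endswith(".jsp") for v in values):
        reasons.append("jsp-write")
    return reasons


def scan_log(text):
    """Parse each log line and collect alerts for requests that match a reason."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "method": m["method"],
                           "status": m["status"], "reasons": reasons})
    return alerts
```

Decoding the whole target before splitting it means an encoded `&` inside a value can shift parameter boundaries; for a detector that errs toward flagging, that is acceptable.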
## Mitigation Strategies
- **Prevention measures:** Update Samsung MagicINFO instances to versions patched by Samsung in **August 2024**.
- **Hardening recommendations:** Restricting external access to administrative interfaces/endpoints of management software like MagicINFO.
## Related Tools/Techniques
- Mirai (LZRD variant)
- Exploitation of GeoVision IoT devices (CVE-2024-6047/CVE-2024-11120)