🗓️ 6 May 2025
0:00.0 | Hello and welcome to the Tuesday, May 6, 2025 edition of the SANS Internet Storm Center's Stormcast. |
0:07.9 | My name is Johannes Ullrich, and today I'm recording from San Diego, California. |
0:13.3 | In diaries today, well, I saw some initial attacks against Samsung's MagicINFO CMS. |
0:21.3 | This is somewhat defunct, not quite really sort of maintained piece of software anymore, |
0:28.4 | but last August Samsung did release a patch for it, |
0:34.2 | fixing an arbitrary file upload vulnerability that then can lead to remote code execution. |
0:42.5 | This particular vulnerability was not really noticed much, part probably because of the very sort |
0:49.2 | of short, sort of one-liner that Samsung published about it. Last week, cybersecurity info did cite some |
0:57.9 | research report. Sadly, I didn't see a link to the actual research report or any more |
1:04.4 | attribution to it, but this particular article about the research report did quote it, noting a particular URL that's being used to upload these files, and then also some additional details about the vulnerability. |
1:21.6 | Well, a couple days later, we started seeing some actual exploit attempts. |
1:26.6 | These exploit attempts appear to be coming from, |
1:30.0 | well, what's sort of often described, still as Mirai, basically a botnet that does |
1:37.4 | exploit various vulnerabilities. Often, of course, IoT-style vulnerabilities. This would definitely not necessarily sort of call an IoT-style vulnerability. |
1:48.1 | It is more a server component used to basically manage content. |
1:53.3 | That's what CMS content management servers are doing. |
1:57.8 | Not even sure how successful these exploits are, |
2:00.8 | but they sort of follow very much the standard pattern |
2:03.2 | where the initial upload uses a number of different ways, |
2:06.6 | like TFTP, wget, curl, FTP and such, |
2:11.1 | to download the second stage. |
2:13.0 | The second stage is then the typical shell script |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.