CyberBakery Chronicles (09 May 2025)

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (09 May 2025)

Cybersecurity researchers have identified active exploitation of a vulnerability in Samsung’s MagicINFO 9 Server, a digital signage content management system, being leveraged to deploy the Mirai botnet. This exploitation follows the public release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025.

The vulnerability, initially believed to be CVE-2024-7399—a path traversal flaw allowing arbitrary file writes—has been reassessed. Cybersecurity firms Arctic Wolf and Huntress have observed that even the latest version of MagicINFO 9 Server (version 21.1050.0), which was patched in August 2024, remains susceptible. This suggests that the PoC targets a separate, unpatched vulnerability.

Attackers are exploiting this flaw to upload specially crafted JavaServer Pages (JSP) files, enabling remote code execution. Once compromised, the servers are used to download and execute an ARM version of the Mirai malware, known as LZRD, integrating the devices into a botnet.

This campaign is part of a broader trend where threat actors target outdated or poorly secured IoT devices. In addition to Samsung’s MagicINFO, vulnerabilities in GeoVision’s end-of-life IoT devices are also being exploited to expand the botnet.

Organisations running the Samsung MagicINFO 9 Server must take immediate action by disabling the service until a comprehensive patch is made available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed two GeoVision vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalogue, mandating that federal agencies implement the necessary fixes by May 28, 2025. If appropriate mitigations cannot be applied, agencies must discontinue the use of these products without delay.

The NSFOCUS article titled “Two Battlegrounds: India-Pakistan Conflicts and DDoS Attacks” highlights the parallel escalation of physical and cyber conflicts between India and Pakistan following a terrorist attack in Pahalgam, Indian-controlled Kashmir, on April 22, 2025, which resulted in 26 fatalities. In the wake of this incident, NSFOCUS’s Global Threat Hunting System observed a significant surge in Distributed Denial of Service (DDoS) attacks exchanged between the two nations, indicating a cyber front to the ongoing hostilities. 

The article outlines a timeline of events:

  • April 22: The terrorist attack in Pahalgam occurs. 

  • April 23–24: India responds by closing border crossings, expelling Pakistani diplomats, suspending visa issuance to Pakistani citizens, and placing its military on high alert. Pakistan counters by closing its airspace to India, suspending trade, revoking certain visas for Indian citizens, and mobilizing military assets.

  • April 25–28: Continuous exchanges of fire take place in Kashmir, with conflicts spreading to areas like the Jhelum Valley and Rampur. 

  • May 2–5: Both countries implement blockade measures, leading to a temporary relaxation of tensions.

  • May 7: India launches a significant military operation involving missile strikes into Pakistan. In retaliation, the Pakistani Air Force reportedly shoots down five Indian fighter jets, escalating the regional situation further. 

The article emphasises that these developments reflect the deep-rooted tensions stemming from the Kashmir dispute, a legacy of the 1947 partition, and underscores the increasing role of cyber warfare as both nations engage in DDoS attacks alongside traditional military actions. 

Attack Summary

According to the monitoring data of the Global Threat Hunting System of NSFOCUS Fuying Laboratory, DDoS attacks against India and Pakistan have shown a significant, fluctuating upward trend since April 14, 2025.

Image: NSFOCUS

As of April 26, the scale of cyberattacks has surged dramatically, with attacks in India skyrocketing by over 500% and in Pakistan by more than 700%. This alarming deterioration in cybersecurity mirrors the escalating military standoff between India and Pakistan over Kashmir, where tensions have reached new heights, resulting in both sides exchanging fire and deploying heavy weaponry. During this period, cyberattacks have remained consistently high. Starting May 1, both nations entered a stalemate. However, due to international intervention, the situation has begun to stabilise, and cyber activities reflect this shift. DDoS attacks are now steadily declining.

Cyble, a reputable threat intelligence company, revealed in a blog post that over 40 hacktivist groups launched coordinated cyberattacks against India in response to the April 22 terror attack in Pahalgam, situated in Jammu and Kashmir. This alarming series of attacks prompted India to take decisive action, executing targeted strikes against what it identifies as terrorist infrastructure across the border and in the Pakistan-Occupied Kashmir (PoK) region.

Cyble Research & Intelligence Lab’s (CRIL) findings indicate that over the course of two weeks, several fundamentalist, pro-Pakistan, and Southeast Asian hacktivist groups launched a series of Distributed Denial-of-Service (DDoS) attacks and website defacements, both in isolation and in coordinated campaigns.

Image: Cyble

The cyber campaign intensified after India's "Operation Sindoor" on May 7, which involved strikes on alleged terrorist camps in Pakistan. Active groups like Keymous+, AnonSec, Nation of Saviors, and Electronic Army Special Forces targeted key government portals, healthcare infrastructure, and urban civic bodies. Their efforts primarily affected government entities and critical sectors such as education, banking, healthcare, and defence. Research indicates that the hacktivists' claims often reflect narratives aligned with the Pakistani state, demonstrating a blend of digital disruption and physical conflict in their responses.

The hacktivism campaign called #OpIndia relied on disruption tactics against Indian public services. Distributed Denial-of-Service (DDoS) attacks made up 52.5% of all reported incidents, making them the main method for causing outages and damaging reputations. These attacks often targeted government ministries, healthcare systems, cyber defence agencies, and city services.

Data breach claim by Team Insane Pakistan

Website defacements accounted for 36.1% of the campaign activity. These defacement payloads often featured anti-India statements, references to retaliation, and branding from various threat actor groups. According to Cyble, these operations were utilised to disseminate propaganda, religious slogans, and political messages related to the Kashmir conflict and Operation Sindoor.

Data breach claims represented 8.2% of attacks. Most breach attempts lacked verifiable data exfiltration, indicating that the objective may have been to signal penetration capability and amplify psychological pressure.

The connection between cyberspace and the real world has become more evident since the Russia-Ukraine conflict. DDoS attacks, a primary form of cyber confrontation, often respond rapidly to geopolitical events, in contrast to long-term threats like APT attacks. This was highlighted during the recent tensions between India and Pakistan, where DDoS attacks surged on April 26, 2025, in direct response to escalating political conflicts.

International events, such as the Russia-Ukraine and Israeli-Palestinian conflicts, have advanced DDoS attack technology, lowering operational thresholds and enhancing effectiveness. This trend underscores the need to strengthen DDoS protection systems and establish agile response mechanisms to navigate potential cyber confrontations. Such cybersecurity dynamics are likely to become the norm in international relations.

A China-linked hacking group known as Chaya_004 has been actively exploiting a significant vulnerability in SAP NetWeaver, identified as CVE-2025-31324. This particular vulnerability carries a maximum Common Vulnerability Scoring System (CVSS) score of 10.0, indicating an extremely critical security risk. It allows unauthenticated attackers to upload harmful files through the /developmentserver/metadatauploader endpoint.

The successful exploitation of this flaw can lead to remote code execution, enabling attackers to gain complete control over affected systems. The first signs of this vulnerability being exploited in the wild were observed on March 12, 2025. Since then, there has been a marked increase in malicious activity, particularly from April 29, 2025. Threat actors have been deploying a variety of sophisticated tools, including a Golang-based reverse shell dubbed SuperShell. This shell is hosted on infrastructure that has been traced back to Chinese cloud service providers, raising further concerns about the origin and scale of these attacks. In response to this critical issue, SAP took proactive measures by releasing an emergency patch on April 24, 2025. This patch aims to mitigate the risk posed by the vulnerability and protect organisations utilising SAP NetWeaver.  

Additionally, leading security firms such as Onapsis and Mandiant have stepped in to assist by providing detection tools and comprehensive guidelines. These resources are designed to help organisations identify potential breaches and implement defences against this specific threat. Given the seriousness of the situation, organisations using SAP NetWeaver are strongly urged to take immediate action. This includes applying the latest security patches, restricting access to the vulnerable endpoint, and carefully monitoring their systems for any signs of compromise. Taking these precautions is essential to safeguarding against ongoing threats posed by malicious actors exploiting this vulnerability.
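As an added example (not from the newsletter, nor from SAP, Onapsis or Mandiant), the following Python scans constructed web-server access-log lines for requests to the /developmentserver/metadatauploader endpoint named above, rating a POST that the server answered with a 2xx status highest; the NCSA log format, the sample addresses and the other paths are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint named in the SAP NetWeaver CVE-2025-31324 reports
VULN_ENDPOINT = "/developmentserver/metadatauploader"

# Constructed sample access-log lines in NCSA combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [29/Apr/2025:10:15:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Apr/2025:10:16:22 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 310 "-" "python-requests/2.31"
198.51.100.7 - - [29/Apr/2025:10:16:25 +0000] "GET /irj/portal HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.55 - - [29/Apr/2025:11:02:03 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one NCSA-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(target):
    """Strip the query string, decode percent-encoding and lowercase the path
    so that case or encoding differences do not hide the endpoint."""
    return unquote(urlsplit(target).path).lower()


def find_metadatauploader_hits(log_text):
    """Return one finding per request that touched the vulnerable endpoint.
    A POST answered with a 2xx status is rated high, because the
    unauthenticated upload described in the advisory would look like that."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not normalise_path(rec["target"]).startswith(VULN_ENDPOINT):
            continue
        status = int(rec["status"])
        upload_ok = rec["method"] == "POST" and 200 <= status < 300
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": status, "severity": "high" if upload_ok else "medium",
        })
    return hits


if __name__ == "__main__":
    for h in find_metadatauploader_hits(SAMPLE_LOG):
        print(f'{h["severity"]:6} {h["ts"]} {h["ip"]} {h["method"]} -> {h["status"]}')
```

Any hit on a host where the endpoint has not been blocked at the reverse proxy deserves follow-up, since the page notes that restricting access to it is part of the recommended mitigation.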

A U.S. federal jury has made a groundbreaking decision, ordering Israeli spyware vendor NSO Group to pay WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages for a 2019 campaign that aggressively targeted 1,400 users of the popular communication app. This verdict is not just significant—it represents a pivotal moment in holding spyware vendors accountable in a court of law, sending a strong message throughout the commercial spyware industry.

Meta, WhatsApp's parent company, stated, "Today's verdict is a vital victory for privacy and security. It marks a significant step forward against the illegal spyware that endangers the safety and privacy of everyone." They emphasised that the jury's decision to require NSO—a notorious foreign spyware merchant—to pay damages serves as a powerful deterrent against the malicious practices harming American companies and citizens.

The hefty damages stem from a May 2019 attack in which NSO sought to infect 1,400 WhatsApp users with its Pegasus spyware by exploiting a zero-day vulnerability. Specifically, NSO leveraged CVE-2019-3568, a buffer overflow in the WhatsApp VoIP stack, which allowed attackers to send specially crafted RTCP packets to target phone numbers, enabling remote code execution. The troubling reality is that even unanswered calls could trigger this exploit, resulting in the covert installation of Pegasus on devices.

Meta initiated the lawsuit against NSO Group on October 29, 2019, in the U.S. District Court for the Northern District of California, asserting that NSO had exploited WhatsApp’s calling feature to deliver its intrusive spyware. While NSO claims its products are intended for law enforcement to combat serious crime, Meta confirmed that targeted individuals included human rights activists, journalists, and diplomats—vulnerable groups facing significant threats.

Throughout the trial, shocking revelations emerged, including admissions by NSO executives about their direct involvement in infection operations and their considerable investment of tens of millions of dollars in developing various infection channels. Court documents further revealed that NSO continued to exploit at least one additional zero-day vulnerability in WhatsApp software to target users with spyware, even after Meta filed its lawsuit.

On December 23, 2024, Judge Phyllis J. Hamilton ruled that NSO Group is liable for violating U.S. hacking laws and WhatsApp's Terms of Service. This ruling granted partial summary judgment in WhatsApp's favour and set the stage for a jury trial focused on damages. Ultimately, WhatsApp was awarded punitive damages of $167,254,000 and an extra $444,719 to cover costs related to the incident investigation, vulnerability patching, and user notification.

Researcher John Scott-Railton from CitizenLab hailed the court's decision and warned the spyware industry that they could face similar legal repercussions. This landmark case serves as a powerful reminder that illegal surveillance will not go unchallenged, fostering hope for greater accountability and protection of privacy rights in our digital age.

TikTok has recently been fined €530 million by the European Union for serious violations of data privacy laws, particularly regarding the transfer of European user data to China. This substantial penalty, imposed by Ireland’s Data Protection Commission (DPC), exemplifies the EU’s unwavering commitment to enforcing the General Data Protection Regulation (GDPR). It sends a powerful message about global data governance standards that cannot be ignored.

The DPC’s investigation uncovered that TikTok failed to adequately safeguard European Economic Area (EEA) user data during its transfers to China. The company did not implement the necessary protections to shield this data from potential access by Chinese authorities, as mandated by GDPR’s Article 46(1). Furthermore, TikTok’s lack of transparency in its privacy policies intensifies the concern, leading to a breach of Article 13(1)(f) of the GDPR, which demands clear communication to users about data handling practices.

Initially, TikTok claimed that all EEA user data was stored exclusively in Singapore and the United States, with no access granted from China. However, in a significant turn of events in April 2025, the company admitted that it had been storing some EEA user data on servers in China, contradicting its previous assertions. This admission not only exposes shortcomings in TikTok’s data management practices but also raises serious doubts about the company’s transparency and adherence to stringent EU data protection standards.

This fine sets a clear precedent for how the EU will handle data transfers to countries with legal frameworks that may not satisfy its stringent standards. It underscores the critical need for companies operating in the EU to conduct comprehensive transfer impact assessments and enforce robust safeguards when sharing data with third countries. Non-compliance can lead to hefty penalties and suspension of data transfers, as evidenced by TikTok’s situation.

In response, TikTok has expressed its disagreement with the DPC’s decision and plans to appeal the fine. The company also highlights its commitment to improving data protection through initiatives like “Project Clover,” aimed at localizing EEA user data within Europe and enhancing security measures. However, the DPC has indicated that these efforts may fall short of genuinely addressing the underlying concerns, particularly the risk of data exposure to Chinese authorities.

This case exemplifies the complex challenges multinational companies encounter while navigating divergent data protection laws across jurisdictions. For Australian businesses engaging with the EU, it emphasises the importance of grasping and complying with GDPR requirements, especially in relation to data transfers to countries lacking adequacy decisions. Companies must not only implement appropriate safeguards but also maintain transparency with users regarding their data handling practices.

The €530 million fine against TikTok represents a decisive enforcement of data protection laws and serves as a stark warning to other companies about the need for compliance. As data privacy becomes increasingly critical on a global scale, organisations must prioritise robust data protection practices to avoid similar penalties and earn user trust.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
