{
  "name": "Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw",
  "slug": "post-exploitation-activities-observed-from-the-samsung-magicinfo-9-server-flaw",
  "description": "A vulnerability in Samsung MagicINFO 9 Server, a content management system for digital signage displays, has been exploited in a limited number of incidents. Three separate attacks were observed, with two showing organized, identical commands and one appearing to be in a research phase. The attackers attempted to install and run services, encountering difficulties in some instances. They used deceptive naming techniques for downloaded executables. The attacks occurred within a short timeframe, and similar backdoor credentials were used. Because no patch is available, recommendations include ensuring MagicINFO servers are not internet-facing. The limited scope of attacks may be due to existing firewall protections for many potential targets.",
  "published": "2025-05-10T11:03:00+00:00",
  "created_at": "2025-05-10T11:03:00+00:00",
  "modified_at": "2025-05-12T06:46:04+00:00",
  "created_at_opencti": "2025-05-10T11:03:00+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-05-10",
    "digital signage",
    "exploitation",
    "magicinfo",
    "post-exploitation",
    "reconnaissance",
    "samsung",
    "service installation",
    "vulnerability"
  ],
  "related_entities": {
    "attack_patterns": [
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "67c697ce-a6cc-475f-9bee-e14c1bef7067",
        "name": "T1047"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      }
    ]
  },
  "external_refs": [
    "https://www.huntress.com/blog/post-exploitation-activities-observed-from-samsung-magicinfo-9-server-flaw",
    "https://otx.alienvault.com/pulse/681f4e845617d20078489553"
  ]
}