TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Post-Exploitation Activities Observed from the Samsung | Huntress

2025-05-09

ATT&CK techniques detected

5 predictions
T1569.002 Service Execution (84%)
“…c whoami cmd.exe /c arp -a. What was interesting is that the attacker on the first host seemed to run into some difficulty getting their service to run on the first host with the scripted commands. Since the service didn't start, they tried the attack again. However, the serv…”

T1543.003 Windows Service (72%)
“premium\tomcat\bin\php-cli.exe</data><data name="servicetype">user mode service</data><data name="starttype">auto start</data><data name="accountname">localsystem</data> [snip] The second attempt at installing the service: [sni…”

T1059.003 Windows Command Shell (46%)
“…c whoami cmd.exe /c arp -a. What was interesting is that the attacker on the first host seemed to run into some difficulty getting their service to run on the first host with the scripted commands. Since the service didn't start, they tried the attack again. However, the serv…”

T1059.003 Windows Command Shell (32%)
“…downloaded binaries from EDR data showing the service running. Another curious thing about the attackers' commands was the fact that while they pulled an executable that was originally named srvany.exe from their staging website, they appeared to have named it as php-cli.exe…”

T1190 Exploit Public-Facing Application (32%)
“Post-Exploitation Activities Observed from the Samsung | Huntress. This week, Huntress observed limited exploitation activity involving the Samsung MagicINFO 9 Server, a content management system used for digital signage displays. As we outlined in our Rapid Response earlier thi…”

Summary

Huntress has verified that attackers are exploiting flaws in Samsung MagicINFO 9 Server (version 21.1050.0). Understand why MagicINFO 9 Server shouldn’t be internet-facing until a patch is available and applied.