An Amazon Cloud storage misconfiguration at Volkswagen’s software subsidiary Cariad exposed 800,000 EV customer records for months — including precise vehicle location data, home addresses, email addresses, and phone numbers. HN52 also covers a new Mirai botnet variant exploiting a zero-day in 4-Faith industrial routers, maintaining 15,000 daily active bots and generating DDoS traffic peaks of 100 Gbps against hundreds of targets per day.
Stories Covered
Volkswagen Breach: 800,000 EV Customers’ Location Data Exposed
The Chaos Computer Club reported that Volkswagen’s software subsidiary Cariad left an Amazon S3 bucket misconfigured and publicly accessible for months. The exposed data covered 800,000 electric vehicle owners across VW, Audi, Seat, and Skoda brands and included vehicle on/off timestamps, precise GPS location data, email addresses, phone numbers, and home addresses. Among those affected were at least two German politicians and members of the Hamburg police. Most vehicles were located in Germany, with additional data for Norway, Sweden, the UK, Netherlands, France, Belgium, and Denmark.
This is the accelerating pattern with connected vehicles: the car itself is rarely the attack surface. The cloud infrastructure collecting telemetry from the car is. Electric vehicles are effectively computers with motors, continuously reporting location, usage patterns, and system state back to manufacturer servers. When those servers are misconfigured — often due to turnover, unfamiliarity with cloud access controls, or simply never changing default permission settings — all that data becomes public. Location data paired with home addresses is particularly sensitive: it can reveal when a person is home, their daily movement patterns, and where they regularly park overnight.
The root cause here is a cloud misconfiguration, not a sophisticated breach. Proper S3 bucket ACL auditing and access logging would have caught this. For organizations running cloud-connected automotive or IoT infrastructure, automated misconfiguration scanning (tools like Prowler, Scout Suite, or AWS Config) should be table stakes, not an afterthought.
Mirai Variant Exploits 4-Faith Router Zero-Day for 100 Gbps DDoS Bursts
QiAnXin’s XLab researchers identified a Mirai botnet variant actively exploiting a zero-day vulnerability in 4-Faith industrial routers since November 2024. The botnet maintains approximately 15,000 daily active infected IP addresses — distributed across China, Iran, Russia, Turkey, and the United States — and launches DDoS attacks against hundreds of targets daily. Attack bursts last 10–30 seconds but generate traffic peaks around 100 Gbps (roughly 12.5 GB/s), enough to saturate most enterprise perimeters.
Beyond the 4-Faith zero-day, the botnet’s arsenal includes over 20 known CVEs — including vulnerabilities from 2013 that have had patches available for over a decade. The presence of decade-old CVEs in an active botnet’s exploit list reflects the core problem with IoT and industrial routers: they get deployed, they work, and nobody touches them again. Unlike a phone that nags you about updates, a router or DVR in a factory corner typically requires manual firmware download and physical USB installation to patch — a barrier most operators never clear. Devices facing the internet with unpatched CVEs from 2013 are not edge cases; they are the normal state of a large fraction of deployed industrial networking equipment.
The botnet also uses weak Telnet credentials for initial access, compounding the exposure. Default credentials on internet-facing devices remain one of the easiest and most reliable initial access techniques available — and one of the easiest things to fix. Changing default credentials and disabling Telnet in favor of SSH should be the first two steps when deploying any industrial router, before it ever hits the network.
Leave a Reply