Rankiteo
Leader in Cyber Underwriting
Samsung Electronics

Samsung Electronics Vendor Cyber Rating & Cyber Score

samsung.com

Samsung Electronics is a global leader in technology, opening new possibilities for people everywhere. Through relentless innovation and discovery, we are transforming the worlds of TVs, smartphones, wearable devices, tablets, digital appliances, network systems, medical devices, semiconductors and LED solutions. Samsung is also leading in the Internet of Things space through, among others, our Smart Home and Digital Health initiatives. Since being established in 1969, Samsung Electronics has grown into one of the world’s leading technology companies, and become recognized as one of the top 10 global brands. Our network now extends across the world, and Samsung takes great pride in the creativity and diversity of its talented people, who


Samsung Electronics A.I CyberSecurity Scoring

Samsung Electronics
Company Information
Website: http://www.samsung.com
Employees number: 167,492
Number of followers: 4,929,312
NAICS: 334
Industry Type: Computers and Electronics Manufacturing
Homepage: samsung.com
Samsung Electronics Risk Score (AI oriented)
Between 750 and 799
Samsung Electronics (Computers and Electronics Manufacturing)
Updated: 10/04/2026
752/1000
Fair
Baa
Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Samsung Electronics: Fair
Current Score: 752 Baa (FAIR)
Scale: 0 to 1000
13 incidents
-18.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
766 Before Incident
MAY 2026
754 Before Incident
APRIL 2026
752 Before Incident
MARCH 2026
750 Before Incident
FEBRUARY 2026
748 Before Incident
JANUARY 2026
748 Before Incident
DECEMBER 2025
744 Before Incident
NOVEMBER 2025
743 Before Incident
Vulnerability
05 Nov 2025, Samsung Electronics
Samsung (Hypothetical Breach Scenario - Knox Vulnerability Exploit)

742 After Incident
CRITICAL -1
SAM5932959110525
A zero-day exploit in Samsung Knox’s DEFEX module was discovered, allowing attackers to bypass Message Guard’s zero-click attack protections. The vulnerability, chained with a phishing campaign targeting enterprise admins, enabled threat actors to silently exfiltrate corporate data from Samsung Galaxy devices enrolled in Enterprise Mobility Management (EMM) systems. The attack leveraged malicious image files sent via messaging apps (e.g., WhatsApp, SMS), which Knox failed to isolate due to a logic flaw in its sandboxing mechanism. The breach impacted 12,000 devices across a multinational corporation, exposing:
- Employee credentials (stored in Knox-protected containers).
- Unencrypted email caches containing client contracts and financial projections.
- Internal IT policies and device update schedules, aiding further attacks.

While no customer PII was confirmed stolen, the reputation damage was severe after tech media reported the failure of Knox’s ‘government-grade’ claims. The company faced regulatory scrutiny for misleading security marketing, and stock prices dipped 4% post-disclosure. Samsung issued an emergency patch, but the incident eroded trust in Android’s enterprise security among CISOs.
INCIDENT DETAILS -
TYPE
Security Myth Debunking, Enterprise Mobile Security Overview, Proactive Threat Mitigation
OCTOBER 2025
773 Before Incident
Ransomware
04 Oct 2025, Samsung Electronics
Dimensional Control Systems (DCS)

Ransomware Attack on Dimensional Control Systems (DCS) by J Group

738 After Incident
CRITICAL -35
DIM4992449100425
A ransomware group, J Group, claimed a major breach of Dimensional Control Systems (DCS), a Michigan-based provider of dimensional engineering software critical to manufacturing giants like Boeing, Samsung, Volkswagen, and Airbus. The attackers allegedly exfiltrated 11GB of sensitive data, including financial records, employee information, and proprietary operational documents, posting samples on the dark web as leverage for ransom demands. The breach poses severe risks to supply chain security, potentially exposing intellectual property (e.g., aerospace designs, manufacturing tolerances) and disrupting operations for high-profile clients. Boeing’s involvement raises national security concerns due to its defense contracts, while Samsung’s prior breaches compound vulnerabilities. Though DCS has not publicly confirmed the attack, cybersecurity experts warn of cascading risks—including regulatory fines (e.g., GDPR for Volkswagen), legal actions, and reputational damage—if client data was compromised. The incident underscores the growing threat of third-party vendor attacks, where a single breach can jeopardize an entire industrial ecosystem.
INCIDENT DETAILS -
TYPE
ransomware, data breach, supply chain attack
MOTIVATION
financial gain (ransom), data theft for leverage
IMPACT
financial records; employee information; internal documents; proprietary designs (potential); operational data (potential); potential disruption to precision manufacturing processes for clients (Boeing, Samsung, Volkswagen, Airbus); supply chain security risks; potential damage due to association with high-profile clients (e.g., Boeing, Airbus); loss of trust in supply chain security; potential fines under GDPR (for Volkswagen); regulatory scrutiny (e.g., FAA for Boeing); legal actions from affected clients; employee information exposed
DATA BREACH
financial records; employee information; internal documents; potential proprietary designs; Sensitivity Of Data: high (includes supply chain and manufacturing data for defense/aerospace clients); Data Exfiltration: claimed (11GB of data); financial records; employee data; screenshots; internal documents; employee information
SEPTEMBER 2025
773 Before Incident
AUGUST 2025
772 Before Incident
JULY 2025
788 Before Incident
Breach
08 Jul 2025, Samsung Electronics
Samsung

769 After Incident
MEDIUM -19
SAM945080725
A leak revealed details and images of Samsung's upcoming devices, including the Galaxy Z Fold 7, Z Flip 7, and Galaxy Watch series. The leak suggests Samsung is dropping support for the S Pen on the Z Fold 7, which could impact user experience and productivity. Additionally, marketing materials and specs for the Galaxy Watch 8 series were exposed, potentially affecting Samsung's competitive edge and product launch strategy. The leak was shared by a reliable source on Bluesky, highlighting vulnerabilities in Samsung's pre-launch confidentiality.
INCIDENT DETAILS -
TYPE
Data Leak
MOTIVATION
Unauthorized disclosure of confidential information
IMPACT
Data Compromised: Marketing materials and device specifications; Brand Reputation Impact: Potential negative impact due to unauthorized leak
DATA BREACH
Type Of Data Compromised: Marketing materials, device specifications; Sensitivity Of Data: Confidential; Data Exfiltration: Yes
MAY 2025
786 Before Incident
Vulnerability
30 Apr 2025, Samsung Electronics
Samsung

Critical Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2025-4632) Exploited for Mirai Botnet Spread

785 After Incident
CRITICAL -1
SAM4062340111725
Samsung addressed a critical path traversal vulnerability (CVE-2025-4632) in its MagicINFO 9 Server, exploited to propagate the Mirai botnet. The flaw, stemming from improper pathname limitations, allowed arbitrary file writes, enabling attackers to execute malicious commands, download payloads, and conduct reconnaissance. The vulnerability was actively abused in three confirmed incidents after a proof-of-concept (PoC) was publicly released on April 30. Affected systems included versions v8 to v9 (21.1050.0), with patching complications noted—users upgrading from v8 to v9 (21.1052.0) were required to first install an intermediate vulnerable version (21.1050.0) before applying fixes. The exploitation risked unauthorized system access, lateral movement within networks, and potential botnet integration, amplifying risks of distributed denial-of-service (DDoS) attacks or further malware deployment. While no direct data breaches or financial losses were reported, the vulnerability posed a significant operational threat, particularly for enterprises relying on MagicINFO for digital signage and content management.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Botnet Propagation (Mirai), Unauthorized Arbitrary File Write
MOTIVATION
Botnet Expansion (Mirai), Reconnaissance, Potential Follow-on Attacks
IMPACT
Samsung MagicINFO Server (Versions v8 to v9 21.1050.0); Potential Unauthorized File Modifications; Botnet Infection; Reconnaissance Activity; Potential Reputation Damage Due to Vulnerability Exploitation
MARCH 2025
785 Before Incident
Vulnerability
01 Mar 2025, Samsung Electronics
Samsung

Potential Battery Issues with Galaxy S25 Edge

784 After Incident
MEDIUM -1
SAM333031125
Samsung's newly anticipated model, the Galaxy S25 Edge, features a battery with a lower capacity compared to its predecessor. Spurred by competition from Apple's rumored high-capacity, super-slim iPhone 17 Air, Samsung might face consumer backlash if its slim design compromises battery life. Despite housing the powerful 8-core Snapdragon 8 Elite chipset, the S25 Edge's 3,900 mAh battery could lead to underwhelming battery performance, disadvantaging Samsung in a market where incremental battery life improvements are expected with each new smartphone release.
INCIDENT DETAILS -
TYPE
Product Issue
IMPACT
Potential consumer backlash
AUGUST 2024
778 Before Incident
Vulnerability
01 Aug 2024, Samsung Electronics
Samsung

Samsung MagicINFO Vulnerability Exploitation

776 After Incident
LOW -2
SAM732051525
Companies running Samsung MagicINFO, a platform for managing content on Samsung commercial digital displays, should upgrade to the latest available version of its v9 branch to fix a vulnerability that’s reportedly being exploited by attackers. The vulnerability in question was believed to be CVE-2024-7399, which was fixed in August 2024. However, confusion arose due to inconsistent information from Samsung. The latest hotfix, MagicINFO 9 Server (Hotfix) 21.1052, mitigates the issue. There is no hotfix for MagicINFO v8, so users should switch to v9 and do it in a particular way: first upgrade to v9 21.1050, and then update to v9 (Hotfix) 21.1052. All customers should investigate whether their instances have been compromised.
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Samsung MagicINFO
JUNE 2024
777 Before Incident
Vulnerability
16 Jun 2024, Samsung Electronics
Samsung

Samsung Patches Zero-Day RCE Vulnerability (CVE-2025-21043) in Android Devices

776 After Incident
CRITICAL -1
SAM3132231091225
Samsung patched a critical zero-day vulnerability (CVE-2025-21043) in its Android devices (Android 13+), exploited in real-world attacks. The flaw, an out-of-bounds write in libimagecodec.quram.so (a third-party image parsing library by Quramsoft), allowed remote code execution (RCE) via malicious images. Exploits were detected in the wild, with Meta/WhatsApp reporting the issue on August 13. While Samsung did not confirm if attacks were limited to WhatsApp users, the vulnerability posed risks to any app using the affected library. The flaw enabled attackers to execute arbitrary code on targeted devices without user interaction, potentially leading to spyware deployment, data theft, or device takeover. Concurrently, Samsung’s MagicINFO 9 Server (a CMS used in airports, hospitals, and retail) was targeted via another RCE flaw (CVE-2024-7399), allowing unauthenticated malware deployment. Though no direct link was confirmed, the combined risks highlighted systemic exposure in Samsung’s ecosystem. The company urged updates but did not disclose attack scale or victim details. The exploitation aligns with sophisticated, targeted campaigns, possibly linked to state-sponsored or mercenary spyware groups (e.g., NSO Group-like actors).
INCIDENT DETAILS -
TYPE
Vulnerability Exploitation, Zero-Day Attack, Remote Code Execution (RCE)
MOTIVATION
Espionage (Spyware Campaign), Potential Data Theft, Unauthorized Access
IMPACT
Samsung Android Devices (Android 13+) with libimagecodec.quram.so; WhatsApp iOS/macOS Clients (via CVE-2025-55177 + CVE-2025-43300); Samsung MagicINFO 9 Server (CVE-2024-7399); Potential Device Compromise; Spyware Deployment; Malware Distribution; Potential Erosion of Trust in Samsung/Meta Security; Negative Publicity; High (if spyware deployed successfully)
DATA BREACH
Potential (via Spyware Campaign); Potential (if spyware deployed)
NOVEMBER 2023
785 Before Incident
Breach
01 Nov 2023, Samsung Electronics
Samsung Electronics

Samsung Electronics Data Breach

767 After Incident
CRITICAL -18
SAM1016261123
A data breach at Samsung Electronics resulted in the disclosure of some of its customers' personal information to an unapproved party. A weakness in an unidentified third-party application utilised by the IT behemoth was taken advantage of by threat actors. Names, phone numbers, postal addresses, and email addresses may have been revealed; the company is alerting affected consumers. The identities, phone numbers, birthdates, product registration information, and demographic data of Samsung consumers were all accessible to the threat actors. In addition, the security breach did not reveal credit card or Social Security information.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Names, Phone numbers, Postal addresses, Email addresses, Birthdates, Product registration information, Demographic data
DATA BREACH
Personal information, Names, Phone numbers, Postal addresses, Email addresses, Birthdates, Product registration information, Demographic data
APRIL 2023
795 Before Incident
Data Leak
01 Apr 2023, Samsung Electronics
Samsung Electronics

Samsung Data Breach Incident via ChatGPT

776 After Incident
HIGH -19
SAM33929523
Samsung suffered a data breach incident in April 2023 after Samsung employees shared internal documents, including meeting notes and source code, with the popular chatbot service ChatGPT. The organisation had three data leaks as a result of its staff members disclosing private information using ChatGPT. Samsung Electronics is alerting staff members to the potential dangers of using ChatGPT and emphasising that there is no way to stop the disclosure of the information submitted to OpenAI's chatbot service.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Unintentional Data Sharing
IMPACT
internal documents, meeting notes, source code
DATA BREACH
internal documents, meeting notes, source code
OCTOBER 2022
795 Before Incident
Cyber Attack
20 Oct 2022, Samsung Electronics
Nvidia and Samsung: Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion

Evolution of Ransomware Tactics: From Encryption to Data Extortion and Corruption

789 After Incident
CRITICAL -6
SAMNVI1775781329
Ransomware Evolves: From Encryption to Data Extortion and Corruption

Cybercriminals behind ransomware attacks are shifting tactics, moving away from traditional full encryption toward faster, more flexible extortion methods. This evolution reflects a broader trend where threat actors prioritize efficiency, leverage stolen data, and adapt to defensive measures, creating a spectrum of data-destructive techniques.

### The Shifting Ransomware Landscape

Once defined by full data encryption, ransomware operations now encompass a range of strategies, from pure data theft to partial or intermittent encryption. This shift is driven by the need for speed, reduced detection risk, and the growing profitability of extortion. Ransomware-as-a-Service (RaaS) programs have further lowered the barrier to entry, enabling even low-skilled actors to launch sophisticated attacks with support structures akin to legitimate businesses.

### The Spectrum of Data Extortion

Modern ransomware operators now occupy different positions on a "data destructiveness" spectrum:

- No Encryption, Pure Extortion: Groups like Karakurt and Lapsus$ bypass encryption entirely, instead stealing sensitive data and threatening to leak or auction it. Karakurt, linked to the defunct Conti syndicate, targets organizations across industries by exploiting vulnerabilities in exposed services (e.g., outdated Fortinet VPNs) or purchasing access from initial access brokers (IABs). Lapsus$, known for high-profile breaches (Nvidia, Samsung, Okta, Microsoft), relies on stolen credentials, phishing, and social engineering, including SIM-swapping, to bypass multi-factor authentication (MFA). Unlike Karakurt, Lapsus$ also seeks notoriety alongside financial gain.
- Data Corruption: Some actors, like those using the Exmatter tool, corrupt files by replacing chunks of data with unrelated content. This method is faster than encryption, harder to reverse, and eliminates the risk of decryption tools being developed by researchers. Corruption also avoids the technical complexities of encryption, reducing the chance of implementation flaws.
- Partial Encryption: Ransomware families like BlackCat, BlackBasta, Agenda, Qyick, and the newer Royal employ intermittent encryption, targeting only portions of files. This approach speeds up attacks, especially for large files, while evading detection by security tools that monitor file I/O intensity or entropy changes. Royal, for example, skips encrypting blocks of data based on operator-defined parameters, balancing speed and impact.

### Why the Shift?

Several factors drive this evolution:

- Speed: Full encryption is time-consuming and increases the risk of detection. Partial encryption or corruption allows attackers to move quickly, demanding ransoms before defenses can respond.
- Leverage: Stolen data alone can be enough to extort victims, particularly if it includes sensitive or proprietary information. Threatening leaks or auctions adds pressure without the need for destructive payloads.
- Avoiding Decryption: Corruption and partial encryption reduce the likelihood of security researchers developing decryption tools, as seen with past ransomware strains like Lorenz and MafiaWare666.
- Hybrid Models: Some actors may switch between pure extortion and destructive techniques based on the value of stolen data, adopting a flexible approach to maximize payouts.

### Future Trends

The ransomware ecosystem is expected to diversify further, with:

- More extortion-only groups emerging, particularly those targeting high-value data without deploying ransomware.
- Increased use of corruption and partial encryption to balance speed and impact.
- Hybrid attacks where actors combine data theft with selective destruction, tailoring their approach to the victim’s profile.

This shift underscores the professionalization of cybercrime, where threat actors refine tactics to evade defenses, exploit vulnerabilities, and maximize profits, whether through encryption, corruption, or pure extortion. As the landscape evolves, defenders must adapt to a broader range of attack methods beyond traditional ransomware.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, Notoriety, Data extortion
DATA BREACH
Sensitive data; Proprietary information; Personally Identifiable Information (PII); Sensitivity Of Data: High; Partial; Intermittent
JULY 2022
798 Before Incident
Breach
01 Jul 2022, Samsung Electronics
Samsung Electronics

Samsung Data Breach

775 After Incident
CRITICAL -23
SAM203923922
Samsung suffered a data breach incident in late July 2022 after an unauthorized third party acquired information from some of Samsung’s U.S. systems. The exposed information included the name, contact, location, date of birth, and product registration information of its customers. Samsung worked with an external cybersecurity firm to prevent the attack from escalating and communicated directly with the affected customers.
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
name, contact, location, date of birth, product registration information
DATA BREACH
name, contact, location, date of birth, product registration information
MARCH 2022
818 Before Incident
Breach
01 Mar 2022, Samsung Electronics
Samsung Electronics

Samsung Data Breach by LAPSUS$

795 After Incident
CRITICAL -23
SAM211923922
The tech giant Samsung was targeted by the LAPSUS$ hacking group, which stole almost 200GB of sensitive data in March 2022. The exposed 190GB of files included the source code for Samsung’s activation servers, bootloaders and biometric unlock algorithms for all recently released Samsung devices, and trusted applets for Samsung’s TrustZone environment. The hacker also published the data on their Telegram group and made it available for users to download for free.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Data Theft, Public Disclosure
IMPACT
Data Compromised: 190GB; Activation Servers; Bootloaders; Biometric Unlock Algorithms; TrustZone Environment
DATA BREACH
Source Code; Activation Servers; Bootloaders; Biometric Unlock Algorithms; Trusted Applets; Sensitivity Of Data: High; Data Exfiltration: Yes
JUNE 2021
840 Before Incident
Breach
16 Jun 2021, Samsung Electronics
Samsung Electronics Germany

Data Breach at Samsung Electronics Germany

814 After Incident
CRITICAL -26
SAM010040325
A substantial data breach has hit Samsung Electronics Germany with around 270,000 customer records being sold on the dark web by a criminal hacker under the alias 'GHNA.' The stolen information encompasses names, addresses, emails, order details, and internal communications from Samsung's support system. The breach was consequent to compromised login credentials at IT service provider Spectos, linked to Samsung’s German ticket system. The credentials, originating from a credential theft incident in 2021, remained unchanged for several years, which facilitated the breach.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial Gain
IMPACT
names; addresses; emails; order details; internal communications; Systems Affected: Samsung’s German ticket system
DATA BREACH
names; addresses; emails; order details; internal communications; Number Of Records Exposed: 270,000; Data Exfiltration: Yes; Personally Identifiable Information: Yes

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for Samsung Electronics?
What was Samsung Electronics's A.I Rankiteo Cyber Score in May 2026?
What was Samsung Electronics's A.I Rankiteo Cyber Score in April 2026?
What was Samsung Electronics's A.I Rankiteo Cyber Score in March 2026?
What was Samsung Electronics's A.I Rankiteo Cyber Score in February 2026?
What was Samsung Electronics's A.I Rankiteo Cyber Score in January 2026?
What was Samsung Electronics's A.I Rankiteo Cyber Score in December 2025?
What was Samsung Electronics's A.I Rankiteo Cyber Score in November 2025?
What was Samsung Electronics's A.I Rankiteo Cyber Score in October 2025?
What was Samsung Electronics's A.I Rankiteo Cyber Score in September 2025?
What was Samsung Electronics's A.I Rankiteo Cyber Score in August 2025?
What was Samsung Electronics's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Samsung Electronics's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Samsung Electronics?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Samsung Electronics's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?