
Samsung Mobile is at the forefront of mobile intelligence, shaping the future with Galaxy AI. With the next evolution of Galaxy AI, we are making lives simpler–reducing stress, creating more time, and getting the help you need without even having to ask. In this era of mobile AI, the freedom to focus on what matters most to you is no longer a dream, but a powerful reality. The future of Galaxy AI is here: more personal, intuitive, and transformative, unlocking endless possibilities and revolutionizing how your Galaxy can work for you. Life opens up with Galaxy AI.

Samsung Mobile A.I CyberSecurity Scoring

Samsung Mobile

Company Details

LinkedIn ID: samsungmobile
Employees: 18,959
LinkedIn followers: 647,859
NAICS: None
Industry Type: Consumer Electronics
Homepage: samsung.com
IP Addresses: 0
Company ID: SAM_2897948
Scan Status: In-progress

Samsung Mobile Risk Score (AI oriented): between 700 and 749
  • Powered by Rankiteo's proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums

Samsung Mobile Global Score (TPRM): XXXX
Samsung Mobile Company CyberSecurity News & History

Past Incidents: 7
Attack Types: 3
Entity         | Type          | Severity | Impact | Seen    | Rankiteo Explanation
Samsung Mobile | Breach        | 100      | 5      | 03/2022 | Attack threatening the organization's existence
Samsung Mobile | Breach        | 100      | 6      | 09/2022 | Attack threatening the economy of a geographical region
Samsung Mobile | Cyber Attack  | 100      | 5      | 12/2022 | Attack threatening the organization's existence
Samsung        | Vulnerability | 25       | 1      | 8/2024  | Attack without any consequences
Samsung Mobile | Vulnerability | 80       | 5      | 06/2015 | Attack threatening the organization's existence
Samsung        | Vulnerability | 100      | 6      | 4/2025  | Attack threatening the economy of a geographical region
Samsung        | Vulnerability | 100      | 5      | 7/2024  | Attack threatening the organization's existence

Samsung Mobile
Breach
Severity: 100
Impact: 5
Seen: 03/2022
Rankiteo Explanation
Attack threatening the organization's existence

Description: In March 2022 Samsung was targeted by the Lapsus$ hacker group. The attackers gained access to its servers and stole 190 GB of confidential data, including source code for Galaxy devices. Samsung took the affected systems offline and strengthened its security systems.

Samsung Mobile
Breach
Severity: 100
Impact: 6
Seen: 09/2022
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: Samsung suffered a data breach in which attackers compromised Samsung systems in the U.S. and exposed personal data of U.S. customers. The compromised information included names, contact details, demographic data, dates of birth, and product registration data. Samsung stated that no credit or debit card numbers and no Social Security numbers were accessed. Customers were warned to be on the lookout for unauthorized emails, messages, or phone calls that could use the stolen data to engage them, and were offered a free credit report.

Samsung Mobile
Cyber Attack
Severity: 100
Impact: 5
Seen: 12/2022
Rankiteo Explanation
Attack threatening the organization's existence

Description: At the Pwn2Own hacking contest in Austin, Texas, in 2021, Samsung Galaxy S21 devices were hacked twice within 48 hours. In 2022, Samsung's flagship Galaxy S22 fell to zero-day exploits twice on the same day. In both cases Samsung fixed the issues before malicious threat actors could abuse them.

Samsung
Vulnerability
Severity: 25
Impact: 1
Seen: 8/2024
Rankiteo Explanation
Attack without any consequences

Description: Attackers exploited CVE-2024-7399, an unauthenticated path traversal flaw in the file-upload functionality of Samsung MagicINFO 9 Server, to write a malicious JSP payload onto the server and execute it. Signage management servers of this kind are commonly deployed in retail stores, transportation hubs, corporate lobbies and healthcare facilities. Once executed, the payload installed a downloader for the Mirai botnet, turning the compromised signage servers into nodes for distributed denial-of-service attacks. Although no sensitive customer or employee information was stolen, the intrusion compromised system integrity and posed a risk of large-scale service disruption; administrators reported sporadic outages of digital signage and unusual outbound connections from the Windows Server hosts. Samsung had released a fixed version (21.1050.0) in August 2024, but exploitation surged after a public proof-of-concept exploit was published, and organizations still running MagicINFO 9 Server prior to 21.1050.0 remained exposed until they applied the update. The incident underscores the need for timely patch management on nontraditional, internet-facing devices, which are prime targets for opportunistic attacks.

Samsung Mobile
Vulnerability
Severity: 80
Impact: 5
Seen: 06/2015
Rankiteo Explanation
Attack threatening the organization's existence

Description: In 2015 a vulnerability was discovered in the pre-installed keyboard software on more than 600 million Samsung mobile phones worldwide. The keyboard fetched its language-pack updates without adequate protection, so an attacker positioned to intercept the phone's network traffic could exploit the bug to secretly monitor the phone's camera and microphone, install apps without permission, and read text messages. Samsung identified the bug and fixed it in a subsequent update.

Samsung
Vulnerability
Severity: 100
Impact: 6
Seen: 4/2025
Rankiteo Explanation
Attack threatening the economy of a geographical region

Description: The LANDFALL spyware campaign exploited a zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library to target Galaxy devices (S22, S23, S24, Z Fold4, Z Flip4). Delivered as malformed DNG image files sent over WhatsApp, the malware enabled extensive surveillance, including microphone recording, location tracking, call log theft, and extraction of photos, contacts and SMS messages. It manipulated SELinux policy for persistence and evasion, and evidence links it to commercial spyware operations (Stealth Falcon tradecraft, the Variston framework) and to targeted intrusions in the Middle East (Iraq, Iran, Turkey, Morocco). The vulnerability remained unpatched until April 2025, roughly nine months after the earliest known activity. Samsung later patched a related flaw (CVE-2025-21043), but the campaign's modular design suggests it could carry additional payloads. The combination of zero-day exploitation, encrypted C2 communication and anti-forensic techniques highlights the risk to high-profile individuals, government entities and critical infrastructure in the region. Palo Alto Networks Unit 42 confirmed that no WhatsApp vulnerability was involved, but delivery through a trusted messaging platform amplified the attack's reach and credibility.

Samsung
Vulnerability
Severity: 100
Impact: 5
Seen: 7/2024
Rankiteo Explanation
Attack threatening the organization's existence

Description: Security researchers at Palo Alto Networks Unit 42 uncovered LANDFALL, a sophisticated Android spyware campaign exploiting a zero-day vulnerability (CVE-2025-21042, CVSS 8.8) in Samsung Galaxy devices (S22, S23, S24, Z Fold 4, Z Flip 4). The attack used malformed DNG image files, disguised as WhatsApp transfers, to deploy modular spyware capable of recording audio and calls, tracking location, harvesting SMS, contacts and files, and maintaining persistence via SELinux manipulation. Targets included high-value individuals in the Middle East and North Africa (Iraq, Iran, Turkey, Morocco), suggesting state-sponsored or commercial espionage motives. The flaw was patched in April 2025, but the campaign had operated since July 2024, exposing users to prolonged surveillance. Its possible zero-click delivery (unconfirmed) and modular design (loader, privilege escalation, C2) align with advanced threat actors such as Stealth Falcon, historically linked to regional espionage. The incident underscores rising risk in mobile ecosystems, where image-processing libraries (here libimagecodec.quram.so) are increasingly targeted for intrusions.

Samsung Mobile Company Scoring based on AI Models

Cyber Incidents Likelihood (3, 6 and 9 months): predictions locked; available with the Monitoring Plan.

A.I. Risk Score Likelihood (3, 6 and 9 months): predictions locked; available with the Monitoring Plan.

Underwriter Stats for Samsung Mobile

Incidents vs Consumer Electronics Industry Average (This Year): Samsung Mobile has 0.0% fewer incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year): Samsung Mobile has 28.21% more incidents than the average of all companies with at least one recorded incident.

Incident Types vs Consumer Electronics Industry Average (This Year): Samsung Mobile reported 1 incident this year (0 cyber attacks, 0 ransomware, 1 vulnerability, 0 data breaches), compared with industry peers with at least 1 incident.

Incident History (chart; X = Date, Y = Severity): Samsung Mobile cyber incident detection timeline, including parent company and subsidiaries.

Samsung Mobile Company Subsidiaries

No subsidiaries are recorded for Samsung Mobile.

Samsung Mobile Similar Companies

Mia propia de mi

Private company dedicated to providing quality goods and services to a broad sector of the population.

Eldorado LLC

Eldorado is one of Russia's largest retailers of consumer electronics and household appliances. The company is present in almost all regions of Russia. Eldorado develops multichannel sales and operates over 600 stores throughout the country. Eldorado LLC is a part of the PPF Group and Emma C

Sharp Corporation

【Corporate Name】 Sharp Corporation 【Head Office】 1 Takumi-cho, Sakai-ku, Sakai City, Osaka 590-8522, Japan 【Management Representatives】 Masahiro Okitsu, President & Chief Executive Officer 【Business Activities】 Mainly manufacturing and sales of telecommunications equipment, electr


Samsung Mobile CyberSecurity News

December 03, 2025 08:00 AM
Why did India order smartphone makers to install a government app?

Privacy concerns lead India to rescind order demanding pre-installed cybersecurity app on all new mobile devices.

December 03, 2025 08:00 AM
India scraps mandatory cybersecurity app on new phones after backlash

The Indian government confidentially ordered companies like Apple, Samsung, and Xiaomi to install the Sanchar Saathi app on their new...

December 02, 2025 06:40 AM
India directs Apple, Samsung, Xiaomi and others to preload non-removable state cybersecurity app

India's telecom ministry has directed major smartphone manufacturers to preload a non-removable, state-owned cybersecurity app on all new...

December 01, 2025 08:00 AM
India orders smartphone makers to preload state-owned cyber safety app

India's telecoms ministry has privately asked smartphone makers to preload all new devices with a state-owned cyber security app that cannot...

December 01, 2025 08:00 AM
Government to Apple, Samsung, Xiaomi, Vivo, Oppo, OnePlus and other smartphone companies: Make sure all p

Tech News News: India's government is now requiring smartphone makers to pre-install the Sanchar Saathi cyber security app, which cannot be...

November 18, 2025 08:00 AM
Has Samsung Installed ‘Unremovable Israeli Spyware’ On Your Phone?

Samsung responds to accusations it has embedded AppCloud "spyware" on hundreds of millions of Galaxy phones.

November 12, 2025 08:00 AM
Samsung phones infected with 'Landfall' spyware through WhatsApp images — what you need to know

This malware can infect Samsung devices through malicious WhatsApp images and it doesn't require any user interaction.

November 11, 2025 08:00 AM
CISA Warns of Actively Exploited 0-Day RCE Vulnerability in Samsung Mobile Devices

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical remote code execution...

November 11, 2025 08:00 AM
U.S. CISA adds Samsung mobile devices flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Samsung mobile devices flaw to its Known Exploited Vulnerabilities...


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Samsung Mobile CyberSecurity History Information

Official Website of Samsung Mobile

The official website of Samsung Mobile is http://smsng.co/SamsungUnpacked.

Samsung Mobile’s AI-Generated Cybersecurity Score

According to Rankiteo, Samsung Mobile’s AI-generated cybersecurity score is 741, reflecting their Moderate security posture.

How many security badges does Samsung Mobile have?

According to Rankiteo, Samsung Mobile currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Samsung Mobile have SOC 2 Type 1 certification?

According to Rankiteo, Samsung Mobile is not certified under SOC 2 Type 1.

Does Samsung Mobile have SOC 2 Type 2 certification?

According to Rankiteo, Samsung Mobile does not hold a SOC 2 Type 2 certification.

Does Samsung Mobile comply with GDPR?

According to Rankiteo, Samsung Mobile is not listed as GDPR compliant.

Does Samsung Mobile have PCI DSS certification?

According to Rankiteo, Samsung Mobile does not currently maintain PCI DSS compliance.

Does Samsung Mobile comply with HIPAA?

According to Rankiteo, Samsung Mobile is not compliant with HIPAA regulations.

Does Samsung Mobile have ISO 27001 certification?

According to Rankiteo, Samsung Mobile is not certified under ISO 27001, meaning no ISO 27001 certification is verified in Rankiteo's records.

Industry Classification of Samsung Mobile

Samsung Mobile operates primarily in the Consumer Electronics industry.

Number of Employees at Samsung Mobile

Samsung Mobile employs approximately 18,959 people worldwide.

Subsidiaries Owned by Samsung Mobile

Samsung Mobile presently has no subsidiaries across any sectors.

Samsung Mobile’s LinkedIn Followers

Samsung Mobile’s official LinkedIn profile has approximately 647,859 followers.

NAICS Classification of Samsung Mobile

No NAICS code is recorded for Samsung Mobile (classified as Others).

Samsung Mobile’s Presence on Crunchbase

No, Samsung Mobile does not have a profile on Crunchbase.

Samsung Mobile’s Presence on LinkedIn

Yes, Samsung Mobile maintains an official LinkedIn profile, used for branding and talent engagement, at https://www.linkedin.com/company/samsungmobile.

Cybersecurity Incidents Involving Samsung Mobile

As of December 21, 2025, Rankiteo reports that Samsung Mobile has experienced 7 cybersecurity incidents.

Number of Peer and Competitor Companies

Samsung Mobile has an estimated 561 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Samsung Mobile?

Incident Types: The recorded incidents are of the types Cyber Attack, Vulnerability and Breach.

How does Samsung Mobile detect and respond to cybersecurity incidents?

Detection and Response: The response measures recorded across the incidents are:
  • Lapsus$ breach (03/2022): containment by taking the affected systems offline; remediation by strengthening security systems.
  • Keyboard vulnerability (06/2015): remediation through a software update.
  • U.S. customer data breach (09/2022): customers warned to be on the lookout for unauthorized communications; free credit report offered.
  • Pwn2Own zero-days (12/2022): patches and updates issued.
  • LANDFALL spyware (07/2024 to 04/2025, both records): incident response plan activated by Samsung and Palo Alto Networks Unit 42; third-party assistance from Unit 42; containment through Samsung security patches (April 2025, September 2025) and Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention); remediation through device security updates and malware signature updates; public disclosure via the Unit 42 report, security advisories and media coverage; enhanced monitoring for anomalous behaviour (C2 connections, suspicious image files, unexpected microphone usage) with Palo Alto Networks threat detection tools.

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: Lapsus$ Hacker Group Attack on Samsung

Description: Samsung was targeted by the Lapsus$ hacker group in March 2022. The attackers gained access to its servers and stole 190 GB of confidential data, including source code for Galaxy devices. Samsung took the affected systems offline and strengthened its security systems.

Type: Data Breach

Threat Actor: Lapsus$ hacker group

Incident : Software Vulnerability

Title: Samsung Keyboard Software Bug

Description: A software bug in Samsung mobile phones' keyboard allowed hackers to secretly monitor the phone's camera and microphone, install apps without permission, and monitor text messages.

Date Detected: 2015

Type: Software Vulnerability

Attack Vector: Software Bug

Vulnerability Exploited: Keyboard Software Bug

Threat Actor: Hackers

Motivation: Unauthorized access and monitoring

Incident : Data Breach

Title: Samsung Data Breach

Description: Hackers breached Samsung systems in the U.S., exposing personal data of U.S. customers. The compromised information includes name, contact details, demographic data, date of birth, and product registration data. No credit or debit card information or social security numbers were accessed. Customers were warned to be on the lookout for unauthorized communications and were offered a free credit report.

Type: Data Breach

Threat Actor: Hackers

Incident : Zero-day Exploit

Title: Samsung Galaxy Devices Hacked at Pwn2Own Event

Description: During the Pwn2Own hacking event in Austin, Texas, Samsung Galaxy S21 devices were hacked twice within 48 hours. The following year, the Samsung Galaxy S22 smartphone was also hacked twice on the same day, but Samsung fixed the issues before any malicious threat actors could do any harm.

Date Detected: 2021

Date Resolved: 2022

Type: Zero-day Exploit

Attack Vector: Hacking Event

Vulnerability Exploited: Zero-day vulnerabilities

Threat Actor: Security researchers competing at the Pwn2Own event

Motivation: Research/Event Participation

Incident : Botnet Infection

Title: Exploitation of CVE-2024-7399 in Samsung MagicINFO v9 Server

Description: Attackers exploited CVE-2024-7399, an unauthenticated path traversal flaw in the file-upload functionality of Samsung MagicINFO 9 Server, to write a malicious JSP payload onto the server and execute it. The payload installed a downloader for the Mirai botnet, turning the compromised signage servers into nodes for distributed denial-of-service attacks. Although no sensitive customer or employee information was stolen, the intrusion compromised system integrity and posed a risk of large-scale service disruptions.

Type: Botnet Infection

Attack Vector: Path Traversal

Vulnerability Exploited: CVE-2024-7399

Motivation: DDoS Attacks
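The MagicINFO record above (and the longer description of the same incident in the incident history) describes the whole chain: an unauthenticated upload whose filename is not confined to the upload directory, a JSP written where the web container executes it, then a botnet downloader. The following is an added example written for this page, not Samsung's MagicINFO code, showing the two controls a practitioner wants for a bug of this class: the flawed path-joining pattern beside a hardened handler that rejects directory components and server-executable extensions, and a scan of web-server access logs that flags upload requests carrying traversal sequences or a JSP name, including double-encoded ones. The /upload endpoint, the upload root and the log lines are constructed for the example and are not MagicINFO's real paths.

```python
"""Upload path-traversal defence and access-log triage (added example; constructed data)."""
import posixpath
import re
import urllib.parse
from typing import List, Optional

UPLOAD_ROOT = "/srv/signage/uploads"                  # assumed upload directory
ALLOWED_EXT = {".zip", ".png", ".jpg", ".mp4"}        # content a signage server expects
EXEC_EXT = {".jsp", ".jspx", ".war", ".jar", ".sh", ".exe", ".bat"}


def vulnerable_target(filename: str) -> str:
    """Flawed pattern: the client-supplied name is joined to the root as-is,
    so '../../webapps/ROOT/shell.jsp' lands inside the web container."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename.replace("\\", "/")))


def safe_target(filename: str) -> Optional[str]:
    """Hardened pattern: accept only a bare name with an allowed, non-executable
    extension, then confirm the normalized path is a direct child of the root."""
    if not filename or any(c in filename for c in "/\\\x00") or filename.startswith("."):
        return None                                   # any directory component is refused
    ext = posixpath.splitext(filename)[1].lower()
    if ext in EXEC_EXT or ext not in ALLOWED_EXT:
        return None                                   # the web container must never see a JSP
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    return target if posixpath.dirname(target) == UPLOAD_ROOT else None


REQUEST = re.compile(r'"(?:POST|PUT) (\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%252F.. -> ..%2F.. -> ../), up to `rounds` times."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_upload(line: str) -> List[str]:
    """Reasons an access-log line looks like a traversal or webshell upload ([] if none)."""
    m = REQUEST.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if "upload" not in fully_decode(path).lower():
        return []
    reasons = []
    for key, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)                     # parse_qsl decoded once already
        if TRAVERSAL.search(value):
            reasons.append(f"traversal in {key}={value!r}")
        if posixpath.splitext(value)[1].lower() in EXEC_EXT:
            reasons.append(f"executable extension in {key}={value!r}")
    return reasons


def scan_access_log(lines) -> List[tuple]:
    """(line index, reason) for every suspicious upload request in `lines`."""
    return [(i, r) for i, line in enumerate(lines) for r in suspicious_upload(line)]


# Constructed Combined-Log-Format lines; the /upload endpoint is hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "POST /upload?fileName=logo.png HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/May/2025:10:02:13 +0000] "POST /upload?fileName=..%2F..%2Fwebapps%2FROOT%2Fcmd.jsp HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/May/2025:10:02:20 +0000] "GET /cmd.jsp?cmd=whoami HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/May/2025:10:05:40 +0000] "POST /upload?fileName=..%252F..%252Fx.jsp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(vulnerable_target("../../webapps/ROOT/shell.jsp"))   # escapes the upload root
    print(safe_target("../../webapps/ROOT/shell.jsp"))         # None
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The extension allow-list does the real work in safe_target: even if a future bug let a directory component through, a name ending in .jsp is refused before any path is built. The log scan is deliberately noisy on purpose (one reason per indicator per parameter), because on a signage server an upload request that names a JSP at all is worth a look regardless of whether the traversal succeeded.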

Incident : spyware

Title: LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)

Description: Cybersecurity researchers at Unit 42 uncovered a sophisticated Android spyware campaign, dubbed LANDFALL, which exploited a zero-day vulnerability (CVE-2025-21042) in Samsung Galaxy devices. The malware leveraged a critical flaw in Samsung’s image processing library to deliver commercial-grade surveillance capabilities via maliciously crafted DNG image files sent through WhatsApp. The campaign targeted devices in the Middle East, including Iraq, Iran, Turkey, and Morocco, and exhibited tradecraft patterns linked to commercial spyware operations (e.g., Stealth Falcon, Variston). The spyware enabled extensive surveillance (microphone recording, location tracking, data exfiltration) and used evasion techniques to bypass Android’s SELinux policies. Samsung patched the vulnerability in April 2025, with an additional related fix (CVE-2025-21043) in September 2025.

Date Detected: 2024-07

Date Resolved: 2025-04

Type: spyware

Attack Vector: Malicious DNG image files; WhatsApp messaging platform; CVE-2025-21042 (Samsung image processing library)

Vulnerability Exploited: CVE-2025-21042 (Samsung Android image processing library)

Threat Actor: Potentially linked to Stealth Falcon; possible ties to the Variston spyware framework; private sector offensive actors (PSOAs)

Motivation: Surveillance; targeted espionage; commercial spyware deployment

Incident : Espionage

Title: LANDFALL Android Spyware Campaign Exploiting Samsung Zero-Day (CVE-2025-21042)

Description: Security researchers at Palo Alto Networks Unit 42 uncovered a sophisticated espionage campaign leveraging a zero-day vulnerability (CVE-2025-21042, CVSS 8.8) in Samsung Galaxy Android devices. The flaw, an out-of-bounds write defect in the libimagecodec.quram.so image-processing library, allowed remote code execution via malformed DNG image files. The campaign deployed a previously undocumented spyware family called LANDFALL, targeting flagship Samsung models (Galaxy S22, S23, S24, Z Fold 4, Z Flip 4) in the Middle East and North Africa (Iraq, Iran, Turkey, Morocco). The malware enabled surveillance capabilities such as audio recording, location tracking, and data exfiltration (photos, SMS, contacts, call logs). The initial attack vector remains unconfirmed but may involve zero-click exploitation via messaging apps like WhatsApp. The vulnerability was patched by Samsung in April 2025, though the campaign traces back to July 2024.

Date Detected: 2025-04-01

Date Publicly Disclosed: 2025-11 (Palo Alto Networks Unit 42 report; see the news section above)

Date Resolved: 2025-04-01

Type: Espionage

Attack Vector: Malformed DNG image files; messaging apps (e.g., WhatsApp); potential zero-click exploit

Vulnerability Exploited: CVE-2025-21042 (CVSS 8.8) - Out-of-Bounds Write in libimagecodec.quram.so

Threat Actor: Stealth Falcon (aka FruityArmor); confidence moderate (based on domain registration and C2 patterns, no definitive attribution)

Motivation: Targeted Espionage (likely state-sponsored or commercial spyware)
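Both LANDFALL records (the two history entries and the two incident details above) turn on the same mechanism: a DNG is a TIFF container, and the decoder reads offsets and counts from its IFD entries; if those values are trusted without bounds checks, a crafted file drives an out-of-bounds write in the native codec. The validator below is an added example written for this page, not Samsung's or Unit 42's code and not a LANDFALL signature. It performs the bounds checks a decoder must do before following any offset (IFD tables, out-of-line values, strip and tile pixel data), and goes beyond the page's description by also reporting unreferenced trailing data after the image structure, which a defender triaging suspicious image files from a messaging-app media folder would want to see. The sample files are constructed inline.

```python
"""TIFF/DNG container bounds checker (added example; constructed samples)."""
import struct

# Byte size of each TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, ...).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,
              10: 8, 11: 4, 12: 8, 13: 4}
STRIP_OFFSETS, STRIP_COUNTS = 273, 279     # pixel data for strip-organised images
TILE_OFFSETS, TILE_COUNTS = 324, 325       # pixel data for tiled images (typical in DNG)


def _read_ints(data, endian, typ, cnt, val_field, val_pos):
    """Integer values of an IFD entry (SHORT/LONG); stored inline if they fit in 4 bytes."""
    size = TYPE_SIZES[typ]
    fmt = {2: "H", 4: "I"}.get(size)
    if fmt is None:
        return []
    pos = val_pos if size * cnt <= 4 else val_field
    if pos + size * cnt > len(data):
        return []
    return list(struct.unpack_from(endian + fmt * cnt, data, pos))


def validate_tiff(data, max_ifds=64, trailing_limit=0):
    """Return (ok, findings); ok is True only when no finding was recorded."""
    n, findings = len(data), []
    if n < 8:
        return False, ["shorter than the 8-byte TIFF header"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        return False, ["bad byte-order mark"]
    magic, ifd_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        return False, [f"bad magic {magic}"]
    high_water, seen = 8, set()            # highest byte the structure accounts for
    while ifd_off:
        if ifd_off in seen or len(seen) >= max_ifds:
            findings.append("IFD chain loops or is too long")
            break
        seen.add(ifd_off)
        if ifd_off + 2 > n:
            findings.append(f"IFD offset {ifd_off} beyond EOF ({n})")
            break
        count = struct.unpack_from(endian + "H", data, ifd_off)[0]
        table_end = ifd_off + 2 + count * 12 + 4
        if table_end > n:
            findings.append(f"IFD at {ifd_off} with {count} entries is truncated")
            break
        high_water = max(high_water, table_end)
        arrays = {}
        for i in range(count):
            pos = ifd_off + 2 + i * 12
            tag, typ, cnt, val = struct.unpack_from(endian + "HHII", data, pos)
            size = TYPE_SIZES.get(typ)
            if size is None:
                findings.append(f"tag {tag}: unknown field type {typ}")
                continue
            total = size * cnt
            if total > 4:                  # value lives out of line at offset `val`
                if val + total > n:
                    findings.append(f"tag {tag}: {total} bytes at {val} beyond EOF")
                    continue
                high_water = max(high_water, val + total)
            if tag in (STRIP_OFFSETS, STRIP_COUNTS, TILE_OFFSETS, TILE_COUNTS):
                arrays[tag] = _read_ints(data, endian, typ, cnt, val, pos + 8)
        for off_tag, cnt_tag in ((STRIP_OFFSETS, STRIP_COUNTS), (TILE_OFFSETS, TILE_COUNTS)):
            offs, lens = arrays.get(off_tag), arrays.get(cnt_tag)
            if offs is None and lens is None:
                continue
            if not offs or not lens or len(offs) != len(lens):
                findings.append(f"tag {off_tag}/{cnt_tag}: mismatched offset/count arrays")
                continue
            for o, l in zip(offs, lens):   # every pixel block must lie inside the file
                if o + l > n:
                    findings.append(f"tag {off_tag}: pixel data {o}+{l} beyond EOF ({n})")
                else:
                    high_water = max(high_water, o + l)
        ifd_off = struct.unpack_from(endian + "I", data, table_end - 4)[0]
    trailing = n - high_water
    if trailing > trailing_limit:
        findings.append(f"{trailing} unreferenced trailing bytes after offset {high_water}")
    return not findings, findings


def build_tiff(extra_entries=(), pixel=b"\x00" * 6, strip_offset=None, trailer=b""):
    """Construct a minimal little-endian TIFF (2x1 RGB, one strip) for the samples."""
    table_end = 8 + 2 + (4 + len(extra_entries)) * 12 + 4
    offset = table_end if strip_offset is None else strip_offset
    entries = sorted([(256, 3, 1, 2), (257, 3, 1, 1), (273, 4, 1, offset),
                      (279, 4, 1, len(pixel))] + list(extra_entries))
    out = bytearray(b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries)))
    for tag, typ, cnt, val in entries:
        out += struct.pack("<HHII", tag, typ, cnt, val)
    out += struct.pack("<I", 0)            # no next IFD
    return bytes(out) + pixel + trailer


# Constructed samples: one well-formed file and three shapes a decoder must reject.
GOOD = build_tiff()
BAD_STRIP = build_tiff(strip_offset=0x7FFF0000)                    # pixel pointer past EOF
BAD_VALUE = build_tiff([(50000, 4, 100, 0xFFFFFF00)])              # out-of-line value past EOF
APPENDED = build_tiff(trailer=b"PK\x03\x04" + b"\x00" * 4096)      # unreferenced payload

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad_strip", BAD_STRIP),
                       ("bad_value", BAD_VALUE), ("appended", APPENDED)]:
        print(name, validate_tiff(blob))
```

A clean file returns (True, []); each finding names the tag and the offset that fails, which is the information needed to decide whether a file is merely corrupt or deliberately crafted. The trailing-data check is a triage heuristic rather than a verdict: some cameras write harmless padding, so set trailing_limit to a tolerance appropriate for the source. A production decoder must additionally validate tag semantics (dimensions, bits per sample, compression, sub-IFD pointers), which this example does not attempt.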

What are the most common types of attacks the company has faced?

Common Attack Types: The most common incident type recorded for the company is Vulnerability.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The attack vectors recorded for the incidents are path traversal (MagicINFO), malicious DNG image files delivered via WhatsApp, and a potential zero-click exploit via messaging apps (LANDFALL).

Impact of the Incidents

What was the impact of each incident?

Incident : Data Breach SAM22357322

Data Compromised: Source code of galaxy devices

Incident : Software Vulnerability SAM21281522

Systems Affected: Mobile Phones

Incident : Data Breach SAM15243922

Data Compromised: Name, Contact details, Demographic data, Date of birth, Product registration data

Incident : Zero-day Exploit SAM221971222

Systems Affected: Samsung Galaxy S21, Samsung Galaxy S22

Incident : Botnet Infection SAM301050625

Systems Affected: Signage management servers, Windows Server instances

Downtime: Sporadic outages of digital signage

Incident : spyware SAM1862118110825

Data Compromised: Microphone recordings, Location data, Call logs, Photos, Contacts, Sms messages

Systems Affected: Samsung Galaxy S22/S23/S24, Z Fold4, Z Flip4

Brand Reputation Impact: Potential reputational damage to Samsung; concerns over device security

Identity Theft Risk: High (PII exfiltration, location tracking)

Incident : Espionage SAM5892158110825

Data Compromised: Microphone audio/call recordings, Device location, Photos, Sms, Files, Contacts, Call logs

Systems Affected: Samsung Galaxy S22, Samsung Galaxy S23, Samsung Galaxy S24, Samsung Galaxy Z Fold 4, Samsung Galaxy Z Flip 4

Operational Impact: High (surveillance capabilities, persistence via SELinux policy manipulation)

Brand Reputation Impact: Moderate (high-profile zero-day exploit in flagship devices)

Identity Theft Risk: High (PII exfiltration)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data compromised across the incidents are source code; name, contact details, demographic data, date of birth and product registration data; and, for the spyware campaign, PII (contacts, SMS, photos, files), geolocation data, call logs, and microphone/audio recordings.

Which entities were affected by each incident ?

Incident : Data Breach SAM22357322

Entity Name: Samsung

Entity Type: Corporation

Industry: Technology

Incident : Software Vulnerability SAM21281522

Entity Name: Samsung

Entity Type: Company

Industry: Technology

Location: Global

Customers Affected: Over 600 million

Incident : Data Breach SAM15243922

Entity Name: Samsung

Entity Type: Corporation

Industry: Technology

Location: U.S.

Incident : Zero-day Exploit SAM221971222

Entity Name: Samsung

Entity Type: Corporation

Industry: Electronics

Location: Austin, Texas

Incident : Botnet Infection SAM301050625

Entity Name: Samsung

Entity Type: Corporation

Industry: Electronics

Incident : spyware SAM1862118110825

Entity Name: Samsung Electronics

Entity Type: corporation

Industry: technology (consumer electronics)

Location: South Korea (global operations)

Size: large enterprise

Customers Affected: users of Samsung Galaxy S22/S23/S24, Z Fold4, Z Flip4 in Middle East (Iraq, Iran, Turkey, Morocco)

Incident : spyware SAM1862118110825

Entity Name: Individual targets in Middle East

Entity Type: individuals/government entities

Location: Iraq, Iran, Turkey, Morocco

Incident : Espionage SAM5892158110825

Entity Name: Samsung Electronics

Entity Type: Corporation

Industry: Consumer Electronics/Technology

Location: Global (targeted regions: Middle East and North Africa - Iraq, Iran, Turkey, Morocco)

Size: Large (Multinational)

Customers Affected: Users of Samsung Galaxy S22, S23, S24, Z Fold 4, Z Flip 4 in targeted regions

Incident : Espionage SAM5892158110825

Entity Name: Individual Users

Entity Type: Consumers

Location: Iraq, Iran, Turkey, Morocco

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach SAM22357322

Containment Measures: Took off systems

Remediation Measures: Strengthened security systems

Incident : Software Vulnerability SAM21281522

Remediation Measures: Software update

Incident : Data Breach SAM15243922

Communication Strategy: Warned customers to be on the lookout for unauthorized communications; offered free credit report

Incident : Zero-day Exploit SAM221971222

Remediation Measures: Issued patches and updates

Incident : spyware SAM1862118110825

Incident Response Plan Activated: True

Third Party Assistance: Unit 42 (Palo Alto Networks).

Containment Measures: Samsung security patches (April 2025, September 2025); Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention)

Remediation Measures: Device security updates; malware signature updates

Communication Strategy: Public advisory via Unit 42 report; media coverage

Enhanced Monitoring: Palo Alto Networks threat detection tools

Incident : Espionage SAM5892158110825

Incident Response Plan Activated: Yes (by Samsung and Palo Alto Networks Unit 42)

Third Party Assistance: Palo Alto Networks Unit 42.

Containment Measures: Patch released by Samsung (April 2025)

Remediation Measures: Device updates; monitoring for anomalous behaviors (e.g., C2 connections, suspicious image files)

Communication Strategy: Public disclosure by Palo Alto Networks Unit 42; security advisories

Enhanced Monitoring: Recommended (for anomalous network connections, microphone usage, etc.)

What is the company's incident response plan?

Incident Response Plan: The company's incident response plan is described as activated (by Samsung and Palo Alto Networks Unit 42).

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Palo Alto Networks Unit 42.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach SAM22357322

Type of Data Compromised: Source code

Sensitivity of Data: High

Data Exfiltration: Yes

Incident : Data Breach SAM15243922

Type of Data Compromised: Name, Contact details, Demographic data, Date of birth, Product registration data

Personally Identifiable Information: Name, contact details, date of birth

Incident : spyware SAM1862118110825

Type of Data Compromised: Pii (contacts, sms, photos), Geolocation data, Call logs, Microphone recordings

Sensitivity of Data: high (personal and surveillance data)

Data Encryption: SELinux policy manipulation for persistence

File Types Exposed: DNG images (malicious payload), photos, SMS databases, contact lists

Incident : Espionage SAM5892158110825

Type of Data Compromised: Audio recordings, Location data, Photos, Sms, Files, Contacts, Call logs

Sensitivity of Data: High (includes PII and surveillance data)

Data Exfiltration: Yes

File Types Exposed: DNG images (malformed, with embedded ZIP payloads), photos, SMS, contacts, call logs

Personally Identifiable Information: Yes (contacts, call logs, location data)

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: strengthened security systems; software update; issued patches and updates; device security updates and malware signature updates; device updates and monitoring for anomalous behaviors (e.g., C2 connections, suspicious image files).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by taking systems offline; Samsung security patches (April 2025, September 2025); Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention); and the patch released by Samsung (April 2025).

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : spyware SAM1862118110825

Data Exfiltration: True

Incident : Espionage SAM5892158110825

Data Exfiltration: Yes (but not ransomware-related)

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Botnet Infection SAM301050625

Lessons Learned: The incident underscores the critical need for timely patch management to avoid opportunistic botnet attacks on nontraditional devices.

Incident : spyware SAM1862118110825

Lessons Learned: Zero-day vulnerabilities in image processing libraries are increasingly weaponized across mobile platforms (similar iOS exploits in 2025). Commercial spyware actors leverage ephemeral infrastructure (e.g., non-standard TCP ports) and modular architectures to evade detection. Supply chain risks extend to messaging platforms (WhatsApp) used as delivery mechanisms, even without platform vulnerabilities. SELinux policy manipulation is a critical evasion technique for Android malware persistence.

Incident : Espionage SAM5892158110825

Lessons Learned: Image-processing libraries (e.g., DNG/TIFF) are emerging as critical attack surfaces in mobile devices. Messaging apps and 'image' files can serve as stealthy initial vectors for advanced malware. Modular spyware architectures (loader + privilege escalation + C2) resemble commercial spyware, suggesting targeted espionage motives. Mobile devices, especially flagship models, must be treated as high-value targets for espionage, not just commodity malware. Long exposure windows (e.g., vulnerability exploited since July 2024, patched in April 2025) highlight the need for proactive monitoring and rapid patching.

What recommendations were made to prevent future incidents ?

Incident : spyware SAM1862118110825

Recommendations: Apply Samsung security patches promptly (April 2025 or later). Monitor for suspicious DNG/JPEG files received via messaging apps. Deploy advanced threat detection tools (e.g., Palo Alto Networks’ WildFire). Audit device permissions and SELinux policies for anomalies. Educate users on risks of unsolicited image files, even from known contacts. Investigate potential links to commercial spyware vendors (e.g., NSO Group, Variston).

Incident : Espionage SAM5892158110825

Recommendations: Ensure all Samsung devices are updated to the latest firmware (post-April 2025 patch). Treat mobile devices as potential espionage targets, especially in high-risk regions or sectors. Monitor for anomalous behaviors: unexpected network connections (C2 indicators), suspicious image files via chat apps, unauthorized microphone/camera usage. Review and enforce messaging-app usage policies, including scrutiny of attachments (even from trusted sources). Implement endpoint detection and response (EDR) solutions capable of detecting mobile spyware behaviors. Educate users on the risks of malformed image files and social engineering via messaging platforms.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: the incident underscores the critical need for timely patch management to avoid opportunistic botnet attacks on nontraditional devices; zero-day vulnerabilities in image processing libraries are increasingly weaponized across mobile platforms (similar iOS exploits in 2025); commercial spyware actors leverage ephemeral infrastructure (e.g., non-standard TCP ports) and modular architectures to evade detection; supply chain risks extend to messaging platforms (WhatsApp) used as delivery mechanisms, even without platform vulnerabilities; SELinux policy manipulation is a critical evasion technique for Android malware persistence; image-processing libraries (e.g., DNG/TIFF) are emerging as critical attack surfaces in mobile devices; messaging apps and 'image' files can serve as stealthy initial vectors for advanced malware; modular spyware architectures (loader + privilege escalation + C2) resemble commercial spyware, suggesting targeted espionage motives; mobile devices, especially flagship models, must be treated as high-value targets for espionage, not just commodity malware; and long exposure windows (e.g., vulnerability exploited since July 2024, patched in April 2025) highlight the need for proactive monitoring and rapid patching.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: implement endpoint detection and response (EDR) solutions capable of detecting mobile spyware behaviors; monitor for anomalous behaviors: unexpected network connections (C2 indicators), suspicious image files via chat apps, unauthorized microphone/camera usage; educate users on the risks of malformed image files and social engineering via messaging platforms; review and enforce messaging-app usage policies, including scrutiny of attachments (even from trusted sources); ensure all Samsung devices are updated to the latest firmware (post-April 2025 patch); and treat mobile devices as potential espionage targets, especially in high-risk regions or sectors.

References

Where can I find more information about each incident ?

Incident : spyware SAM1862118110825

Source: Unit 42 (Palo Alto Networks)

Incident : spyware SAM1862118110825

Source: VirusTotal (malicious DNG samples)

URL: https://www.virustotal.com

Incident : spyware SAM1862118110825

Source: Samsung Security Updates (CVE-2025-21042, CVE-2025-21043)

Incident : Espionage SAM5892158110825

Source: Palo Alto Networks Unit 42 Research Report

Incident : Espionage SAM5892158110825

Source: Samsung Security Advisory (CVE-2025-21042)

Incident : Espionage SAM5892158110825

Source: Meta Platforms/WhatsApp Disclosure (CVE-2025-55177)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at: Unit 42 (Palo Alto Networks); VirusTotal (malicious DNG samples), https://www.virustotal.com; Samsung Security Updates (CVE-2025-21042, CVE-2025-21043); Palo Alto Networks Unit 42 Research Report; Samsung Security Advisory (CVE-2025-21042); and Meta Platforms/WhatsApp Disclosure (CVE-2025-55177).

Investigation Status

What is the current status of the investigation for each incident ?

Incident : spyware SAM1862118110825

Investigation Status: ongoing (tracked as CL-UNK-1054 by Unit 42)

Incident : Espionage SAM5892158110825

Investigation Status: Ongoing (attribution to Stealth Falcon/FruityArmor is tentative; initial vector unconfirmed)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through warnings to customers to be on the lookout for unauthorized communications, an offer of a free credit report, a public advisory via the Unit 42 report, media coverage, public disclosure by Palo Alto Networks Unit 42 and security advisories.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach SAM15243922

Customer Advisories: Warned customers to be on the lookout for unauthorized communications; offered free credit report

Incident : spyware SAM1862118110825

Stakeholder Advisories: Palo Alto Networks customers notified via product updates.

Customer Advisories: Samsung security bulletins; media reports

Incident : Espionage SAM5892158110825

Stakeholder Advisories: Apply patches immediately; monitor for indicators of compromise (IoCs); review mobile security policies.

Customer Advisories: Update devices to the latest Samsung firmware; avoid opening suspicious image files from unknown sources; report unusual device behaviors (e.g., unexpected recordings, location tracking)

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: warned customers to be on the lookout for unauthorized communications; offered free credit report; Palo Alto Networks customers notified via product updates; Samsung security bulletins; media reports; apply patches immediately; monitor for indicators of compromise (IoCs); review mobile security policies; update devices to the latest Samsung firmware; avoid opening suspicious image files from unknown sources; and report unusual device behaviors (e.g., unexpected recordings, location tracking).

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Botnet Infection SAM301050625

Entry Point: Path Traversal

Incident : spyware SAM1862118110825

Entry Point: malicious DNG files via WhatsApp

Reconnaissance Period: 2024-01 to 2025-02 (samples uploaded to VirusTotal)

Backdoors Established: SELinux policy manipulation; persistent C2 communication via HTTPS/ephemeral ports

High Value Targets: Government/individual targets in Middle East

Data Sold on Dark Web: Government/individual targets in Middle East

Incident : Espionage SAM5892158110825

Entry Point: Malformed DNG image files (e.g., WhatsApp transfers); potential zero-click exploit via messaging apps

Backdoors Established: Yes (via modified SELinux policy for persistence)

High Value Targets: Samsung Galaxy flagship devices (S22, S23, S24, Z Fold 4, Z Flip 4); users in Middle East/North Africa (Iraq, Iran, Turkey, Morocco)

Data Sold on Dark Web: Samsung Galaxy flagship devices (S22, S23, S24, Z Fold 4, Z Flip 4); users in Middle East/North Africa (Iraq, Iran, Turkey, Morocco)

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Botnet Infection SAM301050625

Root Causes: CVE-2024-7399 vulnerability

Corrective Actions: Apply the patch released by Samsung in August 2024

Incident : spyware SAM1862118110825

Root Causes: Unpatched zero-day in Samsung’s image processing library (CVE-2025-21042). Lack of validation for malformed DNG files in Android’s media stack. Exploitation of WhatsApp as a trusted delivery vector. Commercial spyware tradecraft (e.g., modular architecture, evasion techniques).

Corrective Actions: Samsung patched CVE-2025-21042 (April 2025) and CVE-2025-21043 (September 2025). Palo Alto Networks updated detection signatures for LANDFALL indicators. Ongoing attribution analysis by Unit 42 (CL-UNK-1054).

Incident : Espionage SAM5892158110825

Root Causes: Zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library (libimagecodec.quram.so). Lack of user awareness about risks associated with image files via messaging apps. Delayed patching (vulnerability exploited since July 2024, patched in April 2025). Sophisticated modular spyware design (LANDFALL) enabling privilege escalation and persistence.

Corrective Actions: Samsung issued patches for CVE-2025-21042 (April 2025). Public disclosure by Unit 42 to raise awareness and prompt mitigations. Recommendations for organizations to treat mobile devices as high-value espionage targets. Encouragement for users to update devices and scrutinize messaging app attachments.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: Unit 42 (Palo Alto Networks); Palo Alto Networks threat detection tools; and recommended enhanced monitoring (for anomalous network connections, microphone usage, etc.).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: apply the patch released by Samsung in August 2024; Samsung patched CVE-2025-21042 (April 2025) and CVE-2025-21043 (September 2025); Palo Alto Networks updated detection signatures for LANDFALL indicators; ongoing attribution analysis by Unit 42 (CL-UNK-1054); Samsung issued patches for CVE-2025-21042 (April 2025); public disclosure by Unit 42 to raise awareness and prompt mitigations; recommendations for organizations to treat mobile devices as high-value espionage targets; and encouragement for users to update devices and scrutinize messaging app attachments.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking groups recorded across the incidents were the Lapsus$ hacker group; hackers; hackers at the Pwn2Own event; actors potentially linked to Stealth Falcon, with possible ties to the Variston spyware framework and private sector offensive actors (PSOAs); and Stealth Falcon (aka FruityArmor), with moderate confidence (based on domain registration and C2 patterns, but no definitive attribution).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was in 2015.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-04-01.

What was the most recent incident resolved ?

Most Recent Incident Resolved: The most recent incident resolved was in 2022.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were: source code of Galaxy devices; name, contact details, demographic data, date of birth, product registration data; microphone recordings, location data, call logs, photos, contacts, SMS messages; microphone audio/call recordings, device location, photos, SMS, files, contacts and call logs.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Samsung Galaxy S21 and S22; Samsung Galaxy S22/S23/S24, Z Fold4 and Z Flip4; and Samsung Galaxy S22, Galaxy S23, Galaxy S24, Galaxy Z Fold 4 and Galaxy Z Flip 4.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was Unit 42 (Palo Alto Networks).

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were: took systems offline; Samsung security patches (April 2025, September 2025); Palo Alto Networks detection updates (Advanced WildFire, URL Filtering, DNS Security, Threat Prevention); and the patch released by Samsung (April 2025).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were source code of Galaxy devices, files, contact details, location data, microphone recordings, demographic data, SMS messages, name, microphone audio/call recordings, call logs, product registration data, photos, contacts, date of birth and device location.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Long exposure windows (e.g., vulnerability exploited since July 2024, patched in April 2025) highlight the need for proactive monitoring and rapid patching.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: implement endpoint detection and response (EDR) solutions capable of detecting mobile spyware behaviors; apply Samsung security patches promptly (April 2025 or later); monitor for anomalous behaviors: unexpected network connections (C2 indicators), suspicious image files via chat apps, unauthorized microphone/camera usage; audit device permissions and SELinux policies for anomalies; educate users on the risks of malformed image files and social engineering via messaging platforms; review and enforce messaging-app usage policies, including scrutiny of attachments (even from trusted sources); treat mobile devices as potential espionage targets, especially in high-risk regions or sectors; deploy advanced threat detection tools (e.g., Palo Alto Networks’ WildFire); monitor for suspicious DNG/JPEG files received via messaging apps; educate users on risks of unsolicited image files, even from known contacts; investigate potential links to commercial spyware vendors (e.g., NSO Group, Variston); and ensure all Samsung devices are updated to the latest firmware (post-April 2025 patch).

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent source of information about an incident are Samsung Security Advisory (CVE-2025-21042), Unit 42 (Palo Alto Networks), VirusTotal (malicious DNG samples), Samsung Security Updates (CVE-2025-21042, CVE-2025-21043), Palo Alto Networks Unit 42 Research Report and Meta Platforms/WhatsApp Disclosure (CVE-2025-55177).

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.virustotal.com .

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is ongoing (tracked as CL-UNK-1054 by Unit 42).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisories issued were: Palo Alto Networks customers notified via product updates; apply patches immediately; monitor for indicators of compromise (IoCs); review mobile security policies.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were: warned customers to be on the lookout for unauthorized communications and offered a free credit report; Samsung security bulletins and media reports; update devices to the latest Samsung firmware, avoid opening suspicious image files from unknown sources, and report unusual device behaviors (e.g., unexpected recordings and location tracking).

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were malicious DNG files via WhatsApp and path traversal.

What was the most recent reconnaissance period for an incident ?

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was 2024-01 to 2025-02 (samples uploaded to VirusTotal).

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: the CVE-2024-7399 vulnerability; an unpatched zero-day in Samsung’s image processing library (CVE-2025-21042), lack of validation for malformed DNG files in Android’s media stack, exploitation of WhatsApp as a trusted delivery vector, and commercial spyware tradecraft (e.g., modular architecture, evasion techniques); and a zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library (libimagecodec.quram.so), lack of user awareness about risks associated with image files via messaging apps, delayed patching (vulnerability exploited since July 2024, patched in April 2025), and sophisticated modular spyware design (LANDFALL) enabling privilege escalation and persistence.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: apply the patch released by Samsung in August 2024; Samsung patched CVE-2025-21042 (April 2025) and CVE-2025-21043 (September 2025), Palo Alto Networks updated detection signatures for LANDFALL indicators, and ongoing attribution analysis by Unit 42 (CL-UNK-1054); and Samsung issued patches for CVE-2025-21042 (April 2025), public disclosure by Unit 42 to raise awareness and prompt mitigations, recommendations for organizations to treat mobile devices as high-value espionage targets, and encouragement for users to update devices and scrutinize messaging app attachments.

Latest Global CVEs (Not Company-Specific)

Description

Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating the requesting user. Due to improper privilege handling and a time-of-check time-of-use race condition combined with symbolic link and mount point manipulation, a local authenticated attacker can coerce the service into deleting arbitrary directories with SYSTEM privileges. This can be exploited to delete protected system folders such as C:\Config.msi and subsequently achieve execution as NT AUTHORITY\SYSTEM via MSI rollback techniques.

Risk Information
CVSS v4.0
Base: 8.5
Severity: HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
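The Versa entry above is the classic shape of a privileged-deleter bug: the service checks a caller-supplied path, then operates on it with its own (SYSTEM) rights, so a symbolic link or mount point placed at that path, or swapped in between the check and the use, redirects the deletion. The following is an added example, not code from Versa or from this page, that shows the check-then-use pattern beside a hardened form on Linux. The hardened walker opens each path component with O_NOFOLLOW relative to an already-open directory descriptor and deletes through that descriptor, so neither a link in the path nor a later swap of the directory can redirect the operation. The directory names and file layout are constructed for the demo; Windows mount points and client impersonation have no direct Python equivalent, so the example demonstrates the same bug class with symlinks.

```python
import errno
import os
import tempfile


def delete_export_vulnerable(root, relative):
    """Check-then-use deletion as a privileged service might do it.

    The containment check is a string comparison (normpath does not resolve
    links), and the unlink loop follows whatever the path points to at use
    time, so a symlink, or a swap between check and use, redirects the delete.
    """
    target = os.path.normpath(os.path.join(root, relative))
    if not (target + os.sep).startswith(os.path.normpath(root) + os.sep):
        raise ValueError("outside export root")
    for name in os.listdir(target):            # resolves a symlinked directory...
        os.remove(os.path.join(target, name))  # ...so files elsewhere are removed


def open_dir_nofollow(name, dir_fd):
    """Open one path component relative to an already-open directory,
    refusing to follow a symbolic link at that component."""
    try:
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                       dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise ValueError(f"component {name!r} is a link or not a directory") from exc
        raise


def delete_export_hardened(root, relative):
    """Walk `relative` component by component from a descriptor on `root`.

    Each step is opened with O_NOFOLLOW, so a link anywhere in the path is
    rejected, and every later operation uses the descriptor rather than the
    path, so a directory swapped in after the walk is never consulted.
    Files only; subdirectories would need the same descent recursively.
    """
    if os.path.isabs(relative):
        raise ValueError("absolute paths not allowed")
    parts = [p for p in relative.split(os.sep) if p not in ("", ".")]
    if ".." in parts:
        raise ValueError("parent traversal not allowed")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for part in parts:
            next_fd = open_dir_nofollow(part, fd)
            os.close(fd)
            fd = next_fd
        for name in os.listdir(fd):          # listing through the descriptor
            os.unlink(name, dir_fd=fd)       # removes the entry, never its target
    finally:
        os.close(fd)


def demo():
    """Constructed layout (not from the advisory): protected/keep.txt must
    survive; the caller-controlled exports/ tree holds a real job directory
    and a link named 'job-link' pointing at protected/. Returns what each
    deletion routine actually did."""
    base = tempfile.mkdtemp()
    protected = os.path.join(base, "protected")
    root = os.path.join(base, "exports")
    keep = os.path.join(protected, "keep.txt")
    os.makedirs(protected)
    os.makedirs(os.path.join(root, "real-job"))
    os.symlink(protected, os.path.join(root, "job-link"))
    with open(os.path.join(root, "real-job", "audit.log"), "w") as f:
        f.write("export\n")

    results = {}
    with open(keep, "w") as f:
        f.write("must survive\n")
    delete_export_vulnerable(root, "job-link")
    results["vulnerable_deleted_protected"] = not os.path.exists(keep)

    with open(keep, "w") as f:
        f.write("must survive\n")
    try:
        delete_export_hardened(root, "job-link")
        results["hardened_refused"] = False
    except ValueError:
        results["hardened_refused"] = True
    results["hardened_kept_protected"] = os.path.exists(keep)

    delete_export_hardened(root, "real-job")
    results["hardened_cleaned_real"] = os.listdir(os.path.join(root, "real-job")) == []
    return results


if __name__ == "__main__":
    print(demo())
```

On Windows the equivalent defence is twofold: open the target with FILE_FLAG_OPEN_REPARSE_POINT so junctions and symlinks are seen rather than traversed, and, more fundamentally, have the service impersonate the requesting client (ImpersonateNamedPipeClient or RpcImpersonateClient) before touching any caller-supplied path, so the delete runs with the caller's own rights and cannot reach C:\Config.msi in the first place.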
Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.

Risk Information
CVSS v3.1
Base: 7.6
Severity: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.

Risk Information
CVSS v3.1
Base: 4.3
Severity: MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration.

Risk Information
CVSS v3.1
Base: 5.4
Severity: MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile URLs, and user IDs by enumerating predictable directory_id values or brute-forcing the small 16^5 token space.

Risk Information
CVSS v3.1
Base: 5.3
Severity: MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
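The Ultimate Member entry above describes a directory token of 5 hex characters derived from md5 of a post ID, which gives a 16^5 (1,048,576) token space and, worse, a token anyone can regenerate from a guessable input. The following added example, not code from the plugin or from this page, makes both points concrete and contrasts the weak token with a random server-side handle gated by an authorization check. The exact derivation is assumed here to be the first five hex digits of md5(post_id); the advisory does not state it, and the registry class is a hypothetical stand-in for the plugin's storage.

```python
import hashlib
import secrets


def weak_directory_token(post_id):
    """Token of the shape the advisory describes: 5 hex characters taken from
    md5 of the post ID (assumed: the first five). No secret is mixed in, so
    anyone who can guess post IDs can regenerate it."""
    return hashlib.md5(str(post_id).encode()).hexdigest()[:5]


def recover_post_id(token, max_post_id=200000):
    """Attacker side: walk plausible post IDs until the derived token matches.
    Returns the first matching ID, or None if it lies outside the range."""
    for pid in range(1, max_post_id + 1):
        if weak_directory_token(pid) == token:
            return pid
    return None


WEAK_SPACE = 16 ** 5   # 1,048,576 possible tokens; trivial to enumerate online


class DirectoryRegistry:
    """Hardened form (hypothetical): an unguessable random handle mapped
    server-side to the directory, and an explicit authorization decision
    before any member data is returned from the AJAX endpoint."""

    def __init__(self):
        self._by_token = {}

    def register(self, post_id, public):
        token = secrets.token_hex(16)          # 128 bits, unrelated to post_id
        self._by_token[token] = {"post_id": post_id, "public": public}
        return token

    def lookup(self, token, requester_logged_in):
        entry = self._by_token.get(token)
        if entry is None:
            return None                        # unknown handle: nothing leaks
        if not entry["public"] and not requester_logged_in:
            return None                        # unauthenticated callers denied
        return entry["post_id"]


if __name__ == "__main__":
    t = weak_directory_token(1234)
    print("weak token", t, "recovers post id", recover_post_id(t))
    reg = DirectoryRegistry()
    h = reg.register(7, public=False)
    print("random handle", h, "anonymous lookup ->", reg.lookup(h, False))
```

The fix that matters is the authorization check on the unauthenticated endpoint; the random handle on its own only raises the cost of enumeration, which is why the two are shown together.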

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=samsungmobile' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure?

  • Incident
  • Finding
  • Grade
  • Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.