Samsung admits Galaxy devices can leak passwords through clipboard wormhole

Infosec in brief Samsung has warned that some of its Galaxy devices store passwords in plaintext.

The Korean giant’s security SNAFU was reported by a user using the handle “OicitrapDraz” in a post to Samsung’s community forum.

“I copy passwords from my password manager all the time,” OicitrapDraz wrote on April 14. “How is it that Samsung’s clipboard saves everything in plain text with no expiration? That’s a huge security issue.”

A Samsung account responded as follows:

One UI is the custom Android skin Samsung installs on its Galaxy smartphones and tablets.

Samsung’s post is an admission that users of those devices need to be extremely careful when copying sensitive info to the clipboard – especially now that attackers know passwords and other sensitive info may be available. – Simon Sharwood

Researchers at Cybernews last week claimed they spotted an open AWS S3 bucket that contained over 21 million screenshots captured by employee monitoring software vendor WorkComposer.

Billed as “AI-Powered Time Tracking and Productivity Analytics”, WorkComposer’s wares can monitor employees’ use of the web at work using methods including scheduled screenshot capture.

Cybernews found millions of those screenshots in what it described as “an unsecured Amazon S3 bucket.” The outlet didn’t explain the bucket’s security deficiencies, but it is safe to assume it was set to allow public access – an error that many orgs have made over the years.

But it’s not an excusable error: since 2022, Amazon Web Services has blocked public access by default and advised users to check that their cloud storage is not accessible to unauthorized parties.

If WorkComposer has exposed buckets, it’s a big boo-boo that does not suggest it follows known best infosec practices. – Simon Sharwood
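The check AWS asks bucket owners to make can be done offline from two pieces of configuration. The following is an added example (not code from the article, WorkComposer or AWS): it models the documented S3 semantics, in which a bucket policy statement that allows `s3:GetObject` to the anonymous principal makes objects world-readable unless `RestrictPublicBuckets`, one of the four Block Public Access settings, is on. The bucket name and policy are constructed, and ACL-based exposure is assumed out of scope.

```python
import json

# Added example, not code from the article, WorkComposer or AWS. Models the
# documented S3 policy semantics only; ACL-based exposure is out of scope.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {"AWS": "*"} (list form too) means anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def statement_is_public_read(stmt):
    """True when a single statement grants object reads to anonymous callers."""
    if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
        return False
    if stmt.get("Condition"):  # a Condition (VPC endpoint, source IP) narrows access
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    return bool(actions & {"s3:getobject", "s3:*", "*"})


def bucket_is_public(policy_json, public_access_block):
    """Combine the bucket policy with its Block Public Access configuration."""
    if public_access_block.get("RestrictPublicBuckets", False):
        # The public policy is still attached, but S3 refuses anonymous callers.
        return False
    policy = json.loads(policy_json)
    return any(statement_is_public_read(s) for s in _as_list(policy["Statement"]))


# Constructed sample inputs (hypothetical bucket name, not WorkComposer's).
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-screenshots/*"}]})
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                "BlockPublicPolicy", "RestrictPublicBuckets")}
SECURE_DEFAULT = {k: True for k in NO_BLOCK}  # what AWS now applies to new buckets

if __name__ == "__main__":
    print("exposed with Block Public Access off:", bucket_is_public(LEAKY_POLICY, NO_BLOCK))
    print("exposed with AWS defaults:", bucket_is_public(LEAKY_POLICY, SECURE_DEFAULT))
```

The same policy is exposed under one configuration and safe under the other, which is why the article treats a public bucket in 2025 as an opt-out rather than an accident.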

Microsoft finally plugs Exchange hole China exploited … in 2023

Microsoft has detailed progress of its Secure Future Initiative (SFI), with the standout news being that it has finally introduced changes aimed at closing the attack vector Chinese cybercriminals used to break into US government Exchange accounts.

In its first report from the SFI, released in September 2024, Microsoft noted that it had updated the Entra ID and Microsoft Account (MSA) access token signing key processes to use hardware-based security modules (HSMs). As we noted at the time, this meant that all aspects of key management – generation, storage, and automatic access token rotation – would happen within HSMs.

In the new report, issued last week, Microsoft announced it has migrated its MSA signing service to Azure confidential virtual machines (VMs) and is in the process of moving Entra ID signing services to the same platform.

“Each of these improvements help mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft,” Redmond said.

Nice of you to finally get around to that, Microsoft.

For those unfamiliar with the Storm-0558 situation, it involved Chinese operatives who stole a Microsoft consumer signing key and used it to forge tokens that accessed Exchange Online accounts, including those of former Commerce Secretary Gina Raimondo and numerous other State Department and Commerce employees.

As it turns out, sloppy security practices, criticized by the US Cyber Safety Review Board as a “cascade of avoidable errors,” also left Microsoft vulnerable to a separate breach by Russian cyberspies, who accessed the email accounts of senior executives. Those incidents ultimately resulted in company president Brad Smith being hauled before Congress to answer for Redmond’s catalog of security problems.

The SFI was part of Microsoft’s response to those messes.

“We continue to make progress in every pillar and objective,” Microsoft said of the SFI in last week’s update. “Out of 28 objectives, five are nearing completion, 11 have made significant progress, and we continue to make progress against the rest.”

Scammers already exploiting passing of Pope Francis

Scammers are already trying to capitalize on public grief and curiosity following the passing of Pope Francis.

Check Point has reported discovering an online campaign that tricks users into clicking links to fake news about the late pontiff, redirecting them to a bogus Google page peddling scammy gift cards. It’s a classic ruse, Check Point noted, designed to fool victims into handing over personal information or payments.

“Public curiosity and emotional reactions make these moments prime opportunities for attackers to strike,” Check Point researchers wrote.

There’s a new initial access broker in town

Cisco’s Talos threat intelligence group has warned of a new initial access broker (IAB) making moves on enterprise networks.

Dubbed “Toymaker,” the group, which Talos first observed in 2023, seems singularly focused on compromising corporate systems and stealing credentials – which it sells to other cybercriminal gangs to finish the job.

According to Talos, Toymaker exploits vulnerable internet-facing systems to deploy its own custom-built backdoor, dubbed “LAGTOY,” which is used to create reverse shells and execute commands on infected machines. After an initial burst of reconnaissance, credential theft, and implant deployment, typically within about a week, Toymaker ghosts the network, leaving no signs of further movement or data exfiltration beyond credentials.

Talos observed that within a few weeks of Toymaker’s departure, the Cactus ransomware crew – which specializes in double extortion attacks – shows up and gets to work.

Indicators of Compromise (IOCs) and more technical details are available in Talos’ report on the gang.

Many fresh CVEs targeted within a day

Threat intel firm VulnCheck has found 159 known exploited vulnerabilities were publicly disclosed in the first quarter of 2025, and 28.3 percent of those were targeted within a day of disclosure.

The report found that the majority of rapidly-exploited CVEs were tied to content management systems and network edge devices, followed by operating systems, open-source software, and server platforms.

VulnCheck noted that the speed of exploitation in early 2025 was “marginally faster” than in 2024, underscoring how quickly threat actors are moving to weaponize vulnerabilities before defenders can react.

Mitre releases ATT&CK v17

Mitre has delivered a new version of its ATT&CK framework, the knowledge base of adversary tactics and techniques it compiles to help infosec pros mount their defenses.

The new version 17 added 34 VMware ESXi hypervisor attack techniques to the knowledge base, reflecting what Mitre called “the rise in attacks on virtualization infrastructure.”

Another new entry details North Korean remote work scams, highlighting how threat actors are deploying remote access tools to create hidden backdoors into sensitive systems.

Email bombing, malicious use of copy and paste, and bind mounts used to hide malicious processes are other new additions.

The next major release, ATT&CK 18, is expected to land in October. ®