Infosec in Brief: Significant Security Concerns for Samsung, Microsoft, and More
The cybersecurity landscape has become increasingly concerning as major companies grapple with vulnerabilities that threaten user data and corporate integrity. One of the most pressing issues comes from Samsung, which has been accused of storing copied passwords in plaintext in the clipboard of some of its Galaxy devices. The problem was initially flagged by a user on Samsung's community forum who goes by the handle "OicitrapDraz."
On April 14, OicitrapDraz expressed his frustration, stating, "I copy passwords from my password manager all the time. How is it that Samsung's clipboard saves everything in plain text with no expiration? That's a huge security issue." Following this outcry, a Samsung representative confirmed the concern, acknowledging that the lack of expiration for clipboard data poses a significant risk for users. Because an attacker could take advantage of this oversight, Samsung users are urged to exercise extreme caution when copying sensitive information, particularly passwords and private data. Simon Sharwood highlighted that the situation underscores the need for robust security measures on the company's part.
Meanwhile, in a separate but equally alarming incident, researchers at Cybernews uncovered an unsecured Amazon S3 bucket containing more than 21 million screenshots gathered by employee monitoring software vendor WorkComposer. The software is marketed as a productivity tool that uses AI-powered analytics and records employees' web usage, including screenshots captured on a schedule. The findings suggest the bucket was possibly configured to allow public access, a common misconfiguration that many organizations have fallen victim to in the past. Since 2022, Amazon Web Services (AWS) has blocked public access by default and urged customers to verify their cloud storage settings to prevent unauthorized access. WorkComposer's failure to secure its data storage indicates a blatant disregard for established information security (infosec) best practices, a point Sharwood addresses with disapproval.
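The settings AWS urges customers to verify are the bucket's Block Public Access configuration and whether its policy makes it public. The following is an added example (not code from the article or from WorkComposer) that evaluates those two pieces of state; the evaluation runs offline on a constructed configuration, and only the optional fetch helper needs boto3 and AWS credentials.

```python
from typing import Dict, List, Optional

# The four Block Public Access settings that AWS enables by default.
# All four must be true for the bucket to be shielded from public ACLs and policies.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def evaluate_public_access(pab: Optional[Dict[str, bool]],
                           policy_is_public: bool) -> List[str]:
    """Return a list of findings; an empty list means the bucket is locked down.

    pab: the PublicAccessBlockConfiguration for the bucket, or None when the
         bucket has no such configuration at all (the risky pre-default state).
    policy_is_public: the IsPublic flag reported by GetBucketPolicyStatus.
    """
    findings: List[str] = []
    if pab is None:
        findings.append("no PublicAccessBlock configuration on bucket")
    else:
        for name in PAB_SETTINGS:
            if not pab.get(name, False):
                findings.append(f"{name} is disabled")
    if policy_is_public:
        findings.append("bucket policy grants public access")
    return findings


def fetch_bucket_state(bucket: str):
    """Fetch the live state of a real bucket with boto3 (needs credentials)."""
    import boto3  # imported here so the offline check above runs without it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None  # nothing configured: treated as a finding above
    try:
        is_public = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        is_public = False  # no policy at all cannot grant public access
    return pab, is_public


if __name__ == "__main__":
    # Constructed sample: one setting switched off and a public policy attached.
    sample_pab = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                  "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
    for finding in evaluate_public_access(sample_pab, policy_is_public=True):
        print("FINDING:", finding)
```

Account-level Block Public Access (set through the S3 Control API) can override a bucket's own settings, so a bucket with findings here may still be protected at the account level; check both before concluding that data is exposed.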
In the realm of big tech security, Microsoft announced some pivotal updates in its ongoing Secure Future Initiative (SFI). After coming under fire over a breach by Chinese attackers that gave unauthorized access to U.S. government Exchange accounts, Microsoft has finally implemented changes aimed at closing that vulnerability. According to a report released in September 2024, Microsoft enhanced the access token signing processes for Entra ID and Microsoft Account (MSA), which now use hardware security modules (HSMs) for improved key management. Microsoft is also transitioning its MSA signing service to Azure confidential virtual machines (VMs) and will do the same for the Entra ID signing service. The move addresses the attack vectors exploited during the notorious Storm-0558 attack in 2023. The ramifications of that breach were dire, as the operatives gained access to critical accounts, including those of senior government officials.
While it may seem overdue, Microsoft’s recent actions indicate a significant effort to mitigate the vulnerabilities that exposed an array of high-profile accounts. However, the slow response to past incidents has not gone unnoticed. Criticism has been aimed at Microsoft for "a cascade of avoidable errors," a sentiment echoed by the U.S. Cyber Safety Review Board. This past negligence attracted congressional scrutiny, forcing company president Brad Smith to address the growing concerns over Microsoft’s security shortcomings.
Adding to the unsettling news surrounding cybersecurity, scammers have already begun exploiting the recent passing of Pope Francis. According to Check Point, a campaign targeting internet users worldwide has emerged that lures them with fake news stories about the late pontiff. Users who click the links are redirected to fraudulent pages purporting to offer gift cards, designed to capture personal information or financial details.
In another development, Cisco's Talos threat intelligence group warned of a new initial access broker named "Toymaker." Since its detection in 2023, Toymaker has focused on infiltrating enterprise networks and stealing credentials to sell to other cybercriminals. After exploiting vulnerable internet-facing systems, Toymaker deploys a custom backdoor known as "LAGTOY," which facilitates command execution and further exploitation. Once this initial reconnaissance phase is complete, the group effectively vanishes from the network, leaving little evidence of its presence, a capability that underscores the evolving tactics of cybercriminals.
Furthermore, vulnerability tracking firm VulnCheck revealed in a recent report that 159 known exploited vulnerabilities were disclosed in the first quarter of 2025. Alarmingly, 28.3% of these vulnerabilities were targeted within a day of their release. This trend highlights the urgency for businesses to bolster their defenses against rapidly weaponized exploits.
Finally, the cybersecurity community eagerly awaits the release of MITRE ATT&CK version 17, which introduces an array of new techniques, many of them covering attacks against virtualized infrastructure. The updates aim to equip infosec professionals with better tools to anticipate and counter emerging threats.
As the cybersecurity landscape continues to evolve, one thing remains clear: organizations must prioritize security best practices and remain vigilant against increasingly sophisticated cyber threats.