- According to Unit 42's analysis, it targets a wide range of Samsung flagship models, including the Galaxy S22, S23, and S24 series devices, as well as the Z Fold 4 and Z Flip 4.
CISA orders feds to patch Samsung zero-day used in spyware attacks
CISA ordered U.S. federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp.
Tracked as CVE-2025-21042, this out-of-bounds write security flaw was discovered in Samsung's libimagecodec.quram.so library, allowing remote attackers to gain code execution on devices running Android 13 and later.
While Samsung patched it in April following a report from Meta and WhatsApp Security Teams, Palo Alto Networks' Unit 42 revealed last week that attackers had been exploiting it since at least July 2024 to deploy previously unknown LandFall spyware via malicious DNG images sent over WhatsApp.
Data from VirusTotal samples examined by Unit 42 researchers shows potential targets in Iraq, Iran, Turkey, and Morocco, while C2 domain infrastructure and registration patterns share similarities with those seen in Stealth Falcon operations, which originated from the United Arab Emirates.
Another clue is the use of the "Bridge Head" name for the malware loader component, a naming convention commonly seen in commercial spyware developed by NSO Group, Variston, Cytrox, and Quadream.
- However, LandFall could not be confidently linked to any known spyware vendors or threat groups.
- While this binding operational directive only applies to federal agencies, CISA has urged all organizations to prioritize patching this security flaw as soon as possible.
No comments:
Post a Comment