Cyber Security Headlines - Episode Summary Hosted by Steve Prentice, CISO Series Release Date: May 30, 2025
In this episode of Cyber Security Headlines, host Steve Prentice covers a series of pressing cybersecurity issues affecting both enterprise environments and everyday users. Ranging from Windows update failures to cyberattacks on major retailers and the dark web economy, the episode provides an overview of the current threat landscape. Below is a detailed summary of the key discussions, insights, and conclusions presented.
1. Windows 11 Startup Failures Post KB5058405 Update
Timestamp: [00:00]
Steve Prentice opens the episode by addressing a critical issue reported by Microsoft regarding the latest Windows 11 update, KB5058405. The update has been confirmed to cause startup failures on certain systems, particularly within enterprise environments. Affected devices encounter errors related to the ACPI.sys driver, which is essential for power and device management.
Key Points:
- Affected Versions: Windows 11 versions 22H2 and 23H2, especially those running on Azure Virtual Machines.
- Exclusions: Home users and those using Azure Virtual Desktop, Citrix, or Hyper-V are largely unaffected.
- Microsoft's Response: The company is actively investigating the issue and has committed to providing updates as more information becomes available.
This situation underscores the vulnerabilities that can arise from system updates and the importance of thorough testing, especially in enterprise settings where uptime is critical.
2. Victoria’s Secret Suffers Cyberattack
The episode highlights a significant cyberattack on Victoria’s Secret, resulting in the retail giant's website going offline. This incident is part of a broader trend of attacks targeting consumer-focused retailers, including names like Marks & Spencer, Co-op, Harrods, and Adidas.
Key Points:
- Nature of the Attack: While specific details are scarce, the disruption is consistent with how organizations typically respond to a ransomware incident.
- Impact: The website remains down, affecting online sales and customer interactions. Notably, physical store operations under the Victoria's Secret and Pink brands continue unaffected.
The attack on Victoria’s Secret highlights the ongoing threat of ransomware to retail businesses, emphasizing the need for robust cybersecurity measures to protect both digital and physical operations.
3. Stolen Cookies: A Billion-Dollar Threat
One of the most alarming topics discussed is the prevalence of stolen cookies available on the dark web. NordVPN reports that approximately 94 billion stolen cookies are up for sale on platforms like Telegram-based marketplaces.
Quote:
“Cookies may seem harmless, but in the wrong hands they are digital keys to our most private information,” said Adrianus Warmenhoven, Cybersecurity Advisor at NordVPN. [04:15]
Key Points:
- Active Threats: Between 7% and 9% of these cookies, roughly 1.2 billion, are active and exploitable.
- Risks: Stolen cookies can grant unauthorized access to personal accounts, leading to data breaches and identity theft.
- Advice: Warmenhoven urges users to “think twice before accepting cookies,” highlighting the trade-off between convenience and security.
This segment serves as a cautionary tale about the underestimated dangers of seemingly benign data like browser cookies, which can be weaponized by cybercriminals for significant malicious purposes.
4. APT41's Sophisticated Attacks via Google Calendar
The episode details a recent report by Google uncovering a sophisticated campaign by APT41, a notorious advanced persistent threat group. This campaign targets foreign governments and organizations across various sectors, including logistics, media, automotive, and technology.
Key Points:
- Attack Vector: The campaign begins with a spear phishing email that delivers a malware strain named TOUGHPROGRESS.
- Malware Tactics: TOUGHPROGRESS deploys payloads that operate entirely in a device's memory, leaving little on disk for traditional file-based detection to find.
- Command and Control: The malware leverages Google Calendar by creating events on strategic dates (e.g., May 30, 2023) and embedding stolen, encrypted data within the event descriptions.
This innovative use of Google Calendar for command and control highlights the evolving tactics of cyber adversaries, exploiting trusted platforms to mask their malicious activities.
5. New Windows RAT Exploits Corrupted DOS and PE Headers
Researchers from Fortinet have uncovered a novel method employed by malware to conceal Remote Access Trojans (RATs) within Windows systems.
Key Points:
- Technique: The malware manipulates the DOS and Portable Executable (PE) headers of Windows executable files, the structures that the Windows loader and analysis tools rely on to interpret the file.
- Impact: Because many security and analysis tools expect well-formed headers, the corruption makes the RAT harder to detect, analyze, and remove.
- Execution: The attack was identified on a single machine, where the RAT used batch scripts and PowerShell commands to run inside a Windows process.
Further details and technical analyses are available on Hacker News via a link provided in the show notes, offering listeners deeper insights into this emerging threat.
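As an added defender-side illustration (not code from the episode or from Fortinet's analysis), the following Python check parses the DOS header's e_magic and e_lfanew fields, the PE signature, and the COFF file header, and reports the kinds of header corruption that trip up tools expecting well-formed executables. The sample byte strings are constructed here and are not real malware; the plausibility thresholds are assumptions.

```python
import struct

# Machine values from the PE specification; anything else is worth a second look.
KNOWN_MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def check_pe_headers(data: bytes) -> list[str]:
    """Return a list of DOS/PE header anomalies; an empty list means the headers look well-formed."""
    findings = []
    if len(data) < 64:
        return ["file shorter than the 64-byte DOS header"]
    if data[:2] != b"MZ":
        findings.append("DOS e_magic is not 'MZ'")
    # e_lfanew (offset 0x3C) must point at the PE signature, inside the file and past the DOS header.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 64 or e_lfanew + 24 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:X} points outside the file or into the DOS header")
        return findings
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        findings.append(f"no PE signature at e_lfanew 0x{e_lfanew:X}")
        return findings
    # COFF file header (20 bytes, little-endian): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"unexpected Machine value 0x{machine:X}")
    if nsections == 0 or nsections > 96:  # 96 is the loader's documented section limit
        findings.append(f"implausible NumberOfSections {nsections}")
    if opt_size == 0:
        findings.append("SizeOfOptionalHeader is 0")
    if not chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        findings.append("IMAGE_FILE_EXECUTABLE_IMAGE flag not set")
    return findings


def build_sample(dos_magic=b"MZ", e_lfanew=0x40, pe_sig=b"PE\0\0") -> bytes:
    """Constructed 88-byte header stub (not a real executable): DOS header, PE signature, COFF header."""
    dos = bytearray(64)
    dos[:2] = dos_magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)
    return bytes(dos) + pe_sig + coff


if __name__ == "__main__":
    for name, blob in [("well-formed", build_sample()), ("dangling e_lfanew", build_sample(e_lfanew=0xFFFFFFF0))]:
        print(name, check_pe_headers(blob) or "no anomalies")
```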
6. Ashush Botnet Compromises ASUS Routers
GreyNoise researchers report on a new botnet named AyySSHush, a play on "ASUS" combined with a reference to the SSH backdoors it installs.
Key Points:
- Scope: The botnet has successfully compromised over 9,000 ASUS routers, embedding a persistent SSH backdoor.
- Persistence: The backdoor allows attackers to maintain control over the routers even after system reboots or firmware updates.
- Attribution: While the specific actors behind the campaign remain unidentified, the sophistication and scale suggest a skilled and well-funded adversary.
This development emphasizes the ongoing vulnerability of IoT devices, particularly routers, which serve as critical gateways in both home and enterprise networks.
7. Malware Targets AI Users with Fake Installers
Cybercriminals are increasingly exploiting the popularity of artificial intelligence tools by distributing malware through fake installers.
Key Points:
- Targeted Software: Popular AI applications like ChatGPT and InVideo AI are impersonated to deceive users.
- Types of Malware: The fake installers distribute various forms of ransomware and malware, including:
  - CyberLock: Encrypts specific files.
  - Lucky_Gh0$t: A variant of the Chaos ransomware family.
  - Numero: A particularly destructive strain that damages Windows GUI components, rendering machines unusable.
- Victim Profile: Professionals in B2B sales and marketing, where legitimate AI tools are widely used.
- Methodology: One approach involves a fake site impersonating the affiliate platform NovaLeads, using SEO poisoning to increase visibility and lure victims.
This trend highlights the intersection of rising AI tool adoption and cybercriminal exploitation, urging users to remain vigilant about the sources of their software installations.
8. Abuse of Google Apps Script for Phishing Campaigns
Cofense security researchers reveal that cybercriminals are leveraging Google Apps Script to host sophisticated phishing pages.
Key Points:
- Attack Mechanism: The phishing process typically begins with an email masquerading as an invoice, containing a link to a fraudulent login page.
- Hosting Strategy: By using Google Apps Script, the phishing sites are hosted within Google's trusted environment, enhancing their legitimacy and reducing user suspicion.
- Impact: These convincing phishing pages effectively mimic legitimate login interfaces, increasing the likelihood of victims entering sensitive credentials.
Cofense warns that this tactic capitalizes on Google's credibility to circumvent traditional security measures and deceive users, necessitating enhanced vigilance and verification practices.
Conclusion
Steve Prentice wraps up the episode by underscoring the multifaceted nature of current cybersecurity threats, ranging from system update vulnerabilities and sophisticated botnets to innovative phishing strategies and the exploitation of emerging technologies like AI and trusted platforms. The discussions emphasize the importance of continuous vigilance, proactive security measures, and staying informed about evolving threat vectors.
For listeners seeking more in-depth analyses, the episode provides resources and links in the show notes, directing them to relevant articles on the Hacker News and GreyNoise websites.
Stay tuned to Cyber Security Headlines by CISO Series for daily updates and expert insights into the ever-changing world of information security.
