
Steve Prentice
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Friday, May 30, 2025. I'm Steve Prentice.

Windows 11 might fail to start after installing this month's update, says Microsoft. Microsoft has confirmed that the KB5058405 update for Windows 11 may cause startup failures on some systems, particularly in enterprise environments. Affected devices display an error related to ACPI.sys, which is a key driver for power and device management. The issue primarily impacts Windows 11 22H2 and 23H2 running on Azure virtual machines, Azure Virtual Desktop, and virtual machines hosted on Citrix or Hyper-V. Home users are unlikely to be affected. Microsoft is currently investigating the problem and will provide further updates as available.

Victoria's Secret website goes offline following cyberattack. The lingerie retailer's site remains down as of this recording. This is the latest in a string of attacks on consumer-focused retailers such as Marks & Spencer, Co-op, Harrods and Adidas. There are few details available on the cause of this specific attack, but disruptions of this type are consistent with a ransomware response. The physical retail stores under the Victoria's Secret and Pink brands remain open.

Billions of stolen cookies remain available, worrying security experts. Almost 94 billion stolen cookies remain for sale on dark web and Telegram-based marketplaces, and between 7 and 9% of these, which is approximately 1.2 billion of them, are active and exploitable, says NordVPN. Adrianus Warmenhoven, who is cybersecurity advisor at NordVPN, said, "Cookies may seem harmless, but in the wrong hands they are digital keys to our most private information." He continues, "What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide." He further describes a stolen cookie as being just as dangerous as a password. Think twice before accepting cookies, he suggests.
China-linked hackers attack governments through Google Calendar. A report released this week by Google describes a sophisticated campaign conducted by APT41 that targets foreign governments as well as organizations in sectors such as logistics, media, automobiles and technology. In short, this attack, which starts with a spear-phishing email, launches a malware strain named TOUGHPROGRESS, which deploys payloads that operate entirely in a device's memory to evade detection. It uses Google Calendar for command and control by creating events on selected dates, one of which being May 30, 2023, and embedding stolen encrypted data into the description panels of these events.

Huge thanks to our sponsor ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO. That is T-H-R-E-A-T-L-O-C-K-E-R dot com slash CISO.

New Windows RAT hides by using corrupted DOS and PE headers. Researchers from Fortinet are describing a process by which malware works with corrupted DOS and PE headers. This refers to the Disk Operating System (DOS) and Portable Executable (PE) headers, which are essential parts of a Windows portable executable file, providing information about the executable. The discovery was made on a single machine, and the remote access trojan attack had allowed the threat actor to execute batch scripts and PowerShell to run the malware in a Windows process. Additional details about this attack technique are available at The Hacker News, and a link is provided in the show notes.
New AyySSHush botnet compromises ASUS routers. Researchers from GreyNoise state that this botnet, spelt A-y-y-S-S-H-u-s-h, a play on the name along with SSH backdoor, has hacked more than 9,000 ASUS routers, adding a persistent SSH backdoor. The attackers avoid detection while keeping control even after reboots or updates. Though attribution remains unclear, the campaign shows signs of a skilled, well-funded adversary building a covert botnet infrastructure, they said. Additional details are available at the GreyNoise website, a link to which is available in the show notes.

Criminals target AI users with malware-loaded installers. Criminals are using fake installers for popular AI tools like ChatGPT and InVideo AI to spread ransomware and malware, including CyberLock, Lucky_Gh0$t and a new strain called Numero. CyberLock encrypts specific files, while Lucky_Gh0$t is a variant of the Chaos ransomware series. Numero is particularly destructive, damaging Windows GUI components and rendering machines unusable. These fake tools target professionals in B2B sales and marketing, where legitimate AI tools are widely used. One such fake site appears to impersonate the affiliate platform Novaleads and uses SEO poisoning to boost its visibility and lure victims.

Threat actors abuse Google Apps Script in evasive phishing attacks. Cybercriminals are exploiting Google Apps Script, a development platform within Google's ecosystem, to host convincing phishing pages that steal login credentials, according to security researchers at Cofense. The attack typically begins with an email posing as an invoice, which includes a link to a fake login page. The phishing site, designed to mimic legitimate login screens, is hosted within Google's trusted environment, making it appear more authentic to unsuspecting users. This tactic increases the likelihood that victims will enter sensitive information, thus falling for the scam.
Cofense warns that this method leverages Google's credibility to bypass user suspicion.

We've got a busy Friday of live streams today. It starts at 1pm Eastern with Super Cyber Friday, where the topic will be Hacking Provable Security, an hour of critical thinking on how to go beyond security ratings and questionnaires. Then at 3:30pm Eastern, we have our Week in Review show. Steve Knight, former CISO at Hyundai Capital America, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to the events page at cisoseries.com, and if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines - Episode Summary
Hosted by Steve Prentice, CISO Series
Release Date: May 30, 2025
In this episode of Cyber Security Headlines, host Steve Prentice covers a series of pressing cybersecurity issues affecting both enterprise environments and everyday users. Ranging from Windows update failures to cyberattacks on major retailers and the dark web trade in stolen session cookies, the episode provides an overview of the current threat landscape. Below is a summary of the key discussions, insights, and conclusions presented.
Steve Prentice opens the episode by addressing a critical issue reported by Microsoft regarding the latest Windows 11 update, KB5058405. The update has been confirmed to cause startup failures on certain systems, particularly within enterprise environments. Affected devices are encountering errors related to the ACPI.sys driver, which is essential for power and device management.
This situation underscores the operational risk that a system update can introduce and the importance of staged testing before broad rollout, especially in enterprise settings where uptime is critical.
The episode highlights a significant cyberattack on Victoria’s Secret, resulting in the retail giant's website going offline. This incident is part of a broader trend of attacks targeting consumer-focused retailers, including names like Marks & Spencer, Co-op, Harrods, and Adidas.
The attack on Victoria’s Secret highlights the ongoing threat of ransomware to retail businesses, emphasizing the need for robust cybersecurity measures to protect both digital and physical operations.
One of the most alarming topics discussed is the prevalence of stolen cookies available on the dark web. NordVPN reports that approximately 94 billion stolen cookies are up for sale on dark web and Telegram-based marketplaces, and that roughly 7 to 9% of them are still active and exploitable.
Quote:
“Cookies may seem harmless, but in the wrong hands they are digital keys to our most private information,” said Adrianus Warmenhoven, Cybersecurity Advisor at NordVPN. [04:15]
This segment serves as a cautionary tale about the underestimated dangers of seemingly benign data like browser cookies, which can be weaponized by cybercriminals for significant malicious purposes.
The episode details a recent report by Google uncovering a sophisticated campaign by APT41, a notorious advanced persistent threat group. This campaign targets foreign governments and organizations across various sectors, including logistics, media, automobiles, and technology.
This innovative use of Google Calendar for command and control highlights the evolving tactics of cyber adversaries, exploiting trusted platforms to mask their malicious activities.
Researchers from Fortinet have uncovered a novel method employed by malware to conceal Remote Access Trojans (RATs) within Windows systems.
Further details and technical analyses are available on The Hacker News via a link provided in the show notes, offering listeners deeper insights into this emerging threat.
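As an added illustration that is not from the episode or from Fortinet's write-up, the Python below shows what an intact DOS/PE header looks like next to three constructed ways of corrupting it, and how a triage tool can flag the defects instead of trusting the header fields; the sample blobs are constructed here and are not real executables.

```python
import struct

DOS_HEADER_SIZE = 0x40          # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at offset 0x3C
PE_SIGNATURE = b"PE\x00\x00"


def build_sample(mz=b"MZ", e_lfanew=DOS_HEADER_SIZE, pe_sig=PE_SIGNATURE):
    """Construct a minimal header-only blob (not a real executable): a 64-byte
    DOS header followed by the PE signature and the start of IMAGE_FILE_HEADER."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = mz                                   # e_magic, normally b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # offset of the PE signature
    file_header = struct.pack("<HH", 0x8664, 3)     # Machine=AMD64, NumberOfSections=3
    return bytes(dos) + pe_sig + file_header


def check_headers(data):
    """Return a list of defects found in the DOS/PE headers; an empty list means
    the fields a loader relies on are internally consistent."""
    findings = []
    if len(data) < DOS_HEADER_SIZE:
        return ["shorter than the 64-byte DOS header"]
    if data[:2] != b"MZ":
        findings.append(f"DOS magic is {data[:2]!r}, expected b'MZ'")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + len(PE_SIGNATURE) > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:X} is not a usable offset for a {len(data)}-byte file")
        return findings                              # nothing past this point can be trusted
    sig = data[e_lfanew:e_lfanew + len(PE_SIGNATURE)]
    if sig != PE_SIGNATURE:
        findings.append(f"PE signature at 0x{e_lfanew:X} is {sig!r}, expected {PE_SIGNATURE!r}")
    return findings


def triage(samples):
    """Run check_headers over a dict of name -> bytes and return name -> findings."""
    return {name: check_headers(blob) for name, blob in samples.items()}


# Constructed corpus: one intact header and three ways a header can be corrupted
SAMPLES = {
    "intact": build_sample(),
    "zeroed_mz": build_sample(mz=b"\x00\x00"),
    "bad_e_lfanew": build_sample(e_lfanew=0xFFFF),
    "wiped_pe_sig": build_sample(pe_sig=b"\x00\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", findings or "headers intact")
```

A module dumped from memory that fails these checks but is still running is exactly the case worth escalating, since Windows itself would have refused to load such a file from disk.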
GreyNoise researchers report on a new botnet named AyySSHush, a name that plays on ASUS combined with a reference to the SSH backdoor it installs on compromised routers.
This development emphasizes the ongoing vulnerability of IoT devices, particularly routers, which serve as critical gateways in both home and enterprise networks.
Cybercriminals are increasingly exploiting the popularity of artificial intelligence tools by distributing malware through fake installers.
This trend highlights the intersection of rising AI tool adoption and cybercriminal exploitation, urging users to remain vigilant about the sources of their software installations.
Cofense security researchers reveal that cybercriminals are leveraging Google Apps Script to host sophisticated phishing pages.
Cofense warns that this tactic capitalizes on Google's credibility to circumvent traditional security measures and deceive users, necessitating enhanced vigilance and verification practices.
Steve Prentice wraps up the episode by underscoring the multifaceted nature of current cybersecurity threats, ranging from system update failures and covert botnets to evasive phishing strategies and the exploitation of emerging technologies like AI and trusted platforms. The discussions emphasize the importance of continuous vigilance, proactive security measures, and staying informed about evolving threat vectors.
For listeners seeking more in-depth analyses, the episode provides resources and links in the show notes, directing them to relevant articles on The Hacker News and GreyNoise websites.
Stay tuned to Cyber Security Headlines by CISO Series for daily updates and expert insights into the ever-changing world of information security.