Cybersecurity News: Windows startup failures, Victoria’s Secret cyberattack, stolen cookie threat

Windows 11 might fail to start after installing KB5058405, says Microsoft

Microsoft has confirmed that the KB5058405 update for Windows 11 may cause startup failures on some systems, particularly in enterprise environments. Affected devices display a 0xc0000098 error related to ACPI.sys, a key driver for power and device management. This issue primarily impacts Windows 11 22H2/23H2 running on Azure Virtual Machines, Azure Virtual Desktop, and virtual machines hosted on Citrix or Hyper-V. Home users are unlikely to be affected. Microsoft is currently investigating the problem and will provide further updates as available.

(BleepingComputer)

Victoria’s Secret website goes offline following cyberattack

The lingerie retailer’s site remains down as of this recording. This is the latest in a string of attacks on consumer-focused retailers such as Marks and Spencer, Co-op, Harrods, and Adidas. There are few details available on the cause of this attack, but disruptions of this type are consistent with a ransomware response. The physical retail stores under the Victoria’s Secret and PINK brands remain open.

(Security Week)

Billions of stolen cookies available, worrying security experts

Almost 94 billion stolen cookies remain for sale on dark web and Telegram-based marketplaces, and between 7 and 9 percent – approximately 1.2 billion of them – are active and exploitable, says NordVPN. Adrianus Warmenhoven, cybersecurity advisor at NordVPN, said: “Cookies may seem harmless, but in the wrong hands, they’re digital keys to our most private information. What was designed to enhance convenience is now a growing vulnerability exploited by cybercriminals worldwide.” He further describes a stolen cookie as being just as dangerous as a password. “Think twice before accepting cookies,” he suggested.

(The Register)

China-linked hackers attack governments through Google Calendar

A report released this week by Google describes a sophisticated campaign conducted by APT41 that targeted foreign governments as well as organizations in sectors such as logistics, media, automobiles and technology. In short, the attack starts with spearphishing emails that launch a malware strain named ToughProgress, which deploys payloads that operate entirely in a device’s memory to evade detection. It used Google Calendar for command and control, creating events on selected dates, one of which was May 30, 2023, and embedding stolen, encrypted data in the description fields of these events.

(The Record)

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

New Windows RAT hides by using corrupted DOS and PE Headers

Researchers from Fortinet describe malware that runs despite having corrupted DOS and PE headers (Disk Operating System and Portable Executable headers), the structures at the start of a Windows PE file that describe the executable to the loader. The discovery was made on a single machine, where a remote access trojan had allowed a threat actor to execute a batch of scripts and PowerShell to run the malware inside a Windows process. Additional details are available at The Hacker News, and a link is provided in the show notes.
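As an added illustration for triage (this is not Fortinet's code or the analysis the item refers to), the following Python parses the two header structures named above and reports which checks a file or memory-dumped image fails; the byte blobs are constructed for the example, and the field offsets are those of the standard IMAGE_DOS_HEADER and IMAGE_NT_HEADERS layouts.

```python
import struct

DOS_HEADER_SIZE = 64               # IMAGE_DOS_HEADER is 64 bytes; e_lfanew sits at offset 60
DOS_MAGIC = b"MZ"                  # e_magic
PE_SIGNATURE = b"PE\0\0"           # IMAGE_NT_HEADERS.Signature
OPTIONAL_MAGICS = {0x10B, 0x20B}   # PE32 and PE32+ optional-header Magic values


def check_pe_headers(data: bytes) -> dict:
    """Report which DOS/PE header checks pass; 'ok' means a normal PE parser would accept the data."""
    r = {"dos_magic": False, "e_lfanew": None, "pe_signature": False,
         "machine": None, "sections": None, "optional_magic": None, "ok": False}
    if len(data) < DOS_HEADER_SIZE:
        return r
    r["dos_magic"] = data[:2] == DOS_MAGIC
    e_lfanew = struct.unpack_from("<I", data, 60)[0]   # file offset of the PE signature
    r["e_lfanew"] = e_lfanew
    # Signature (4) + COFF file header (20) + optional-header Magic (2) must fit in the buffer
    if e_lfanew + 26 <= len(data):
        r["pe_signature"] = data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE
        machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
        r["machine"], r["sections"] = machine, nsections   # still readable when signatures are wiped
        r["optional_magic"] = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    r["ok"] = r["dos_magic"] and r["pe_signature"] and r["optional_magic"] in OPTIONAL_MAGICS
    return r


def header_verdict(data: bytes) -> str:
    """One-line triage verdict listing which header checks a file or memory dump fails."""
    r = check_pe_headers(data)
    failed = [k for k in ("dos_magic", "pe_signature") if not r[k]]
    if r["optional_magic"] not in OPTIONAL_MAGICS:
        failed.append("optional_magic")
    return "headers intact" if not failed else "corrupted: " + ", ".join(failed)


def build_sample(dos_magic=b"MZ", pe_sig=PE_SIGNATURE, e_lfanew=0x80) -> bytes:
    """Constructed header-only blob (not a real binary): DOS header, padding, PE sig, COFF header, Magic."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = dos_magic
    struct.pack_into("<I", dos, 60, e_lfanew)
    padding = bytes(e_lfanew - DOS_HEADER_SIZE)          # where the DOS stub would normally live
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)  # x64, 3 sections, opt hdr 0xF0 bytes
    return bytes(dos) + padding + pe_sig + coff + struct.pack("<H", 0x20B)  # PE32+ Magic


VALID_SAMPLE = build_sample()
# Same layout with e_magic and the PE signature zeroed, the kind of header a loader would reject
CORRUPTED_SAMPLE = build_sample(dos_magic=b"\0\0", pe_sig=b"\0\0\0\0")
```

Running `header_verdict` over a dumped region tells an analyst whether the image is parseable as-is or whether the COFF fields survive behind wiped signatures, which is the case the item describes.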

(The Hacker News)

Criminals target AI users with malware-loaded installers

Cybercriminals are using fake installers for popular AI tools like ChatGPT and InVideo AI to spread ransomware and malware, including CyberLock, Lucky_Gh0$t, and a new strain called Numero. CyberLock encrypts specific files, while Lucky_Gh0$t is a variant of the Chaos ransomware series. Numero is particularly destructive, damaging Windows GUI components and rendering machines unusable. These fake tools target professionals in B2B sales and marketing, where legitimate AI tools are widely used. One such fake site appears to impersonate the affiliate platform NovaLeads and uses SEO poisoning to boost its visibility and lure victims.

(The Hacker News)

Threat actors abuse Google Apps Script in evasive phishing attacks

Cybercriminals are exploiting Google Apps Script, a development platform within Google’s ecosystem, to host convincing phishing pages that steal login credentials. According to security researchers at Cofense, the attack typically begins with an email posing as an invoice, which includes a link to a fake login page. The phishing site, designed to mimic legitimate login screens, is hosted within Google’s trusted environment, making it appear more authentic to unsuspecting users. This tactic increases the likelihood that victims will enter sensitive information, falling for the scam. Cofense warns that this method leverages Google’s credibility to bypass user suspicion.

(BleepingComputer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.