May Cybersecurity News Digest

Highlights from the cybersecurity world  

1. Fake Google Meet pages trick users into executing malicious code

A social engineering campaign uses the “ClickFix” technique: fake Google Meet pages trick users into running malicious PowerShell commands that deploy information-stealing malware. Phishing emails mimic real meeting invitations and lead victims to counterfeit URLs, where convincing fake interfaces and error messages guide them to paste and run the harmful commands themselves.

Users should remember that legitimate services do not request PowerShell commands via email. To mitigate such attacks, it's crucial to implement solutions like endpoint detection and response, application whitelisting, web application firewalls, regular malware scans, and strong access controls.

2. 71 fake sites impersonating a major German retailer steal payment information

A network of 71 fraudulent websites impersonating a major German discount retailer has been stealing consumers’ payment and personal data since February 2025. The sites closely mimic the legitimate addresses and run deceptive ads targeting European consumers with false discount offers for electronics and household goods.

Unlike typical phishing schemes, these fake websites process payments through compromised merchant accounts, highlighting a growing trend in e-commerce fraud. Financial institutions are urged to block transactions with the identified accounts and monitor cards previously used. Merchant acquirers should examine their portfolios for other potentially compromised registrations.

3. Administrator Protection changes how privileges are managed in Windows 11

The new Administrator Protection feature in Windows 11 improves security by preventing privilege escalation attacks. It introduces a profile-separated user account for managing elevated privileges, requiring authentication for admin access. The temporary admin token is created for specific tasks and destroyed afterwards. This feature also eliminates auto-elevation, which allowed users to gain admin rights without consent.

Available in all Windows 11 editions, it can be enabled through Windows Security, Group Policy, or MDM tools. Microsoft recommends running applications with minimal privileges, with a May 2025 update disabling sensitive resources like the camera and microphone for apps with elevated permissions by default.

4. TikTok and Instagram APIs abused to verify stolen accounts

Malicious Python packages like checker-SaGaF, steinlurks, and sinnercore exploit TikTok and Instagram's internal APIs to verify stolen credentials. By connecting to private API endpoints for password recovery, attackers can methodically check email address lists to identify which ones are linked to valid accounts. This allows them to focus on confirmed accounts, minimising detection risks while boosting success rates. This trend underscores the increasing sophistication of supply chain attacks in developer ecosystems, as attackers leverage trusted repositories to enhance the exploitation of stolen data.

5. The new OneDrive default sync feature is set to roll out!

We have already informed you about the new “Prompt to Add Personal Account to OneDrive Sync” feature, which urges users to sync personal and corporate OneDrive accounts on Windows devices. While designed to streamline file access, this update is sparking serious concerns about the possible risks of data exfiltration and the implications for data security. The feature is rolling out in mid-June 2025, with completion expected by early July 2025.

6. Emergency fix KB5061768 for a critical Windows 10 issue

A fix released on May 19 addresses recent boot issues in Windows 10 that left enterprise customers facing system lockouts and boot loops requiring BitLocker recovery keys. The problems emerged after installing the May 13, 2025, Windows 10 security update KB5058379, which caused the Local Security Authority Subsystem Service (LSASS) to crash.

This issue particularly impacts Windows 10 version 22H2, Windows 10 Enterprise LTSC 2021, and Windows 10 IoT Enterprise LTSC 2021 on Intel vPro processors (10th generation or later) with Intel Trusted Execution Technology (TXT) enabled. Most consumer devices running Home and Pro editions are unaffected. The KB5061768 emergency cumulative update can be found in the Microsoft Update Catalog, and affected organisations are urged to install it immediately.

7. A phishing attack targets corporate users with fake Zoom invitations

This attack uses social engineering tactics to create urgency, prompting victims to click on malicious links in fake Zoom meeting notification emails with subject lines like “Missed Zoom Call” or “Urgent Meeting Request”. Once victims click the link, they are directed to a convincing replica of a Zoom interface, creating the illusion of a live meeting with colleagues waiting. After a fake disconnection notification, a fraudulent login prompt appears to capture credentials. Analysis shows that stolen information is sent via Telegram API endpoints, allowing attackers to collect data in real-time while avoiding security controls.

8. ChatGPT flaw allows embedding malicious SVGs in shared chats

ChatGPT has been found to have a serious security flaw that lets attackers insert malicious SVG files into shared conversations. Instead of rendering the SVG code as text, ChatGPT mistakenly renders and executes it when chats are reopened or shared via public links. This could enable phishing attacks and exposure to harmful content, including flashing effects capable of triggering epileptic seizures.

OpenAI has temporarily disabled the link-sharing feature, but a comprehensive fix is still pending. Users are advised to be cautious when viewing shared conversations from unknown sources. The incident underlines the need to secure AI chat interfaces against traditional web vulnerabilities.
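The two defensive options the item contrasts, rendering untrusted SVG as text or refusing to inline it when it carries active content, shown as an added example (not OpenAI's code; the SVG samples are constructed and the rule list is an assumption, a gate rather than a full sanitizer):

```javascript
// Added example: handling user-supplied SVG in a rendered chat transcript.
// Not OpenAI's code; the samples below are constructed for illustration.

// 1. Safe default: show the markup as text. Escaping the five HTML
//    metacharacters makes the browser display the SVG source, never run it.
function escapeForText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// 2. If SVG must be rendered inline, gate it: reject markup that carries
//    script, event handlers, script URLs, embedded HTML, animation or
//    external references. A gate rejects; it does not try to rewrite.
const ACTIVE_CONTENT_RULES = [
  { name: "script element",     re: /<\s*script\b/i },
  { name: "event handler",      re: /\bon[a-z]+\s*=/i },
  { name: "javascript: URL",    re: /\b(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i },
  { name: "foreignObject",      re: /<\s*foreignObject\b/i },
  { name: "SMIL animation",     re: /<\s*(?:animate|animateTransform|animateMotion|set)\b/i },
  { name: "external reference", re: /\b(?:href|xlink:href)\s*=\s*["']?\s*(?:https?:)?\/\//i },
];

// Returns the names of every rule the markup trips, in rule order.
function findActiveContent(svg) {
  return ACTIVE_CONTENT_RULES.filter((r) => r.re.test(svg)).map((r) => r.name);
}

function isSafeToInline(svg) {
  return findActiveContent(svg).length === 0;
}

// Constructed samples: a static shape, a SMIL animation, and script content.
const SAMPLE_BENIGN =
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4" fill="red"/></svg>';
const SAMPLE_ANIMATED =
  '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"><animate attributeName="fill" values="#fff;#000" dur="1s" repeatCount="indefinite"/></rect></svg>';
const SAMPLE_SCRIPT =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><script>alert(1)</script></svg>';

// Decide per message: inline only what passes the gate, otherwise show source.
function renderSvgMessage(svg) {
  return isSafeToInline(svg) ? svg : escapeForText(svg);
}
```

Animation is refused here because the item mentions flashing effects; a deployment that wants static images only may drop the animation rule to a warning instead.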

9. Significant vulnerabilities in Volkswagen’s car app

Three major vulnerabilities were found in Volkswagen’s connected car app, exposing sensitive information worldwide:

  • Leaked Credentials: An API endpoint revealed internal usernames, passwords, tokens, and third-party service credentials in plaintext.
  • Exposed Personal Details: Customer information such as names, phone numbers, and addresses could be accessed using only a vehicle’s VIN.
  • Accessible Service History: Vehicle service histories, customer complaints, and survey results could be viewed by entering a VIN.

These vulnerabilities allowed attackers to access vehicle and personal data, and potentially control vehicle features remotely. Volkswagen confirmed on May 6, 2025, that the issues were resolved. Security experts emphasise the need for manufacturers to prioritise cybersecurity in modern cars.

10. Severe Illustrator and Photoshop vulnerabilities. Update now!

Adobe has released critical security updates for Photoshop and Illustrator due to severe vulnerabilities allowing attackers to execute arbitrary code, potentially compromising systems completely. A heap-based buffer overflow affects Illustrator 2025 (version 29.3 and earlier) and 2024 (version 28.7.5 and earlier). Photoshop 2025 (version 26.5 and earlier) and 2024 (version 25.12.2 and earlier) have three vulnerabilities that could give attackers full control of the system. Updated versions are:

  • Illustrator 2025 version 29.4
  • Illustrator 2024 version 28.7.6
  • Photoshop 2025 version 26.6
  • Photoshop 2024 version 25.12.3

Users should update immediately via the Creative Cloud desktop application, while IT administrators can use the Admin Console for deployment.

11. Two cumulative updates for Windows 11

Microsoft released two cumulative updates for Windows 11, KB5058411 and KB5058405, enhancing security and performance.

The KB5058411 update targets Windows 11 version 24H2, while the KB5058405 update is for versions 22H2 and 23H2. They both focus on security improvements. An additional servicing stack update, KB5058528 (builds 22621.5334 and 22631.5334), optimises the update delivery process.

12. Microsoft May 2025 Patch Tuesday

Microsoft’s May 2025 Patch Tuesday fixes 72 vulnerabilities, including 5 zero-day vulnerabilities currently exploited. The security update covers Windows, Microsoft Office, Azure, and Visual Studio, among others. Users are urged to update their software immediately, especially considering the number of actively exploited vulnerabilities.

13. KeePass used by hackers to steal passwords

In a concerning trend for cybersecurity, threat actors are increasingly targeting KeePass, a popular open-source password manager, to distribute malware and steal sensitive credentials. The campaign, which began in early April 2025, involves compromised download links and trojanised versions of the authentic application that look genuine but contain malicious code.

Once installed, the trojanised application keeps full password management functionality while stealthily carrying out its harmful actions, which makes it difficult to detect. Besides the KeePass credentials, the malware captures browser-saved passwords, authentication cookies, and cryptocurrency wallet information.

14. Teams will block unauthorised screenshots

A new “Prevent Screen Capture” feature for Teams is set for worldwide rollout in July 2025. This feature will block unauthorised screenshots during meetings across Teams desktop applications for Windows, macOS, iOS, and Android. Participants using unsupported platforms or older versions will be automatically placed in audio-only mode for security.

Additionally, in June 2025, detailed audit logs for screen sharing and control features will be available for IT administrators to track who initiated or received control during sessions. These tools will aid organisations in compliance-heavy industries to protect sensitive discussions and intellectual property.

15. PDF invoices used to attack operating systems

A sophisticated email attack campaign leverages weaponised PDF invoices to deliver a remote access trojan (RAT) that primarily targets Windows systems, though it can also affect Linux and macOS devices with the Java Runtime Environment (JRE). These attacks grant hackers full remote control over the compromised systems.

The campaign employs seemingly legitimate invoice emails that exploit the serviciodecorreo.es email service to pass SPF validation. These emails include PDF attachments designed to entice recipients to click buttons, triggering the infection process. Utilising well-known file-sharing platforms like Dropbox and MediaFire, along with geolocation filtering and Ngrok tunnelling, the attackers maintain control and conceal their activities. This high-severity threat poses serious risks for organisations, highlighting the increasing sophistication of modern malware attacks.

Stay tuned and keep your system safe! If you need help, contact us for expert advice!
