Cybersecurity News: Microsoft Defender outage disrupts threat hunting, Apple resists India’s app order, MuddyWater strikes Israel

In today’s cybersecurity news…

Microsoft Defender outage disrupts threat hunting

Microsoft Defender for Endpoint experienced a 10-hour portal outage affecting XDR features, including advanced threat-hunting alerts and device visibility. Microsoft attributed the disruption to a CPU spike from high traffic on portal components. Mitigation steps have restored access for most customers, though some organizations still face issues. Microsoft is collecting additional diagnostics to resolve lingering impacts and continues monitoring system performance. (BleepingComputer)

Apple resists India’s state-run app order

Reuters’ sources say Apple will not comply with India’s order to preload iPhones with the state-run Sanchar Saathi cyber safety app, citing privacy and security concerns, and plans to raise the issue with the Indian government. The government wants every smartphone maker, including Samsung and Xiaomi, to install the app so it can track stolen phones and prevent their misuse. Other manufacturers are still reviewing the directive amid political backlash and surveillance concerns. (Reuters)

MuddyWater strikes Israel with MuddyViper

Iran-linked MuddyWater hit multiple Israeli organizations and one in Egypt with a new toolset built around the MuddyViper backdoor, according to ESET. The group used a Snake-themed “Fooder” loader, new credential and browser-data stealers, and go-socks5 reverse tunnels to maintain access, steal data, and stay quiet. The campaign ran from late 2024 to early 2025 across engineering, government, manufacturing, utilities, and universities, showing tighter operational overlap with other Iranian units. ESET says the group’s tactics are becoming more sophisticated but still follow a predictable script. (Security Affairs)

Researchers capture Lazarus APT’s remote-worker scheme

Researchers say Lazarus Group’s Famous Chollima unit was caught live trying to place North Korean IT workers inside Western companies by posing as remote hires. Teams from BCA LTD, NorthScan, and ANY.RUN impersonated a U.S. developer and funneled the operators onto sandboxed “laptops,” watching them use stolen IDs, AI-generated job-application tools, OTP generators, and Chrome Remote Desktop to take over accounts without deploying any malware. The objective was full identity takeover so that North Korean workers could be embedded inside finance, crypto, healthcare, and engineering firms. (The Hacker News)

Huge thanks to our sponsor, Vanta

This message comes from Vanta. What’s your 2 AM security worry? Is it “Do I have the right controls in place?” Or “Are my vendors secure?” Enter Vanta. Vanta automates manual work, so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. Get started at Vanta.com/CISO

PickleScan vulnerabilities expose AI model supply chains

Three critical zero-day flaws in PickleScan, a tool for scanning Python pickle files and PyTorch models, could let attackers bypass its safeguards and distribute malicious ML models that pass as clean. One let a malicious file slip through by spoofing its file extension, another exploited differences in how PickleScan and PyTorch handle ZIP archives, and the third bypassed the tool’s blacklist of dangerous imports by referencing a subclass instead of the blacklisted name. The vulnerabilities have since been patched. (Infosecurity Magazine)
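The third flaw above is an instance of a general weakness of name-based denylists: a pickle can reach a dangerous callable through any importable name, so a scanner that only checks for a fixed list of bad `module.name` pairs is bypassed by whatever name it did not think of. The following is an added example written for this digest, not PickleScan’s code and not a reproduction of the reported bypasses. It walks the pickle opcode stream with the standard library’s `pickletools`, collects every global the pickle would import, and compares a denylist verdict with an allowlist verdict; it then enforces the same allowlist at load time through `Unpickler.find_class`. The sample pickles are constructed inline (the `os.system` payload is a harmless `echo` and is never executed, because nothing here calls `pickle.loads` on it); the `DENYLIST` and `ALLOWLIST` contents are illustrative assumptions, and the `posix.system` alias is used only because on Linux `os.system` is literally `posix.system`.

```python
import io
import pickle
import pickletools

# Illustrative lists (assumptions for this example, not PickleScan's real lists).
DENYLIST = {("os", "system"), ("subprocess", "Popen"),
            ("builtins", "eval"), ("builtins", "exec")}
ALLOWLIST = {("builtins", "dict"), ("builtins", "list"),
             ("collections", "OrderedDict")}


def referenced_globals(data):
    """Return the set of (module, name) pairs a pickle would import.

    Covers the GLOBAL opcode (protocols 0-3, arg is "module name") and
    STACK_GLOBAL (protocol 4+, which pops module and name strings pushed
    just before it). The string tracking is a simplification: a production
    scanner should run a full opcode interpreter so memo lookups and
    non-string stack items are resolved correctly.
    """
    refs = set()
    strings = []  # string constants pushed so far, in order
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: missing operands")
            name, module = strings.pop(), strings.pop()
            refs.add((module, name))
        elif op.name.endswith("UNICODE") or op.name.endswith("STRING"):
            strings.append(arg)
    return refs


def denylist_scan(data):
    """Flags only names that happen to be on the list (fragile)."""
    return {ref for ref in referenced_globals(data) if ref in DENYLIST}


def allowlist_scan(data):
    """Flags every name not explicitly permitted (fail closed)."""
    return {ref for ref in referenced_globals(data) if ref not in ALLOWLIST}


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time enforcement: refuse any global outside ALLOWLIST before
    REDUCE can call it. find_class runs when the global is resolved, so
    a rejected pickle never gets to execute anything."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"refusing global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def loads_rejected(data):
    """True if the allowlisting unpickler refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample inputs (assumptions for this example).
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=2)   # no globals at all
# Protocol-0 pickle that would call os.system("echo pwned") if loaded unsafely.
EVIL_OS = b"cos\nsystem\n(S'echo pwned'\ntR."
# Same callable reached via its real module name on Linux (os.system is posix.system);
# a denylist keyed on "os.system" never sees it.
EVIL_POSIX = b"cposix\nsystem\n(S'echo pwned'\ntR."
# Protocol-4 form of the first payload, using STACK_GLOBAL instead of GLOBAL.
EVIL_P4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x0aecho pwned\x85R."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("os.system", EVIL_OS),
                        ("posix.system", EVIL_POSIX), ("protocol 4", EVIL_P4)]:
        print(f"{label:13} globals={sorted(referenced_globals(blob))} "
              f"deny={sorted(denylist_scan(blob))} allow={sorted(allowlist_scan(blob))} "
              f"rejected_at_load={loads_rejected(blob)}")
```

The denylist scanner passes `EVIL_POSIX` as clean while the allowlist scanner and the allowlisting unpickler both reject it; that asymmetry is the reason to treat pickle-based model files as untrusted input and to prefer formats such as safetensors where the pipeline allows it, rather than relying on a scanner to enumerate every dangerous name.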

University of Pennsylvania joins Clop’s Oracle EBS raid

The University of Pennsylvania confirmed a data breach after Clop exploited a zero-day in Oracle’s E-Business Suite, affecting at least 1,488 Maine residents. Attackers accessed personal and financial data used in payments, reimbursements, and general ledger processing. Penn patched systems, alerted law enforcement, and is offering two years of Experian credit monitoring. (The Register)

Legislation would designate ‘critical cyber threat actors’

Rep. August Pfluger reintroduced the Cyber Deterrence and Response Act to let the U.S. formally designate foreign hackers behind major cyberattacks as “critical cyber threat actors” subject to sanctions. The bill directs federal agencies, including the Office of the National Cyber Director, to attribute attacks with input from intelligence and threat firms. Targeted actors include those disrupting networks, stealing sensitive data, or threatening critical infrastructure, finance, energy, or elections. The president may waive sanctions with written explanation to Congress. (CyberScoop)

Coast Guard mandates cybersecurity training

The U.S. Coast Guard requires all personnel with IT or OT access on vessels, facilities, or OCS sites to complete cybersecurity training by January 12th. Untrained users may access systems only under supervision or remote monitoring. Owners/operators must document training, maintain records, and ensure contractors meet regulatory standards, with oversight tied to the Cybersecurity Plan and the designated Cybersecurity Officer. (Industrial Cyber)