The MSP Minute ⏱ Thursday 7 May 2026
For Managed Service Providers worldwide. Today... a state hacking group is using Teams to get in... Microsoft Defender had a bit of a moment... and a beloved IT publication just did something "oooo"
🔴 Iranian state hackers are pretending to be ransomware gangs… using Teams to get in
This one is worth reading carefully, because the attack method will be familiar.
A threat group tracked as MuddyWater, linked to Iranian state intelligence, has been caught running a campaign that deliberately looks like a ransomware attack… but isn’t.
The goal isn’t money. It’s persistent, undetected access. Rapid7 published the full analysis yesterday after observing the campaign earlier this year. The Hacker News
The attack starts with Teams. Attackers pose as IT helpdesk staff, use an interactive screen-sharing session to harvest credentials, and talk the user into approving the MFA prompt that follows. Once inside, they deploy remote access tools including DWAgent and AnyDesk.
The ransomware elements are essentially theatre: Chaos ransomware artifacts are dropped so the intrusion looks opportunistic, but no file encryption actually happens. The real objective is a quiet backdoor that stays open long after the “incident” appears to be over.
The uncomfortable thing is that this attack looks exactly like the helpdesk impersonation campaigns we’ve covered all month. The difference is who’s behind it and why: a financially motivated criminal group wants to encrypt and extort, whereas a nation-state wants to sit silently inside your clients’ networks for months.
Worth making sure your clients know that your techs will never initiate an unsolicited Teams session asking for screen access, and that any such request should be checked back through a known number before anyone shares a screen or approves an MFA prompt.
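Because the payoff of this campaign is a remote access tool left behind rather than encrypted files, the post-incident check is an inventory sweep rather than a restore. The script below is an added example, not code from the MSP Minute or from Rapid7’s analysis: it looks through one Windows endpoint for processes, services, installed programs and scheduled tasks whose names match the two tools named in the report. The name patterns in $Patterns are assumptions based on the product names (the page publishes no file or service names), so trim or extend them to match your own RMM allow-list.

```powershell
# Added example (not from the MSP Minute or Rapid7): sweep one Windows endpoint for
# remote access tools matching the products named in the report. The patterns are
# assumptions derived from the product names, not indicators published by the page.
$Patterns = @('anydesk', 'dwagent', 'dwagsvc')

function Find-RemoteAccessTools {
    param([string[]]$Patterns)
    $hits = @()

    # 1. Running processes (Win32_Process gives path and command line without the
    #    access errors Get-Process raises on protected processes)
    foreach ($p in Get-CimInstance Win32_Process) {
        foreach ($pat in $Patterns) {
            if ($p.Name -like "*$pat*" -or $p.CommandLine -like "*$pat*") {
                $hits += [pscustomobject]@{ Source = 'Process'; Name = $p.Name; Detail = $p.ExecutablePath }
            }
        }
    }

    # 2. Services: the usual persistence mechanism for an RMM agent
    foreach ($s in Get-CimInstance Win32_Service) {
        foreach ($pat in $Patterns) {
            if ($s.Name -like "*$pat*" -or $s.PathName -like "*$pat*") {
                $hits += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Detail = $s.PathName }
            }
        }
    }

    # 3. Installed programs, from both 64-bit and 32-bit uninstall views plus per-user installs
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
        foreach ($pat in $Patterns) {
            if ($app.DisplayName -like "*$pat*") {
                $hits += [pscustomobject]@{ Source = 'Installed'; Name = $app.DisplayName; Detail = $app.InstallLocation }
            }
        }
    }

    # 4. Scheduled tasks whose name or action references a matching binary
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actions = ($t.Actions | ForEach-Object { $_.Execute }) -join ' '
        foreach ($pat in $Patterns) {
            if ($t.TaskName -like "*$pat*" -or $actions -like "*$pat*") {
                $hits += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $t.TaskName; Detail = $actions }
            }
        }
    }

    return $hits
}

$found = Find-RemoteAccessTools -Patterns $Patterns
if ($found) {
    $found | Sort-Object Source, Name -Unique | Format-Table -AutoSize
} else {
    "No matching remote access tools found on $env:COMPUTERNAME"
}
```

Run it elevated so the service and HKLM queries are complete, and push it through your own RMM to every endpoint at the affected client rather than just the machine the user reported from; a hit for a tool your practice does not use is the thing to chase.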
🟡 Microsoft Defender briefly decided that legitimate security certificates were malware. It's now fixed
If your team got flooded with high-severity Defender alerts over the past week, this is why.
On April 30, Microsoft pushed a Defender signature update that incorrectly flagged two widely trusted DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha malware.
On affected systems, Defender didn’t just alert… it automatically quarantined and removed the certificates from the Windows trust store. Without those certificates, systems risk failing to validate HTTPS connections and breaking code-signing verification for legitimate software. BleepingComputer
The fix is out. Microsoft pushed a corrected signature update and the certificates are being automatically restored on affected machines.
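Automatic restoration is only reassuring once you have seen it happen. The script below is an added example, not code from the MSP Minute, BleepingComputer or Microsoft: on one Windows machine it reports the current Defender signature version, pulls any Cerdigent detection out of Defender’s threat history, lists the DigiCert roots present in the machine trust store, and then checks that Windows can still build a chain for each unexpired DigiCert intermediate it already holds. The article does not name the two affected roots, so the script lists every DigiCert root rather than looking for two specific thumbprints; that and the use of the CA store as a source of test certificates are assumptions.

```powershell
# Added example (not from the MSP Minute, BleepingComputer or Microsoft).
# Assumptions: the two affected roots are not named on the page, so every DigiCert
# root is listed; chain checks use whatever DigiCert intermediates this machine
# already has in Cert:\LocalMachine\CA. Run elevated.

function Get-CerdigentDetections {
    # Threat history keeps the bad detection even after the corrected signature lands.
    Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -like 'Trojan:Win32/Cerdigent*' } |
        Select-Object ThreatName, IsActive, DidThreatExecute
}

function Get-DigiCertRoots {
    # Self-signed (Subject equals Issuer) DigiCert certificates in the machine Root store.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*DigiCert*' -and $_.Subject -eq $_.Issuer } |
        Select-Object Thumbprint, NotAfter, Subject
}

function Test-DigiCertChains {
    # If a root was quarantined, Build() returns $false and ChainStatus reports
    # UntrustedRoot or PartialChain for intermediates that were issued under it.
    $results = @()
    $intermediates = Get-ChildItem Cert:\LocalMachine\CA |
        Where-Object { $_.Issuer -like '*DigiCert*' -and $_.NotAfter -gt (Get-Date) }
    foreach ($cert in $intermediates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Offline check: we care about trust anchoring, not revocation, here.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $builds = $chain.Build($cert)
        $results += [pscustomobject]@{
            Subject = $cert.Subject
            Issuer  = $cert.Issuer
            Builds  = $builds
            Status  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
        $chain.Reset()
    }
    return $results
}

$status = Get-MpComputerStatus
"Defender signatures: $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"
'--- Cerdigent detections in threat history ---'
Get-CerdigentDetections | Format-Table -AutoSize
'--- DigiCert roots in LocalMachine\Root ---'
Get-DigiCertRoots | Format-Table -AutoSize
'--- Chain build for DigiCert intermediates already on this machine ---'
Test-DigiCertChains | Format-Table -AutoSize
```

A machine that shows a Cerdigent entry in history, DigiCert roots back in the store and every chain building is the happy case. One that still has the detection but no roots and failing chains has not yet received the corrected signatures or the restoration, which is the list of machines to update by hand before a client calls about broken HTTPS or installers that refuse to run.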
🟢 The Register just got a new website (for the first time since Vista)
If you visited The Register this morning and thought your browser was broken… it wasn’t.
The beloved IT news institution that has been the spiritual home of grumpy, brilliant, sardonic technology professionals since 1998 launched a brand new website design yesterday, their first redesign in over 20 years. The Register
The piece they wrote announcing it is exactly what you’d expect: self-deprecating, warm, and written in the voice of someone who has been putting off a very large piece of technical debt for approximately two decades. They describe the old system as held together with “tape and glue.”
If you’re not reading The Register every morning alongside the MSP Minute, you should be. Nobody covers enterprise technology with more wit, more depth, or more justified scepticism. And now it looks kinda nice too.
PS: here’s what their website first looked like in 1998
Well, would you believe it, that’s Thursday done. We’ll be back in your inbox tomorrow morning for the final time this week. Have a fun day.