Musk's Starlink service now routes through the White House sparking cybersecurity fears
CISA seeks to rehire fired employees, US Commerce Department bans DeepSeek, House panel asks Noem for Volt Typhoon and Salt Typhoon documents, Carney and Macron discuss deal on intel and cyber, Big sperm and egg bank breach exposes files, Alphabet to buy Wiz for $32b, much more


Don't miss my latest CSO news report on how two developments offer a glimmer of hope that federal cybersecurity employees might escape the worst of DOGE's slash-and-burn firing campaign.
In a situation characterized by a massive conflict of interest and a host of cybersecurity concerns, Starlink, the satellite internet service operated by Elon Musk’s SpaceX, is now accessible across the White House campus, routing itself through a White House data center with existing fiber cables miles from the complex.
White House officials said the installation was an effort to increase internet availability at the complex. They said that some areas of the property could not get cell service and that the existing Wi-Fi infrastructure was overtaxed.
The White House press secretary, Karoline Leavitt, said the effort was “to improve Wi-Fi connectivity on the complex.”
Musk, who is now an unpaid adviser working as a “special government employee” at the White House, controls Starlink and other companies that have regulatory matters before or contracts with the federal government. Questions about his business interests conflicting with his status as a presidential adviser and significant Trump donor have persisted for weeks.
White House officials said that Starlink had “donated” the service and that the gift had been vetted by the lawyer overseeing ethics issues in the White House Counsel’s Office.
Some former officials were unclear about how such a donation could work.
Clare Martorana, a former chief information officer at the White House during the Biden administration, said that typically people cannot simply give technology to the government. She said the White House’s chief information officer would need to sign off on a new system to ensure it was secured correctly, as would the chief information officer at the General Services Administration.
The White House is the latest government property on which Starlink now operates.
Sources say that Starlink was also recently set up at the General Services Administration, which has served as a hub for Musk’s efforts to fire government employees and jettison contracts.
While several federal agencies contract with Starlink, the satellite service typically provides internet access in emergencies and remote locations, not at federal buildings in Washington, which already have ample internet options.
It is unclear if the Starlink internet service will significantly expand wireless internet capacity in buildings where fiber cables already provide access. It is also unclear if Starlink communications were encrypted.
“It’s super rare” to install Starlink or another internet provider as a replacement for existing government infrastructure that has been vetted and secured, said Jake Williams, a vice president for research and development at Hunter Strategy, a cybersecurity consultancy. “I can’t think of a time that I have heard of that.”
“It introduces another attack point,” Williams said. “But why introduce that risk?”
Separately, Evan Feinman, a Commerce Department official who had directed a $42.5 billion federal government program for rural broadband for the past three years, warned in his resignation email that the Trump administration is poised to unduly enrich Elon Musk’s satellite internet company with money for rural broadband for what he says is inferior service.
“Stranding all or part of rural America with worse internet so that we can make the world’s richest man even richer is yet another in a long line of betrayals by Washington,” Feinman said. (Maggie Haberman, Kate Conger, Eileen Sullivan and Ryan Mac / The New York Times and John Hendel / Politico)
Related: Political Wire, r/politics, Vanity Fair, The New Republic, r/centrist


The Cybersecurity and Infrastructure Security Agency is trying to contact certain employees affected by layoffs based on their employment status after federal judges ruled last week that the Trump administration must reinstate workers it fired in the last month after the terminations were deemed unlawful.
The Cybersecurity and Infrastructure Security Agency “is making every effort to individually contact all impacted individuals,” the DHS agency posted on its homepage Monday. It added that those who believe they fall under the order’s parameters and have not yet been contacted should email the agency with a password-protected attachment that includes identifying information, dates of employment, and any termination notices sent to them.
The termination reversals focus on probationary employees—those who were typically hired within the last one or two years.
“To the extent that you are identified as an individual whose termination falls within the Court’s order, your employment will be reinstated effective March 17, 2025. Upon your reinstatement, you will be placed on administrative leave, which is a paid non-duty status,” the CISA notice added. (David DiMolfetta / NextGov/FCW)
Related: CBS News, CBS News, r/firedfeds, Data Breach Today
According to sources, US Commerce Department bureaus informed staffers recently that the Chinese artificial intelligence model DeepSeek is banned on their government devices.
"To help keep Department of Commerce information systems safe, access to the new Chinese based AI DeepSeek is broadly prohibited on all GFE," said one mass email about their government-furnished equipment to staffers.
US officials and members of Congress have expressed concerns about DeepSeek's threat to data privacy and sensitive government information.
Congressmen Josh Gottheimer and Darin LaHood, House Permanent Select Committee on Intelligence members, introduced legislation to ban DeepSeek on government devices. Earlier this month, they sent letters to US governors urging them to ban the Chinese AI app on government-issued equipment.
Numerous states, including Virginia, Texas, and New York, have banned the model from government devices, and a coalition of 21 state attorneys general has urged Congress to pass legislation. (Karen Freifeld / Reuters)
Related: MediaNama, TechInAsia, Tip Ranks, The Standard, The Economic Times, Benzinga
The House Homeland Security Committee sent a letter to DHS Secretary Kristi Noem asking her to provide the panel with all agency documents since the start of the Biden administration that refer to or reference Volt Typhoon and Salt Typhoon, a pair of prolific Chinese government-backed cyber espionage units and their hacking activities.
The requested documents include emails, internal memoranda, and other guidance about the two groups that have made headlines over the past several years for their intrusions into US critical infrastructure and telecommunications systems.
Panel Chairman Mark Green (R-TN), alongside cybersecurity subcommittee leader Andrew Garbarino (R-NY) and oversight subcommittee leader Josh Brecheen (R-OK), write that the committee is “conducting oversight of the federal response to the malicious cyber campaigns against US critical infrastructure conducted by Volt and Salt Typhoon” and add that “we still know very little about them.”
The lawmakers ask Noem to provide documentation explaining when DHS and its Cybersecurity and Infrastructure Security Agency became aware of both cyber espionage units, along with a timeline of the actions the US cyber agency took in response to their intrusions. The missive will also direct DHS to provide all relevant documentation to the panel by March 31. (David DiMolfetta / NextGov/FCW)
Related: Inside Cybersecurity, Reuters, House Homeland Security Committee
Canadian Prime Minister Mark Carney had a private meeting with French President Emmanuel Macron, during which the two leaders discussed a new bilateral partnership on intelligence and security, focused on enhancing cybersecurity and sharing intelligence on “significant threats.”
Carney’s European visit comes amid a shakeup in global security and intelligence as Trump has increasingly cozied up to Russian President Vladimir Putin, prompting concerns among some allies about whether critical intelligence will end up in Putin’s hands.
Carney and Macron also discussed strengthening economic ties, including on artificial intelligence, critical minerals, and clean energy, as well as their intention to “defend rules-based trade.” (Kyle Duggan / The Canadian Press)
Related: Prime Minister of Canada
California Cryobank (CCB), one of the largest reproductive tissue banks in the world, has disclosed a data breach that affected an unknown number of Americans.
CCB reported the data breach to California and Maine authorities but did not disclose the full scope of the incident. It filed a statement with Maine’s Attorney General’s office stating that 28 Maine residents are affected.
The biotechnology company said it detected unauthorized activity on certain computers on April 21st, 2024, isolated them from the IT network, and launched an investigation.
“An unauthorized party gained access to our IT environment and may have accessed and/or acquired files maintained on certain computer systems between April 20th, 2024, and April 22nd, 2024,” the letter to the affected individuals reads.
Hackers “potentially accessed” sensitive files and stole Social Security numbers, driver’s license numbers, financial account numbers, and health insurance information. (Ernestas Naprys / Cybernews)
Related: California Attorney General's Office, JD Supra
Researchers at Wallarm confirmed that a critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
Hackers are reportedly leveraging proof-of-concept (PoC) exploits published on GitHub just 30 hours after the flaw was disclosed last week.
The researchers warn that traditional security tools fail to detect it as PUT requests appear normal, and the malicious content is obfuscated using base64 encoding. The attacker sends a PUT request containing a base64-encoded serialized Java payload saved to Tomcat's session storage.
The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting the attacker complete control.
The attack does not require authentication and is caused by Tomcat accepting partial PUT requests and its default session persistence.
"This attack is dead simple to execute and requires no authentication," Wallarm said.
Apache recommended that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which are patched against CVE-2025-24813.
Tomcat users may also mitigate the problem by reverting to the default servlet configuration (readonly="true"), turning off partial PUT support, and avoiding storing security-sensitive files in a subdirectory of public upload paths. (Bill Toulas / Bleeping Computer)
Related: Wallarm, The Register, SC Media, Cyber Security News, Security Affairs, The Hacker News, Cyber Security News
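The upgrade and configuration checks above can be scripted. The following is an added example, not code from Apache, Wallarm or the reporting: it audits a `web.xml` and a version string against the fixed releases and default-servlet settings named in the item. The sample `web.xml` is constructed, and `allowPartialPut` is assumed to be the default servlet's init-param for partial PUT support.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the article, keyed by (major, minor) branch.
PATCHED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: a web.xml where an admin made the default servlet writable.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def is_patched(version):
    """True/False on a branch the article lists, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = PATCHED.get(v[:2])
    return None if fixed is None else v >= fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace, if any

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def default_servlet_params(web_xml):
    """Collect init-params of every servlet backed by Tomcat's DefaultServlet."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "servlet" and _text(elem, "servlet-class") == DEFAULT_SERVLET:
            for p in _children(elem, "init-param"):
                params[_text(p, "param-name")] = _text(p, "param-value")
    return params

def audit(web_xml, version):
    params = default_servlet_params(web_xml)
    # Absent parameters fall back to Tomcat's defaults: readonly=true, allowPartialPut=true.
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    findings = []
    patched = is_patched(version)
    if patched is False:
        findings.append("version is below the fixed release for its branch")
    elif patched is None:
        findings.append("branch not covered by the listed fixed releases")
    if not readonly:
        findings.append("default servlet is writable (readonly=false)")
        if partial_put:
            findings.append("partial PUT is accepted on the writable default servlet")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML, "10.1.34"):
        print("FINDING:", finding)
```

Partial PUT is only reported when the default servlet is writable, because a read-only default servlet rejects PUT requests outright.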
Security researcher Yohanes Nugroho released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free.
Nugroho developed the decryptor after being asked for help from a friend, deeming the encrypted system solvable within a week, based on how Akira generates encryption keys using timestamps.
Due to unforeseen complexities, the project ended up taking three weeks, and the researcher spent $1,200 on GPU resources to crack the encryption key, but eventually, he succeeded.
Nugroho's decryptor does not work like a traditional decryption tool where users supply a key to unlock their files.
Instead, it brute-forces encryption keys (unique for each file) by exploiting the fact that the Akira encryptor generates its encryption keys using the current time (in nanoseconds) as a seed.
Nugroho has made the decryptor available on GitHub, with instructions on how to recover Akira-encrypted files. (Bill Toulas / Bleeping Computer)
Related: Tinyhack.com, GitHub, SC Media
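Why a nanosecond timestamp seed makes key recovery a bounded search, as an added example that is not Nugroho's decryptor and does not reproduce Akira's actual key derivation or cipher. It assumes a toy SHA-256 keystream, a known file header, and a file modification time that bounds when encryption happened; all names and values are constructed.

```python
import hashlib

# Assumption: the recovered file type starts with a known header (constructed).
MAGIC = b"%PDF-1.7\n"

def keystream(seed_ns, length):
    """Toy generator: key = SHA-256(seed), stream = SHA-256(key || counter) blocks."""
    key = hashlib.sha256(seed_ns.to_bytes(8, "big")).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(data, seed_ns):
    """XOR stream cipher: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed_ns, len(data))))

def recover_seed(ciphertext, mtime_ns, window_ns, known=MAGIC):
    """Try every nanosecond from the file's mtime backwards across the window.

    The key was derived before the last write to the file, so candidates lie
    at or before mtime. Only the first len(known) bytes are decrypted per try.
    """
    head = ciphertext[:len(known)]
    for seed in range(mtime_ns, mtime_ns - window_ns - 1, -1):
        if xor_crypt(head, seed) == known:
            return seed
    return None

def demo():
    plaintext = MAGIC + b"constructed sample document body"
    true_seed = 1_741_000_000_123_456_789      # constructed encryption time (ns)
    mtime_ns = true_seed + 40_000              # file written 40 microseconds later
    ciphertext = xor_crypt(plaintext, true_seed)
    seed = recover_seed(ciphertext, mtime_ns, window_ns=100_000)
    return seed == true_seed and xor_crypt(ciphertext, seed) == plaintext

if __name__ == "__main__":
    print("recovered:", demo())
```

The search space equals the uncertainty window in nanoseconds, so one second of uncertainty is already a billion candidates per file.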

Microsoft has discovered a new remote access trojan (RAT) called StilachiRAT that employs "sophisticated techniques" to avoid detection, maintain persistence, and extract sensitive data.
Although the malware has yet to reach widespread distribution, Microsoft says it decided to publicly share indicators of compromise and mitigation guidance to help network defenders detect this threat and reduce its impact.
Due to the limited instances of StilachiRAT being deployed in the wild, Microsoft has yet to attribute this malware to a specific threat actor or associate it with a particular geolocation.
Among this new RAT's features, Redmond highlighted reconnaissance capabilities like collecting system data, including hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications to profile targeted systems.
After being deployed on compromised systems, attackers can use StilachiRAT to siphon digital wallet data by scanning the configuration information of 20 cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet, and others.
To reduce the attack surface this malware can use to compromise a targeted system, Microsoft advises downloading software only from official websites and using security software that can block malicious domains and email attachments. (Sergiu Gatlan / Bleeping Computer)
Related: Microsoft, crypto.news, Security Affairs, Forbes, HackRead
Wemix Foundation CEO Kim Seok-hwan said they had no intention of concealing a hack on its bridge, which led to over $6 million in losses.
In a press conference, Kim reportedly said there was no attempt to cover up the incident, even though the audience pointed out the announcement was delayed.
On Feb. 28, over 8.6 million WEMIX tokens were withdrawn due to an attack on the platform’s Play Bridge Vault, which transfers WEMIX to other blockchain networks. The company only made an official announcement four days after the attack.
According to Kim, the announcement was delayed due to the possibility of further attacks and to avoid causing panic in the market because of the stolen assets. (Ezra Reguerra / Cointelegraph)
Related: Web3IsGoingJustGreat, The Crypto Times, crypto.news, Finance Feeds, The Block, Chosun Biz
The French prosecutor's office has temporarily allowed Pavel Durov, the founder of the messaging app Telegram, who was charged in France last year with a range of crimes related to illicit activity on the app, to leave the country.
“I’ve returned to Dubai after spending several months in France due to an investigation related to the activity of criminals on Telegram,” said Mr. Durov, a Russian-born entrepreneur with citizenship in France and the United Arab Emirates. “The process is ongoing, but it feels great to be home.”
Durov is facing a potential sentence of up to 10 years in prison. He was also charged with complicity in crimes such as enabling the distribution of child sexual abuse material, drug trafficking, and fraud, and refusing to cooperate with law enforcement. (Eve Sampson and Adam Satariano / The New York Times)
Related: Bleeping Computer, BBC News, Cointelegraph, Silicon UK, Du Rove's Channel on Telegram, UPI, Decrypt, Bloomberg, TechCrunch, Cyber Security News, Cryptopolitan, NBC News, Bitcoin Insider, PhoneArena, Wall Street Journal, WinBuzzer, DNyuz, The Guardian, Associated Press, ZeroHedge News, Tech in Asia, The Kyiv Independent, The Record
Rivals in the human resources business, Deel and Rippling, are feuding in a heated competition, with the latest development involving a lawsuit by Rippling accusing its competitor of hiring a mole in its Dublin office who was uncovered through a honeypot trap in a Slack channel set up expressly for the ruse.
Rippling is now accusing Deel of perpetrating a “brazen act of corporate theft.” In the lawsuit, Rippling said that the employee it had accused of being a plant — referred to in the complaint as D.S. — started searching for mentions of Deel in its Slack messaging system at an elevated rate starting in November. The goal, Rippling asserted, was to find information relating to sales leads involving Deel customers, pitch decks, and more.
Rippling said it began to suspect a mole when Deel tried to hire at least 17 members of its global payroll operations team via WhatsApp — which requires knowing those people’s phone numbers — and when a reporter for The Information asked for comment about internal Slack messages relating to payments into Russia in violation of sanctions. A security review showed that D.S. had searched for those messages. (Dealbook Newsletter / New York Times)
Related: The Information, Business Insider, CNBC, SFGate, The San Francisco Standard, TechCrunch, Axios, CTech, PitchBook
Alphabet said it will buy cybersecurity company Wiz for $32 billion in its biggest deal as the Google parent doubles down on cybersecurity to sharpen its edge in the cloud-computing race against Amazon.com and Microsoft.
The price tag is much higher than the roughly $23 billion Google had offered for Wiz last year before antitrust worries forced the startup to shelve the deal.
The all-cash deal will bolster Google's cloud business with Wiz's AI-powered cybersecurity solutions, which companies use to remove critical risks. This will help Google compete better in an industry benefiting from the rise of generative AI services like ChatGPT.
One of the fastest-growing software startups, Wiz offers cloud-based cybersecurity solutions and was valued at $12 billion in a funding round last May. (Deborah Sophia and Zaheer Kachwala / Reuters)
Related: Israel Hayom, Wall Street Journal, Bloomberg, TechCrunch, The Times, CRN, The Information, CTech, Capital Brief, Financial Times, Investor's Business Daily, Business Journals, The Verge, SiliconANGLE, Ynetnews, TipRanks Financial, Yahoo Finance, Hacker News (ycombinator), Slashdot, Arutz Sheva
Best Thing of the Day: Listening for Undersea Saboteurs
Following multiple reports of sabotage of undersea fiber optic cables, German technology company AP Sensing says it can monitor what's going on in the vicinity of any cable by using fiber optic signals to listen out for surreptitious underwater drones, or hostile vessels dragging their anchors along the seabed.
Worst Thing of the Day: All Your Habits Belong to Us
Arthur Sadoun, the CEO of French advertising conglomerate Publicis Groupe, brags about the degree to which his industry can collect and analyze data on billions of people's habits.
