Trump nominates Sean Plankey as CISA Director

Alleged Garantex co-founder busted in India, DOGE cuts 100+ CISA red team members, MSFT issues over 50 Patch Tuesday fixes with patches for six zero days, Apple issues urgent zero day fix, Six Lazarus-linked malicious packages found on npm, NIST issues new quantum algorithm, much more

Trump nominates Sean Plankey as CISA Director
Source: SANS Institute Webinar screenshot.

Donald Trump nominated Sean Plankey to head the Cybersecurity and Infrastructure Security Agency, the last major piece to fall into place for cybersecurity leadership in his administration.

Plankey served in the first Trump administration, holding a few posts with cyber responsibilities. In 2019 and 2020, he was the principal deputy assistant secretary for the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response.

Before that, he was the director of cyber policy at the National Security Council, starting in 2018. He was also the Navy's chief information officer and most recently worked at the global cybersecurity advisory company WTW.

Before the first Trump administration, Plankey worked in the Coast Guard, eventually becoming deputy division chief. He also served in Afghanistan and worked in Cyber Command.

His nomination will now be moved before the Senate Homeland Security Committee. If confirmed, he would inherit an agency under new pressure in the Trump administration, with some of its responsibilities curtailed and some of its personnel eliminated. (Tim Starks / Cyberscoop)

Related: Reuters, TechCrunch, Axios, HealthcareInfoSecurity, Associated Press, Federal News Network, Nextgov/FCW, TechRadar, The Record, Dark Reading, Homeland Security Today, MeriTalk, Industrial Cyber, Security Week

Authorities in India arrested Lithuanian national Aleksej Besciokov, the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the US government in 2022, for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations.

Sources say he was apprehended while vacationing on the Indian coast with his family. An officer with the local police department in Varkala confirmed Besciokov’s arrest and said the suspect will appear in a Delhi court on March 14 to face charges.

On March 7, the US Department of Justice (DOJ) unsealed an indictment against Besciokov and the other alleged co-founder of Garantex, Aleksandr Mira Serda, a Russian national living in the United Arab Emirates.

The DOJ alleges Besciokov was Garantex’s primary technical administrator responsible for obtaining and maintaining critical Garantex infrastructure and reviewing and approving transactions. Mira Serda is allegedly Garantex’s co-founder and chief commercial officer. (Brian Krebs / Krebs on Security)

As previously indicated by cybersecurity researcher Kevin Beaumont on social media, sources say Elon Musk’s Department of Government Efficiency has fired over a hundred employees of the US government’s cybersecurity agency, CISA, including “red team” staffers.

The affected employees were axed immediately without warning when their network access was revoked.

The layoffs in late February and early March are the newest staff cuts to hit the federal cybersecurity agency since the start of the Trump administration.

CISA spokesperson Tess Hyre declined to comment on the latest round of job cuts affecting the agency and wouldn’t say how many employees had been affected. Hyre told TechCrunch that CISA’s red team “remains operational” but said the agency is “reviewing all contracts to ensure that they align with the priorities of the new administration.”

One source said that laid-off employees also include staffers who worked for CISA’s Cyber Incident Response Team (CIRT), responsible for penetration testing and vulnerability management of networks belonging to US federal government departments and agencies. (Carly Page / TechCrunch)

Related: Politico, The Register

Ransomware group Hunters International published some of the data it claims to have stolen from automotive engineering and R&D company Tata Technologies just over a month after the Indian company confirmed a ransomware attack that suspended some services.

The leaked data includes personal details about some current and former employees at Tata Technologies and confidential information, including purchase orders and the company’s contracts with customers in India and the United States.

The ransomware gang says the data set includes over 730,000 documents, including Excel spreadsheets, PowerPoint presentations, and PDF files, cumulatively totaling about 1.4 terabytes in size. (Jagmeet Singh / TechCrunch)

Related: NewsBytes, Tech Times, The Daily Star, Firstpost

In its March Patch Tuesday update, Microsoft issued over 50 security updates for its various Windows operating systems, including fixes for six zero-days already seeing active exploitation.

Two zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 would lead to local code execution, while CVE-2025-24991 could cause NTFS to disclose portions of memory.

Microsoft credits researchers at ESET with reporting the zero-day bug labeled CVE-2025-24983, an elevation of privilege vulnerability in older versions of Windows. ESET said the exploit was deployed via the PipeMagic backdoor, which can exfiltrate data and enable remote access to the machine.

The zero-day flaw CVE-2025-24984 is another NTFS weakness that can be exploited by inserting a malicious USB drive into a Windows computer.

Another zero-day fixed this month, CVE-2025-24985, could allow attackers to install malicious code. As with the NTFS bugs, this requires the user to mount a malicious virtual hard drive.

The final zero-day this month is CVE-2025-26633, a weakness in the Microsoft Management Console, a component of Windows that allows system administrators to configure and monitor the system. Exploiting this flaw requires the target to open a malicious file. (Brian Krebs / Krebs on Security)

Related: Microsoft, The Register, CSO Online, Cyberscoop, Dark Reading, Security Week, Bleeping Computer, Fudzilla, ZDNet, Help Net Security, Neowin, XDA, Trend Micro, Digital Trends, Rapid7, AskWoody, SANS Internet Storm Center, Cyberdaily.au, Australian Cyber Security Magazine, Kaspersky Lab official blog, The Stack

Apple released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.

The vulnerability, tracked as CVE-2025-24201, was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

"This is a supplementary fix for an attack that was blocked in iOS 17.2," the iPhone maker said in security advisories issued on Tuesday. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2."

Apple said attackers can exploit the CVE-2025-24201 vulnerability by using maliciously crafted web content to break out of the Web Content sandbox.

The company has fixed this out-of-bounds write issue with improved checks to prevent unauthorized actions in iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. (Sergiu Gatlan / Bleeping Computer)

Related: Apple, NVD, Ars Technica, Cyberscoop, Deccan Herald, Security Week, TechCrunch, How-to-Geek, Tom's Guide

The Socket Research Team has identified six malicious packages on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.

The packages, which have been downloaded 330 times, are designed to steal account credentials, deploy backdoors on compromised systems, and extract sensitive cryptocurrency information.

The threat group is known for pushing malicious packages into software registries like npm, which is used by millions of JavaScript developers, and passively compromising systems.

Similar campaigns attributed to the same threat actors have been spotted on GitHub and the Python Package Index (PyPI).

This tactic often allows them to gain initial access to valuable networks. In some cases, Lazarus uses this access to conduct massive record-breaking attacks, like the recent $1.5 billion crypto heist from the Bybit exchange. However, that breach wasn't achieved via a malicious package installation.

All six Lazarus packages are still available on npm, and the GitHub repositories, so the threat remains active. (Bill Toulas / Bleeping Computer)

Related: Socket, HackRead, crypto.news

The malware entirely takes over a device and reads configuration files on the system before setting up encrypted links and attempting to spread to other devices automatically by exploiting CVE-2023-1389.

The hacker behind the malware, who Cato's researchers believe is based in Italy, has been exploiting a firmware vulnerability tracked as CVE-2023-1389 to allow the botnet to “spread itself automatically over the Internet” through unpatched TP-Link devices.

The Cybersecurity and Infrastructure Security Agency previously confirmed that CVE-2023-1389 is being exploited in the wild and ordered U.S. civilian agencies to patch the bug. The vulnerability documentation and the patch emphasize the TP-Link model known as AX21 or AX1800.

Cato’s security team first identified this campaign on January 10 and saw several initial access attempts over the course of a few weeks, with the most recent coming on February 17.

A search on cybersecurity platform Censys found more than 6,000 vulnerable devices connected to the Internet, they said, adding that the botnet is still active. (Jonathan Greig / The Record)

Related: Cato Networks, Security Week, Fudzilla, Security Affairs

Malware execution flow. Source: Cato Networks.

CISA warned US federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances.

The three flaws (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are due to absolute path traversal weaknesses that can let remote unauthenticated attackers fully compromise vulnerable servers.

They were reported in October by Horizon3.ai vulnerability researcher Zach Hanley and patched by Ivanti on January 13. Just over a month later, Horizon3.ai also released proof-of-concept exploits that can be used in relay attacks to coerce the Ivanti EPM machine credentials without authentication.

CISA added the three vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security flaws the cybersecurity agency has marked as exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 31, to secure their systems against ongoing attacks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, CSO Online, gbhackers, SC Media, Security Week

Lookout says the espionage campaign involves several samples of an Android spyware it calls KoSpy, which the company attributes with “high confidence” to the North Korean government.

According to a cached snapshot of the app’s page on the official Android app store, at least one of the spyware apps was on Google Play at some point and downloaded more than 10 times.

According to Lookout, KoSpy collects “an extensive amount of sensitive information,” including SMS text messages, call logs, the device’s location data, files and folders on the device, user-entered keystrokes, Wi-Fi network details, and a list of installed apps. 

KoSpy can also record audio, take pictures with the phone’s cameras, and capture screenshots of the screen in use.

Lookout also found some of the spyware apps on the third-party app store APKPure. An APKPure spokesperson said the company did not receive “any email” from Lookout. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Lookout

Source: Lookout.

NIST has selected a backup algorithm called HQC that can provide a second line of defense for general encryption to safeguard internet traffic and stored data from a cyberattack by a future quantum computer.

Last year, NIST published an encryption standard based on a quantum-resistant algorithm called ML-KEM. HQC will serve as a backup defense if quantum computers crack ML-KEM someday.

Both these algorithms are designed to protect stored information and data that travels across public networks.

HQC is not intended to replace ML-KEM, which will remain the recommended choice for general encryption, said Dustin Moody, a mathematician who heads NIST’s Post-Quantum Cryptography project. (NIST)

Related: NIST, Hacker News (ycombinator), Inside Cybersecurity

Israeli-US cybersecurity company Cybereason announced the completion of a $120 million financing round just one week after a dispute with investors put the company on the verge of bankruptcy.

SoftBank Corp., SoftBank Vision Fund 2, and Liberty Strategic Capital led the round. Other current investors will also have the opportunity to participate. (Assaf Gilead / Globes)

Related: Cybereason, PR Newswire, Silicon Angle, FinTech Global, FinSMEs, Tech in Asia, CTech, sdxCentral

Best Thing of the Day: The Beeb to the Rescue

Senior BBC leaders say that the BBC's World Service must be fully state-funded to counter an “aggressive” disinformation drive by Russia around the globe.

Worst Thing of the Day: It's Not Like Critical Infrastructure Cybersecurity Is Important

Industry groups warn that Homeland Security Secretary Kristi Noem's elimination of the Critical Infrastructure Partnership Advisory Council (CIPAC) might jeopardize the critical task of public-private sector cybersecurity information sharing.

Closing Thought
