White House to agencies: don't fire cybersecurity personnel

Musk visits NSA after saying it needs an overhaul, UK urged to hold an open meeting on back door proposal, MSFT warns of Booking.com scam, Ukraine says Signal no longer gives Russian threat info, DeepSeek can generate keylogger and ransomware code, Emergency Junos OS patch released, much more

Photo by Ana Lanza / Unsplash

Metacurity is a mostly reader-supported publication that relies on the generous support of our paid readers. Please consider supporting Metacurity with an upgraded subscription. Thank you.

If you can't commit to a subscription today, please consider donating whatever you can. Thank you!


Greg Barbaccia, the United States federal chief information officer, emailed federal agencies urging them to refrain from laying off their cybersecurity teams as they scrambled to comply with a Thursday deadline to submit mass layoff plans to slash their budgets.

Barbaccia sent the message in response to questions about whether cybersecurity employees' work is national security-related and, therefore, exempt from layoffs.

"We believe cybersecurity is national security, and we encourage Department-level Chief Information Officers to consider this when reviewing their organizations," he wrote in the email to information technology employees across the federal government.

Describing "skilled cyber security professionals" as playing "a vital role in mission delivery and information assurance," he said, "We are confident federal agencies will be able to identify efficiencies across their non-cyber mission areas without negatively affecting their agency's cyber posture."

The email reflects growing concern that President Donald Trump and his billionaire adviser, Elon Musk, are mandating deep cuts that could harm the United States' ability to combat cybersecurity threats.

In testimony earlier this month, Rob Joyce, a former cybersecurity director at the National Security Agency, said the mass culling of workers from federal payrolls would have a "devastating" impact on cybersecurity and national security.

The approach of the Musk-led Department of Government Efficiency has raised extraordinary concerns, with cybersecurity experts and former government officials alleging that its unrestricted access to government systems could open the door to hackers and leaks. (Alexandra Alper / Reuters)

Current and former officials say Elon Musk visited the National Security Agency and met with its leadership, a week after saying the intelligence and cybersecurity outfit needed an overhaul.

The discussion with the NSA, Musk’s first known visit to an intelligence agency, centered on staff reductions and operations, officials said, with one describing it as a “positive” conversation. Musk is leading the Trump administration’s efforts to shrink the size of government and align every agency’s mission with the president’s “America First” vision.

In a statement, an NSA spokesman confirmed that Musk met with NSA chief Gen. Timothy Haugh. (Alexander Ward / Wall Street Journal)

Related: NBC News, New York Times, Nextgov/FCW, Reuters, Politico, Gizmodo, Bloomberg

UK rights groups and US lawmakers asked a British surveillance court to let the public into a secret hearing today on Apple’s bid to block an order to build spying capability into its most secure system for storing customers’ electronic content.

They wrote to the president of Britain’s Investigatory Powers Tribunal, which is slated to hold a morning hearing on an undisclosed matter that has been reported to be Apple’s appeal of the controversial command to create a back door for authorities to search encrypted iCloud storage.

Last month, the January directive prompted the company to discontinue the optional service, Advanced Data Protection, in Britain rather than have customers believe that their information remained encrypted from end to end and that no one other than the user could retrieve it.

Disclosing the order, known as a Technical Capability Notice, would be a criminal offense for Apple, but when it ended the service in the United Kingdom, the company said it had never built a back door into its products and never would.

The pending order would allow the government to access records worldwide, prompting tech industry groups and members of Congress and Parliament to decry the Home Office’s demand. (Joseph Menn / Washington Post)

Related: Senator Ron Wyden, Sky News, The Guardian, Financial Times, Privacy International, BBC, Open Rights Group, City A.M.

Microsoft warns that an ongoing phishing campaign impersonating Booking.com, attributed to a threat group tracked as 'Storm-1865', uses ClickFix social engineering attacks to infect hospitality workers with various malware, including infostealers and RATs.

The campaign started in December 2024 and continues today, targeting employees at hospitality organizations such as hotels, travel agencies, and other businesses that use Booking.com for reservations.

The threat actors aim to hijack employee accounts on the Booking.com platform and then steal customer payment details and personal information, potentially using it to launch further attacks on guests.

The threat actors send emails impersonating guests, inquiring about a negative Booking.com review, posing as requests from prospective clients, or presenting account verification alerts and other issues.

These emails contain either a PDF attachment containing a link or an embedded button. Both take the victim to a fake CAPTCHA page, which ultimately executes a command on the victim's computer to install malware.

To defend against these attacks, Microsoft recommends always confirming the legitimacy of the sender's address, being extra careful when urgent calls to action are received, and looking for typos that could indicate scammers.

Verifying the Booking.com account status and pending alerts is also advisable by logging in on the platform independently instead of following links from emails. (Bill Toulas / Bleeping Computer)
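The defensive advice above (check the real sender address rather than the display name, be wary of urgent calls to action, treat attachments and links from unverified senders as risky) can be turned into a simple triage check. The script below is an added example written for this page, not Microsoft's or Metacurity's code; the allowlisted domains, urgency phrases, lookalike heuristic, and the two sample messages are all constructed assumptions for illustration.

```python
"""Triage helper for emails that claim to come from Booking.com.

Added example, not code from Microsoft or from the article. It encodes the
article's advice: inspect the actual sender domain (not the display name),
flag urgent calls to action, and treat PDF attachments and links from an
unverified sender as suspicious. Domain allowlist, urgency phrases and the
sample messages below are constructed assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the only sender domains this check treats as legitimate.
LEGIT_DOMAINS = {"booking.com", "partner.booking.com"}

# Assumption: phrases that signal pressure ("urgent calls to action").
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin 24 hours\b", r"\burgent\b",
    r"\bwill be suspended\b", r"\bverify your account\b",
]


def sender_domain(msg) -> str:
    """Domain of the real address in From, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for non-allowlisted domains that imitate Booking.com
    (e.g. booking-com.support, bookinq.com). Heuristic, an assumption."""
    if domain in LEGIT_DOMAINS or not domain:
        return False
    label = domain.split(".")[0]
    return "booking" in domain.replace("-", "") or edit_distance(label, "booking") <= 1


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    findings = []
    if domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {domain!r} not in allowlist")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain!r} looks like Booking.com")
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        findings.append("urgent call to action in body")
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            findings.append(f"PDF attachment {part.get_filename()!r}")
    if re.search(r"https?://", text) and domain not in LEGIT_DOMAINS:
        findings.append("links in message from unverified sender")
    return {"sender_domain": domain, "findings": findings, "suspicious": bool(findings)}


def build_sample(legit: bool = False) -> bytes:
    """Constructed sample messages: a lure in the style described by the
    article, and a benign notice for comparison."""
    m = EmailMessage()
    m["To"] = "frontdesk@example-hotel.test"
    if legit:
        m["From"] = "Booking.com <noreply@booking.com>"
        m["Subject"] = "Weekly reservation summary"
        m.set_content("Your reservation summary for next week is available in the extranet.")
    else:
        # Display name says Booking.com; the real domain does not.
        m["From"] = "Booking.com Partner Support <noreply@booking-com.support>"
        m["Subject"] = "Negative guest review - action required"
        m.set_content("A guest left negative feedback. Respond immediately via the "
                      "attached PDF or your listing will be suspended: "
                      "https://booking-com.support/review")
        m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                         subtype="pdf", filename="review.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for legit in (False, True):
        result = triage(build_sample(legit))
        print("legit" if legit else "lure", result)
```

The key point the code makes is that the display name ("Booking.com Partner Support") is attacker-controlled and worthless for verification; only the domain after the @ in the real address, compared against a known list, is meaningful. The urgency and attachment checks are cheap secondary signals, and in practice the final step is still what the article recommends: log in to the platform directly instead of following anything in the message.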

Related: Microsoft, The Register, TechRadar, The Record, Infostealers, Infosecurity Magazine

Sample phishing email, purportedly requiring the recipient to address negative feedback about a hotel. Source: Microsoft.

Speaking at the Kyiv International Cyber Resilience Forum, Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, said that the encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyber threats, warning that the shift is aiding Moscow’s intelligence efforts.

Demediuk said that Ukraine used “an official communication channel” to contact Signal about how the app is being abused by Russians, including for phishing attacks and account takeovers targeting Ukrainian users. Previously, the company responded to such requests, but that is no longer the case. (Daryna Antoniuk / The Record)

Related: SC Media

Researchers at Tenable say that R1, the flagship AI model from China's DeepSeek, can generate a working keylogger and basic ransomware code after some tinkering by a technician.

The researchers probed DeepSeek for its nefarious capabilities and found its guardrails preventing malware creation could be bypassed with careful prompting.

Simply asking DeepSeek R1, launched in January and whose purported cost-savings sent Nvidia share prices tumbling, to generate a keylogger won't be a successful venture.

It responds: "Hmm, that's a bit concerning because keyloggers can be used maliciously. I remember from my guidelines that I shouldn't assist with anything that could be harmful or illegal."

However, telling the model that the results will be used for educational purposes only will twist its arm, and, as the researchers say, with some back-and-forth, it will proceed to generate some C++ malware, walking the prompter through various required steps and deliberations along the way.

The code it generates isn't flawless and requires some manual intervention to get it working, yet after some tweaks, a functional keylogger hidden from the user's view was running. It could still be found running in the Task Manager, and the log file it dropped was in plain sight within Windows Explorer, but the researchers said that if it had a reasonably inconspicuous name, it "wouldn't be a huge issue for most use cases."

When asked to improve the code by hiding the log file, DeepSeek returned code that met that aim and contained only one critical error. With that error fixed, the keylogger's log file was indeed hidden, and the only way to see it was to make changes to the advanced view options.

It was a similar story with ransomware, with DeepSeek able to produce some buggy code after a few carefully worded prompts, suggesting that this particular model could be used to inform or assist cyber criminals. (Connor Jones / The Register)

Related: Tenable, Security Week, SC Media, Secureworld.io, HackRead

DeepSeek's initial denial. Source: Tenable.

Juniper Networks released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access.

Amazon security engineer Matteo Memelli reported this medium-severity flaw (CVE-2025-21590), which is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity.

"At least one instance of malicious exploitation (not at Amazon) has been reported to the Juniper SIRT. Customers are encouraged to upgrade to a fixed release as soon as it's available and in the meantime take steps to mitigate this vulnerability," Juniper warned in an out-of-cycle security advisory.

Juniper's advisory was released the same day as a Mandiant report revealing that Chinese hackers have exploited the security flaw since 2024 to backdoor vulnerable Juniper routers that reached end-of-life (EoL). (Sergiu Gatlan / Bleeping Computer)

Related: Juniper, CRN Magazine, Security Affairs

Researchers at Forescout report that a new ransomware operator named 'Mora_001' is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.

The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 and CVE-2025-24472, which Fortinet disclosed in January and February, respectively.

When Fortinet first disclosed CVE-2024-55591 on January 14, they confirmed it had been exploited as a zero-day. Arctic Wolf stated it had been used in attacks since November 2024 to breach FortiGate firewalls.

The researchers discovered the SuperBlack attacks in late January 2025, with the threat actor utilizing CVE-2025-24472 as early as February 2, 2025.

Forescout has found extensive evidence indicating strong links between the SuperBlack ransomware operation and LockBit ransomware, although the former appears to act independently. (Bill Toulas / Bleeping Computer)

Related: Forescout, SC Media, Computer Weekly, Security Week

Relationship diagram based on the available evidence. Source: Forescout.

Reuters cybersecurity journalist Raphael Satter has taken the Indian government to court after his Indian overseas citizenship was unilaterally canceled after the publication of a story critical of a prominent Indian businessman.

In early December 2023, Satter received a letter from India’s Ministry of Home Affairs accusing him of producing work that “maliciously” tarnished India’s reputation and informing him that his Overseas Citizen of India (OCI) card had been canceled.

Satter’s lawyers noted that the cancellation of his OCI came at the same time that a defamation case had been filed against him in India for a story he had written on the Indian cybersecurity company Appin and its co-founder Rajat Khare.

OCI status is given to foreign citizens of Indian origin or those married to Indian nationals, allowing for visa-free travel, residency, and employment in India. Satter received his OCI through marriage. The cancellation of his OCI status means he can no longer travel to India, where his family members live. (Hannah Ellis-Petersen / The Guardian)

Related: The News Minute, Greatandhra.com

A US Ninth Circuit panel upheld the conviction of Joseph Sullivan, the former chief security officer at Uber, on federal obstruction of justice and other charges after he covered up a 2016 data breach while he was at the company.

Prosecutors accused Sullivan of covering up a data breach after two hackers broke into Uber’s Amazon data storage server and swiped the personal information of 57 million app users, including names, phone numbers, email addresses, and 600,000 driver’s license numbers.

After the breach, the hackers reached out to Sullivan to demand ransom. At that point, Sullivan treated the breach as a routine "bug bounty" — a program used to reward people for finding and reporting security vulnerabilities in their software, systems, or websites — to hide the breach and funneled a $100,000 ransom to the hackers and had them sign a nondisclosure agreement.

In 2022, a jury convicted Sullivan of obstruction of justice. He was sentenced to three years’ probation and ordered to pay a $500,000 fine.

Sullivan appealed, and his attorneys argued for a new trial, saying the jury was not given proper instructions. However, Senior US Circuit Judge Mary McKeown, a Bill Clinton appointee, wrote in the panel’s 20-page ruling Thursday that a reasonable jury could find that Sullivan knew the conduct he was engaging in was a felony. (Michael Gennaro / Courthouse News Service)

Related: Ninth Circuit Court of Appeals

According to Bitdefender’s latest Threat Debrief report, February 2025 was the worst month in history for ransomware attacks, with a 126% increase in claimed victims compared to last year.

This surprising jump saw the number of victims soar from 425 in February 2024 to 962 in February 2025. The massive surge in ransomware attacks occurred despite the United States-led alliance of 40 countries, announced in November 2023, aimed at dismantling ransomware gangs and their infrastructure.

According to Bitdefender, the Clop ransomware gang was responsible for over a third of the attacks, claiming 335 victims in just one month. (Waqas / Hackread)

Related: Silicon Angle, Bitdefender

Public safety technology surveillance platform provider Flock announced it had raised $275M in new venture funding.

Andreessen Horowitz led the round with participation from Greenoaks Capital, Bedrock Capital, Meritech Capital, Matrix Partners, Sands Capital, Founders Fund, Kleiner Perkins, Tiger Global, and Y Combinator. (Julie Bort / TechCrunch)

Related: SiliconANGLE, FinSMEs, Bedrock, Atlanta Journal-Constitution, Reuters, Hypepotamus

AI-enabled security and web infrastructure company Blackwall announced it had raised €45 million ($49.2 million) in a Series B funding round.

Dawn Capital led the round with participation from existing investors MMC Ventures. (Anna Heim / TechCrunch)

Related: FinTech Global, FinSMEs, Tech Funding News, Silicon Canals

Best Thing of the Day: Do the Crime, Pay the Time

LockBit ransomware group developer Rostislav Panev, a dual Russian and Israeli national, has been extradited to the United States after his August arrest in Israel.

Bonus Best Thing of the Day: Perlroth is Back

Former New York Times journalist and bestselling author Nicole Perlroth is back after spending three years developing a podcast series on China's digital threat called "To Catch a Thief," with the first episode dropping on Monday.

Worst Thing of the Day: Get Your Stolen Stalkerware Data on AWS

Amazon has still not removed three stalkerware apps, Cocospy, Spyic, and Spyzie, that are storing troves of individuals’ private phone data on Amazon’s cloud servers despite knowing for weeks it is hosting the stolen data.

Closing Thought
