CISA plans to fire 54 employees despite court injunction
Google reports new ways threat actors can use AI in their attacks, KT accused of concealing BPFDoor infection, Meta earns $7b a year in scam ads, Hackers stole data from Hyundai AutoEver America, Chinese court sentences scam operators to death, NV ransomware attack took place in May, much more

The Department of Homeland Security says it’s proceeding with planned layoffs at the Cybersecurity and Infrastructure Security Agency, despite a recent court order barring workforce reductions across parts of the federal government during the ongoing shutdown.
In a legal filing, CISA Acting Director Madhu Gottumukkala said the agency issued reduction-in-force notices to 54 employees on Oct. 11, roughly two weeks before a federal court issued a preliminary injunction pausing certain layoff activity governmentwide. The listed employees work across CISA’s Stakeholder Engagement Division, which includes branches focused on partnerships, international affairs, and academic outreach.
CISA maintains it is in compliance with the court’s order, saying that no new reduction notices have been issued since the injunction, the October layoffs were planned beforehand, and they involve no union-represented employees.
The injunction barred any layoffs since the Oct. 1 start of the shutdown, but applied only to “competitive areas” – the groupings of employees that agencies must create before engaging in RIFs – that contain members of one of the unions party to the lawsuit. Because CISA did not send layoff notices to any staffing groups that contained such union-represented workers, the agency argued it can proceed with the cuts.
In a table included in Gottumukkala’s filing, each affected division employee is marked “No” in a column headed “Covered by Injunction.” The declaration appears to account only for the 54 layoffs within CISA’s Stakeholder Engagement Division; however, employees in other CISA divisions were also affected by shutdown layoffs.
In a statement to Nextgov/FCW, CISA Director of Public Affairs Marci McCarthy said that “the agency does not comment on pending litigation and the government’s filings speak for themselves.” (David DiMolfetta / NextGov/FCW)
Related: Federal News Network, Court Listener, Court Listener

Google’s Threat Intelligence Group (GTIG) reports that threat actors are incorporating AI into their attack chains, revealing new and notable ways in which malware has leveraged artificial intelligence that go beyond mere productivity gains.
For some time now, cybercriminals and state-sponsored threat actors have been leveraging AI to develop and enhance malware, plan attacks, and create social engineering lures.
The cybersecurity industry has also observed and demonstrated the potential for malware to utilize AI during execution.
Google researchers have come across several pieces of malware that use AI during an attack. While some of them have been described as “experimental threats”, such as an earlier piece of researcher-derived malware called PromptLock, others have been used in the wild.
Another experimental AI-powered malware seen by Google is PromptFlux, a dropper that can “regenerate” itself by rewriting its code and saving the new version in the Startup folder for persistence.
“PromptFlux is written in VBScript and interacts with Gemini’s API to request specific VBScript obfuscation and evasion techniques to facilitate ‘just-in-time’ self-modification, likely to evade static signature-based detection,” GTIG researchers explained.
One of the pieces of malware seen in the wild is FruitShell, a reverse shell written in PowerShell that enables arbitrary command execution on compromised systems. The malware includes hardcoded AI prompts designed to bypass detection and analysis by AI-powered security solutions.
Another malware family highlighted by GTIG is PromptSteal, a Python-based data miner that leverages the Hugging Face API to query the Qwen2.5-Coder-32B-Instruct LLM in order to generate one-line Windows commands for collecting system data and documents from specific folders.
The last example highlighted by Google is QuietVault, a credential stealer developed in JavaScript designed to collect NPM and GitHub tokens. The malware uses an AI prompt and AI command-line interface tools installed on the compromised host to look for other secrets on the system.
The company also warns that the underground marketplace for AI tools is maturing. Its researchers have seen multifunctional tools designed for malware development, phishing, and vulnerability research. (Eduard Kovacs / Security Week)
Related: The Keyword, Google Cloud, Google, National CIO Review, SDX Central, IT News, Silicon Angle, The Register, CSO Online, Ars Technica

A government investigation found that KT Corp., South Korea's second-largest mobile carrier, concealed critical malware infections and failed to report the security breaches that led to a recent hacking and data theft incident.
The joint government-private investigation team, which is examining KT's recent cyberattack linked to illegal micro base stations, said the company learned between March and July of 2024 that 43 of its servers had been infected with so-called BPFDoor malware and other malicious code.
Despite detecting the infections, which exposed customer data, the company did not notify authorities and instead attempted to handle the issue internally, according to the team.
BPFDoor malware enables remote attackers to bypass firewalls and maintain long-term access to compromised systems. It was also used in a separate hacking case involving industry leader SK Telecom Co., reported earlier this year.
Investigators confirmed that the infected KT servers contained customers' personal information, including names, phone numbers, and email addresses, as well as international mobile equipment identity (IMEI) data.
The team said it regards the concealment as being of "grave concern" and plans to work with relevant authorities to determine proper legal measures. (Kang Yoon-seung / Yonhap News Agency)
Related: Chosun Biz, The Chosun
A cache of previously unreported documents shows that for at least three years, Meta failed to identify and stop an avalanche of ads that exposed Facebook, Instagram, and WhatsApp’s billions of users to fraudulent e-commerce and investment schemes, illegal online casinos, and the sale of banned medical products.
On average, one December 2024 document notes, the company shows its platforms’ users an estimated 15 billion “higher risk” scam advertisements – those that show clear signs of being fraudulent – every day. Meta earns about $7 billion in annualized revenue from this category of scam ads, another late 2024 document states.
Much of the fraud came from marketers acting suspiciously enough to be flagged by Meta’s internal warning systems. But the company only bans advertisers if its automated systems predict the marketers are at least 95% certain to be committing fraud, the documents show.
If the company is less certain but still believes the advertiser is a likely scammer, Meta charges higher ad rates as a penalty, according to the documents. The idea is to dissuade suspect advertisers from placing ads. The documents further note that users who click on scam ads are likely to see more of them because of Meta’s ad-personalization system, which tries to deliver ads based on a user’s interests.
The details of Meta’s confidential self-appraisal are drawn from documents created between 2021 and this year across Meta’s finance, lobbying, engineering, and safety divisions. Together, they reflect Meta’s efforts to quantify the scale of abuse on its platforms – and the company’s hesitancy to crack down in ways that could harm its business interests. Meta’s acceptance of revenue from sources it suspects are committing fraud highlights the lack of regulatory oversight of the advertising industry, said Sandeep Abraham, a fraud examiner and former Meta safety investigator who now runs a consultancy called Risky Business Solutions.
In a statement, Meta spokesman Andy Stone said the documents seen by Reuters “present a selective view that distorts Meta’s approach to fraud and scams.” (Jeff Horwitz / Reuters)
Related: CollectiveMetrics.org, Wired

Hyundai AutoEver America is notifying individuals that hackers breached the company's IT environment and gained access to personal information.
The company discovered the intrusion on March 1, but the investigation revealed that the attacker had access to the systems since February 22nd.
Hyundai AutoEver America (HAEA) is an affiliate of Hyundai Motor Group that provides IT consulting, managed services, and helpdesk support for the entire lifecycle of automotive IT from production to retirement.
“On March 1, 2025, HAEA became aware of a cyber incident that impacted our information technology environment,” according to a notification sent to impacted individuals.
“Upon discovery, we immediately launched an investigation with the support of external cybersecurity experts to assess the scope of the incident, confirm containment, and identify any affected information,” the company says.
“HAEA also worked with law enforcement. Through our investigation, we determined that the unauthorized activity appears to have begun on February 22, 2025, and the last observed unauthorized activity occurred on March 2, 2025.”
Regarding the types of information exposed, the letter sample only mentions names, but the Massachusetts government portal also lists Social Security Numbers (SSNs) and driver’s licenses.
It is unclear if the breach impacts only employees or customers/users as well, and how many people were impacted specifically. (Bill Toulas / Bleeping Computer)
Related: California Office of Attorney General, GBHackers
A Chinese court has sentenced five top members of an infamous Myanmar mafia to death as Beijing continues its crackdown on scam operations in Southeast Asia.
In all, 21 Bai family members and associates were convicted of fraud, homicide, injury, and other crimes, said a state media report published on the court website.
The family is among a handful of mafias that rose to power in the 2000s and transformed the impoverished backwater town of Laukkaing into a lucrative hub of casinos and red-light districts.
In recent years, they pivoted to scams in which thousands of trafficked workers, many of them Chinese, are trapped, abused, and forced to defraud others in criminal operations worth billions.
Mafia boss Bai Suocheng and his son Bai Yingcang were among the five men sentenced to death by the Shenzhen Intermediate People's Court. Yang Liqiang, Hu Xiaojiang, and Chen Guangyi were the other three.
Two members of the Bai family mafia were handed suspended death sentences. Five were sentenced to life imprisonment, while nine others were given jail sentences ranging from three to 20 years.
The Bais, who controlled their own militia, established 41 compounds to house their cyberscam activities and casinos, authorities said.
These criminal activities involved more than 29 billion Chinese yuan ($4.1bn; £3.1bn). They also led to the deaths of six Chinese citizens, the suicide of one, and multiple injuries, state media reported. (Koh Ewe / BBC News)
Related: The Record, Protos, ABC.net.au, South China Morning Post, CBS News, The Irrawaddy
A ransomware attack on Nevada government systems, which was discovered in August, occurred as early as May when a state employee mistakenly downloaded malicious software, and cost at least $1.5 million to recover, according to an after-action report the state released.
“Nevada’s teams protected core services, paid our employees on time, and recovered quickly — without paying criminals,” Gov. Joe Lombardo said in a statement announcing the report. “This is what disciplined planning, talented public servants, and strong partnerships deliver for Nevadans.”
Nevada officials maintain the state did not pay the ransom, the amount of which was not disclosed. The attacker has yet to be identified, and the incident is still under investigation.
The attack against Nevada was a “fairly large ransomware against a state,” according to Gregory Moody, director of cybersecurity programs at UNLV. This attack was able to spread through the state more quickly because of the decentralized nature of Nevada’s cyber systems, he said.
Nevada’s response time was good compared to others, he said. It typically takes between seven and eight months to discover an attacker in a system, and Nevada officials caught it faster than is usual, Moody said.
The attack cost 4,212 overtime hours – or about $211,000 in direct overtime wages – and $1.3 million for help from contractors, according to the report. The $1.3 million was covered by the state’s cyber insurance, according to the governor’s office.
The cost could have been much higher, Moody said. When a data breach targeted the Las Vegas-based MGM Resorts in 2023, it was expected to cost the casino giant more than $100 million. (Jessica Hill / Associated Press)
Related: Nevada Governor Joe Lombardo, Government Technology, This Is Reno, Las Vegas Sun, MyNews4, Las Vegas Review-Journal, KTNV
Approximately 850 electric buses operating in Norway can be fully controlled from China, according to a secret test conducted by the public transport authority.
More than 1,350 Chinese electric buses are in operation throughout Norway. Around 850 of these are from Yutong, one of China's largest electric bus manufacturers, as reported by the portal "piataauto." Recently, Ruter, the public transport operator responsible for the capital Oslo and its surrounding area, conducted a secret test in a disused underground mine.
The aim was to investigate the cybersecurity of the Chinese and Western buses operated by Ruter. The Dutch bus did not pose a cybersecurity risk.
Ruter informed the Norwegian Ministry of Transport of these findings. For buses purchased from now on, procedures to eliminate these risks will be established. (Jenny-Natalie Schuckardt / Focus Online)
Related: Ruter
SonicWall's investigation into the September security breach that exposed customers' firewall configuration backup files concludes that state-sponsored hackers were behind the attack.
The network security company says that incident responders from Mandiant confirmed that the malicious activity had no impact on SonicWall's products, firmware, systems, tools, source code, or customer networks.
“The Mandiant investigation is now complete. Their findings confirm that the malicious activity – carried out by a state-sponsored threat actor – was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call,” SonicWall states.
More recently, on October 13, Huntress reported seeing elevated malicious activity targeting SonicWall SSLVPN accounts and successfully compromising over a hundred of them using valid credentials.
Huntress did not find any evidence connecting these attacks to the September firewall configuration files exposure. (Bill Toulas / Bleeping Computer)
Related: SonicWall, Security Affairs, Security Week, TechRadar
According to a cybersecurity researcher operating under the pseudonym "Gootloader," the Gootloader malware loader operation has returned after a 7-month absence and is once again performing SEO poisoning to promote fake websites that distribute the malware.
Gootloader is a JavaScript-based malware loader spread through compromised or attacker-controlled websites, used to trick users into downloading malicious documents.
The websites are promoted in search engines either via ads or through search engine optimization (SEO) poisoning, which ranks a website higher in the results for a particular keyword, like legal documents and agreements.
In the past, these websites would display fake message boards that pretended to discuss users' queries, with some posts recommending (malicious) document templates that could be downloaded. The SEO campaigns later switched to using websites that pretend to offer free templates for various legal documents.
"Gootloader" has been tracking and actively disrupting the malware operation for years by filing abuse reports with ISPs and hosting platforms to take down attacker-controlled infrastructure.
The researcher told BleepingComputer that his activities led to the Gootloader operation suddenly ceasing on March 31st, 2025.
The researcher and Anna Pham of Huntress Labs now report that Gootloader has returned in a new campaign that once again impersonates legal documents.
"In this latest campaign, we've observed thousands of unique keywords spread over 100 websites," reads a new blog post by the Gootloader researcher. "The ultimate goal remains the same: convince victims to download a malicious ZIP archive containing a JScript (.JS) file that establishes initial access for follow-on activity — usually leading to ransomware deployment." (Lawrence Abrams / Bleeping Computer)
Related: Gootloader Details
Researchers at ESET report that Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue source.
The attacks occurred in June and September and continue Sandworm's (also known as APT44) string of destructive operations in Ukraine.
ESET's new report covers advanced persistent threat (APT) activity between April and September 2025 and presents several cases of wipers deployed in Ukraine, some of them targeting the country’s grain production.
This is a new development, as attackers are now focusing on a vital part of Ukraine’s economy: grain exports are a primary source of income, especially during the war.
“In June and September, Sandworm deployed multiple data-wiping malware variants against Ukrainian entities active in the governmental, energy, logistics, and grain sectors,” explains ESET.
“Although all four have previously been documented as targets of wiper attacks at some point since 2022, the grain sector stands out as a not-so-frequent target.”
“Considering that grain export remains one of Ukraine’s main sources of revenue, such targeting likely reflects an attempt to weaken the country’s war economy.”
APT44 also deployed ‘ZeroLot’ and ‘Sting’ wipers in April 2025, targeting a university in Ukraine. Sting was executed through a Windows scheduled task named after the traditional Hungarian dish goulash. (Bill Toulas / Bleeping Computer)
Related: We Live Security, Help Net Security

Researchers at Proofpoint report that a previously unknown cyber actor, which they track as UNK_SmudgedSerpent, targeted academics and foreign policy experts between June and August 2025.
The group targeted individuals focused on Iran and global political developments, initiating contact through seemingly harmless conversations before attempting to steal credentials and deliver malware.
This activity combined techniques typically seen across multiple Iranian-linked threat groups, yet did not align cleanly with any single one. Proofpoint said the cluster shares traits with TA453, TA455, and TA450, but the overlaps are not strong enough for definitive attribution.
Though the group’s timing aligned with heightened Iran–Israel tensions, Proofpoint found no direct connection to those events.
Instead, researchers suggested possible explanations for the tactical overlap, ranging from shared infrastructure procurement to personnel movement between Iranian contracting outfits. The blending of lure styles, infrastructure, and malware across known clusters further complicates attribution.
“The appearance of a new actor with borrowed techniques suggests there may be personnel mobility or exchange between teams, but with a consistent remit; however, there is no confirmed attribution for UNK_SmudgedSerpent at the time of writing,” Proofpoint said. (Alessandro Mascellino / Infosecurity Magazine)
Related: Proofpoint, Dark Reading
US District Judge Robert Lasnik reimposed a sentence on Paige Thompson, the former Amazon Web Services engineer convicted in the 2019 Capital One data breach that compromised the personal information of more than 100 million people.
He sentenced Thompson to time served, plus five years of supervised release with three years of home confinement, and 250 hours of community service. The judge also maintained the original $40.7 million restitution order.
The resentencing, issued last week, follows a Ninth Circuit Court of Appeals decision that vacated Thompson’s original 2022 sentence after prosecutors appealed the original sentence as too lenient.
Lasnik acknowledged his “poor job of articulating the reasons” for the original sentence but maintained that imprisonment would be “greater-than-necessary punishment” after analyzing all legally required sentencing factors. (Greg Otto / CyberScoop)
Best Thing of the Day: Casting a Spotlight on the Power of Cloud Giants
In the wake of high-profile cloud company outages, watchdog groups are calling on federal regulators to scrutinize the role that massive cloud companies like Amazon and Microsoft play in owning and maintaining much of our collective backend IT infrastructure.
Worst Thing of the Day: Times Are Getting Tougher for CISOs
80% of CISOs say they’re under high or extreme pressure right now, 73% have already faced a significant cyber incident in the past six months, and over half say they’re personally blamed when breaches occur.
Closing Thought
