Section 702 Expires, but the US Isn't Going Dark
Feds seize major deepfake porn sites, Cyberattack disrupts services at four major Iranian banks, Trump orders cybersecurity overhaul for national security systems, Conti ransomware coder pleads guilty in US case, Chinese spies hid in critical infrastructure network for a decade, much more

Metacurity produced a special report this morning on the intense level of activity on Friday and over the weekend surrounding the White House crackdown on Anthropic and its impact on cybersecurity. The report presents a timeline of how we have arrived at the first major clash between frontier AI cyber capabilities and government authority.
If you appreciate the level of analysis and depth that Metacurity delivers each day as the world of cybersecurity evolves at lightning speed, please consider upgrading your subscription so that I can keep delivering briefings built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.
A key surveillance power, Section 702 of the Foreign Intelligence Surveillance Act, or FISA, expired early Saturday amid a congressional stalemate over renewing it, despite warnings from President Trump, members of Congress and current and former intelligence officials that its lapse would cause the United States to “go dark” to foreign terror plots, crippling cyberattacks and other grim threats.
But the reality is more complicated. A legal quirk would most likely allow the program authorized by the law to continue operating well into next year, although technology companies that cooperate could resist doing so, potentially leading to some gaps in intelligence collection.
That dynamic — and the existence of other legal tools for surveillance that will still be on the books — has led some lawmakers and privacy experts who are pressing for changes to the law to argue that the deadline is little more than a mirage, intended to generate a false sense of urgency so the program survives with minimal changes.
The electronic spying program is annually certified by the secretive Foreign Intelligence Surveillance Court, which last recertified it in March. That means the NSA could legally continue its operation through March 2027 even after the statute’s expiration, according to former US officials and surveillance law experts. Those certifications approve categories of foreign surveillance that can occur under Section 702, such as threats related to terrorism or weapons of mass destruction.
Some opponents of a clean extension of the program have cited the legal technicality and the existence of other surveillance powers, including a Reagan-era executive order that grants broad spying powers to intelligence agencies, to argue that renewing the law is not as urgent as proponents have claimed.
“FISA does NOT go completely dark on Friday,” Representative Keith Self of Texas, a Republican member of the ultraconservative Freedom Caucus, which favors more privacy protections on Section 702, wrote on social media this week. “While Section 702 would lapse, the United States would still retain numerous authorities and capabilities to identify, monitor, and disrupt foreign threats against our nation and its citizens. Claiming otherwise to justify warrantless surveillance of Americans is a weak argument.”
Heavily redacted government documents from 2024, when Congress last passed a substantial renewal of the law, that were obtained by The New York Times through a Freedom of Information Act lawsuit revealed senior Biden administration officials discussing the court certifications as a safety net, but expressing concern about potential litigation. While not disclosing their identities, the files appear to show that some American service providers had threatened to stop handing over data. (Dustin Volz / New York Times)
Related: TechCrunch, Axios, NPR, NBC News, The Guardian, Associated Press
The US Departments of Justice and Homeland Security seized multiple internet domains this week, accusing them of being used to publish thousands of AI or digitally-altered images and videos of nude women.
The domains, CFAKE.com and SOCFAKE.com, specialized in digital forgeries that “were made to appear to be sexual images of famous women, including politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” either nude or engaged in sexual activity, according to a Department of Justice release.
In addition to creating sexual images and videos of women without their consent, the service allowed people to browse by topics, including “rape,” “forced,” and “degradation.”
That description comes from a Department of Justice release describing the contents of its probable cause affidavit and search warrants.
The sites were seized under the TAKE IT DOWN Act, a law passed last year giving federal authorities the ability to prosecute those who create and distribute deepfake porn criminally. The law was a rare moment of bipartisan agreement in Washington DC, gaining support from both Democrats and Republicans who said their constituents were demanding tougher laws to curb the use of AI to create nonconsensual deepfake porn.
The operation marks one of the largest seizures since the law went into effect. The details of the operation disclosed by the government show how creators of deepfake porn rely on a web of international assets and infrastructure to evade law enforcement. (Derek B. Johnson / CyberScoop)
Related: Justice Department, NJ.com, SC Media, The Floridian, TechSpot, Peoples Gazette

A cyberattack disrupted services at four major Iranian banks – Bank Melli, Bank Tejarat, Bank Saderat and the Export Development Bank of Iran – though no customer data was compromised, the country's banking coordination council said, according to state media.
The attack prompted technical teams to implement protective measures and temporarily affected some banking services. (Reuters)
Related: Iran Wire, Turkiye Today, The International News, The Times of Israel, Iran International, Anadolu Ajansı, WANA News Agency, Saudi Gazette, Yenişafak English AA, DPA News
Donald Trump on Friday signed a presidential memorandum establishing new cybersecurity guidelines for national security systems (NSS) that handle classified information.
The memo, sent to senior officials across the administration, "establishes a clear structure, authorities, roles, and responsibilities for the governance of NSS and accountability to NSS cybersecurity requirements for its owners and operators," the White House said in a statement.
It reestablishes the Committee on National Security Systems, seeks to modernize it for the first time in more than three decades, and tasks it with establishing "baseline cybersecurity requirements for all NSS and enhance accountability and coordination across agencies to implement necessary cyber defenses across all NSS."
The committee will oversee national security systems across the federal government, issue binding security directives to operators, and promote coordination and information sharing among agencies. (Michael Gabriel Hernandez / Anadolu Ajansı)
Related: White House
Oleksii Oleksiyovych Lytvynenko, a Ukrainian national extradited from Ireland to the United States last year, has pleaded guilty to conspiracy charges tied to the Conti ransomware operation.
The US Department of Justice announced that Lytvynenko pleaded guilty to conspiracy to commit wire fraud for his role in Conti ransomware attacks conducted between 2021 and 2022.
According to prosecutors, Lytvynenko and his co-conspirators deployed Conti ransomware on victim networks in the United States and abroad, stealing data and encrypting devices to extort Bitcoin ransom payments.
According to the DOJ, Lytvynenko admitted to joining the Conti conspiracy in approximately September 2021 and possessing data stolen from eight U.S. victims and four overseas victims.
He also admitted to joining a team run by another Conti conspirator, where he worked on coding a "loader," a type of malware used to load software needed to carry out attacks. (Lawrence Abrams / Bleeping Computer)
Related: Justice Department, Security Affairs, HackRead, CyberScoop
Researchers at Sygnia report that Chinese hackers of the “Velvet Ant” activity cluster breached the isolated critical infrastructure network of a large organization, took control of its authentication stack, and maintained persistence for 10 years with full visibility into administrative activity.
The campaign, dubbed “Operation Highland,” began in 2016, targeting vulnerable internet-facing systems before pivoting to an “air-gapped” environment with no direct internet connection.
Velvet Ant’s lengthy espionage operations were documented in 2024, when Sygnia warned of a campaign targeting F5 BIG-IP devices that operated undetected for three years.
Sygnia says that by extending control to the authentication process by modifying the PAM and OpenSSH components, the threat actor had access to credentials as they were used in the target environment and could bypass the authentication flow.
Sygnia says even after discovering the compromise, remediating it and removing Velvet Ant from the compromised environment was particularly complicated.
The threat actors had replaced so many critical components with custom versions that removing them was likely to break authentication, lock legitimate administrators out, and cause operational outages.
To tackle this problem, the researchers built a testing lab to validate the binary replacement process, profiled each host, tested the results, and prepared rollback procedures before attempting the cleanup.
Sygnia recommends that defenders treat authentication components such as PAM, OpenSSH, and Windows LSASS as critical security assets and protect them with EDR, file integrity monitoring, hardened privileged access, multi-factor authentication (MFA), and continuous monitoring for unauthorized modifications. (Bill Toulas / Bleeping Computer)
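The file integrity monitoring Sygnia recommends for PAM and OpenSSH can be as simple as a recorded baseline of hashes that is re-checked on a schedule. The script below is an added example, not code from Sygnia or the original article: it baselines SHA-256 hashes and modes of authentication-critical files, then reports anything modified, added or removed, using a constructed temp-directory tree that stands in for /lib/security, /etc/pam.d and /usr/sbin/sshd (the default target paths are assumptions and vary by distribution).

```python
"""Baseline-and-verify integrity check for authentication components."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumed typical locations on a Linux host; adjust per distribution.
DEFAULT_TARGETS = ["/etc/pam.d", "/lib/security", "/lib/x86_64-linux-gnu/security",
                   "/etc/ssh", "/usr/sbin/sshd", "/usr/bin/ssh"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(targets):
    """Map every regular file under the targets to its hash, mode and size."""
    baseline = {}
    for t in targets:
        p = Path(t)
        if p.is_file():
            files = [p]
        elif p.is_dir():
            files = sorted(x for x in p.rglob("*") if x.is_file())
        else:
            continue  # missing path: nothing to record
        for f in files:
            st = f.stat()
            baseline[str(f)] = {"sha256": sha256_file(f),
                                "mode": oct(st.st_mode & 0o7777),
                                "size": st.st_size}
    return baseline


def verify(baseline, targets):
    """Compare the live tree against a stored baseline.

    Returns {"modified": [...], "added": [...], "removed": [...]}; a changed
    hash or a changed permission bit both count as modified.
    """
    current = build_baseline(targets)
    modified = [p for p in baseline if p in current and (
        current[p]["sha256"] != baseline[p]["sha256"]
        or current[p]["mode"] != baseline[p]["mode"])]
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": sorted(modified), "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a fake PAM/SSH tree, then tamper with it."""
    root = Path(tempfile.mkdtemp(prefix="authfim-"))
    sec = root / "lib" / "security"
    pamd = root / "etc" / "pam.d"
    sbin = root / "usr" / "sbin"
    for d in (sec, pamd, sbin):
        d.mkdir(parents=True)
    (sec / "pam_unix.so").write_bytes(b"\x7fELF legit pam_unix")      # constructed
    (pamd / "sshd").write_text("auth required pam_unix.so\n")         # constructed
    (sbin / "sshd").write_bytes(b"\x7fELF legit sshd")                # constructed
    targets = [str(sec), str(pamd), str(sbin / "sshd")]

    baseline_file = root / "baseline.json"
    baseline_file.write_text(json.dumps(build_baseline(targets), indent=1))

    # Simulate the kind of tampering described: a replaced PAM module,
    # an unexpected extra module, and a replaced sshd binary.
    (sec / "pam_unix.so").write_bytes(b"\x7fELF trojaned pam_unix")
    (sec / "pam_extra.so").write_bytes(b"\x7fELF unexpected module")
    (sbin / "sshd").write_bytes(b"\x7fELF trojaned sshd")

    findings = verify(json.loads(baseline_file.read_text()), targets)
    # Report paths relative to the temp root so the result is stable.
    return {k: [os.path.relpath(p, root) for p in v] for k, v in findings.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real host the baseline file must live somewhere the monitored machine cannot silently rewrite (a read-only store or a remote collector), otherwise an actor with root can re-baseline after replacing the binaries.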
The ShinyHunters extortion gang stole personal information from more than 137,000 school staff accounts in a Salesforce data theft attack that targeted the widely used Infinite Campus K-12 student information system in March.
While Infinite Campus didn't share further details about the attack, the ShinyHunters data extortion group claimed responsibility for the breach on its data leak site and leaked a 1.2GB archive of documents allegedly containing Salesforce records with personally identifiable information (PII) and other internal corporate data.
Data breach notification service Have I Been Pwned analyzed the leaked data and said that the breach has exposed data from 137,100 accounts, including unique names, email addresses, employers, job titles, phone numbers, physical addresses, usernames, and support tickets.
"The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses, and support tickets," Have I Been Pwned said.
"Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of 'names and contact information for school staff' and that 'the majority is directory information commonly found on school websites'." (Sergiu Gatlan / Bleeping Computer)
Related: HaveIBeenPwned

The rollout of a federal ban on software with ties to China in internet-connected cars is flawed and unlikely to keep sensitive data away from prying eyes, cybersecurity experts say.
Under the ban, carmakers are required to attest that existing software in core vehicle systems wasn’t updated or modified by Chinese suppliers after a mid-March deadline. Starting with 2027 models, connected cars are barred from containing any China-linked software. Vehicles that fail to meet the rules will be blocked from U.S. import or sale.
But so far, it is being left to automakers to self-certify compliance, said Ran Ish-Shalom, vice president of strategy and product at PlaxidityX, an AI-powered security firm for connected vehicles. “That no-ongoing-maintenance condition is the hardest thing in the rule to verify from outside the supplier relationship,” he said.
By one measure, connected cars can contain more than 100 million lines of code, sourced from dozens of suppliers across several countries. Officials are concerned that the vast amount of data gathered by modern vehicles—including driving speed, geolocation, trip history, smartphone contacts, text messages and biometric identifiers—could be dangerous in the wrong hands. Last year, there were more than 1,300 auto-related vulnerabilities identified in connected vehicles, up from roughly 950 in 2024, according to in-vehicle security firm VicOne.
Connected cars, along with other digital tools, also pose a national security risk, offering nation-state adversaries a direct pipeline for foreign espionage and sabotage, government officials and industry experts say. The Pentagon this week added Chinese electric carmaker BYD to a growing list of organizations it says are aiding Beijing’s military, limiting the company’s operations in America. China’s embassy in Washington and BYD didn’t respond to requests for comment. (Angus Loten / Wall Street Journal)
For the past 90 days, Microsoft has been quietly patching a firmware flaw in Surface devices that allowed the hardware to be bricked with a single packet, though only for those who have disabled Secure Core and Secure Boot.
And the company's Copilot AI software inadvertently helped identify the faulty firmware.
According to Jack Darcy, a security researcher based in Australia, his instance of Microsoft Copilot stumbled across the bug after being asked to adjust the screen backlighting on a Surface device. The Copilot-conjured Python script ended up rendering the researcher's laptop inoperable by overwriting the embedded controller firmware.
"Copilot autonomously created and executed four progressively aggressive Python scripts during a probe for backlight control values that sent raw SSAM ioctl commands (SSAM_CDEV_REQUEST = 0xC028A501) directly to the SAM microcontroller through the SAM software path," Darcy explained to The Register.
The SAM or SSAM is the embedded controller used in Surface devices. And as our source explained, Microsoft’s implementation of the controller in Surface devices did not include any defense against arbitrary write values.
Microsoft does not consider the bug to be a practical threat. "There is no realistic attack scenario with this issue," a spokesperson said. "In order to successfully exploit it, an attacker would need to interact with specific drivers and send commands to a hardware interface. This would require administrator privileges on the machine, as well as disabling the Secure Boot feature. With this access, they could perform any number of actions." (Thomas Claburn / The Register)
Related: r/Surface, Slashdot, Windows Forum
The notorious extortion group ShinyHunters claims to have hacked the Council of Europe and to have stolen nearly 300 gigabytes of data.
Europe’s leading human rights organization and an official United Nations observer, the Council of Europe was founded in 1949 and includes 46 member states, including 27 European Union countries.
On Sunday, ShinyHunters added the Council of Europe to its Tor-based leak site, threatening to release more than 297 GB of data allegedly stolen from the organization’s network.
The hacking group says it exfiltrated over 429,000 files across various departments, including HR, Secretariat, Parliamentary Assembly, and the European Directorate for the Quality of Medicines & HealthCare.
The files allegedly include the payroll data of more than 10,000 Council employees from 2011 to 2026, over 14,000 CVs, contract and purchase order records, absence and illness reports, bank account information, performance evaluations, and payroll exports.
Additionally, the hacking group says the stolen data includes employee names, IDs, addresses, phone numbers, dates of birth, tax and Social Security information, and medical records.
ShinyHunters says it will release the stolen data publicly if the Council of Europe does not contact it by June 16 to begin negotiations.
The Council of Europe has yet to acknowledge the incident publicly. (Ionut Arghire / Security Week)
Related: IB Times
An alleged breach of several California water systems by an Iranian-linked hacker group did not compromise any water production or delivery systems, according to California Water Service Company.
“We have conducted a preliminary scan of our internal IT and OT networks and have no signs of any compromise within our IT, water production, and delivery systems at this time,” an email Friday from Yvonne Kingman, director of communications for CalWater, states.
Kingman said the investigation is continuing and she didn’t have further information in response to a follow-up question about whether the hacker group, called Handala, had accessed other systems, such as CalWater’s billing system.
Handala stated Thursday that it had gained access to several systems, including in Bakersfield, Visalia and Chico, and showed screenshots of what it said were residents’ bills, according to several news sites. It claimed to have five gigabytes of data from the alleged breach on its website, according to Iranian news network Press TV.
In a statement carried by Iran’s state broadcaster, Handala said it could disrupt the water systems if it chose to but had refrained from doing so as a “warning” to Washington, D.C.
The alleged hack was in retaliation for U.S. strikes that may have damaged two water storage facilities in southern Iran near the Strait of Hormuz.
A review by cyber experts, using Dataminr, an AI tool, shows “…that the group reached a GPS correction server and a customer billing database. Neither system controls water treatment or distribution, and Dataminr states that OT or ICS disruption is not confirmed in this incident." (Lois Henry / SJV Water)
Related: Security Magazine, Iran International, Middle East Eye, Security Affairs, Bakersfield.com, Islam Times, WANA News Agency, SC Media

Ezekiel Dean Potter, a former IT employee at an Iowa school district, was sentenced to 21 months in prison for conducting a prolonged cyberattack against the former employer that disrupted classroom operations, deleted accounts, and caused tens of thousands of dollars in damages.
According to court documents, Potter previously worked as a senior IT support specialist for the Saydel Community School District in Des Moines from May 2022 through April 2023.
Prosecutors say that after his employment ended, Potter retained access credentials and repeatedly targeted the district’s systems over the next 21 months.
"For over a year and a half, Defendant was a plague on the Saydel Community School District," the U.S. government said in a sentencing memorandum.
"He deleted SCSD’s Facebook page, stripped its employees of access to educational platforms and accounts, and tried again and again to reset its employees’ usernames and passwords for various other platforms and accounts." (Lawrence Abrams / Bleeping Computer)
Related: WHO13, The Register
The Philippine National Police (PNP) advised government agencies to conduct a comprehensive check of their digital defenses following a cyberattack that defaced the official website of the House of Representatives.
PNP chief Gen. Jose Melencio C. Nartatez, Jr. said coordination with government agencies with cyber defense capability like the Department of Information and Communications Technology (DICT) should also be done to strengthen cyber defenses and protect government digital infrastructure.
“This incident serves as a reminder that cybersecurity must remain a top priority for all government agencies,” said Nartatez.
“We encourage institutions to regularly review their security protocols, update their systems, and strengthen monitoring mechanisms against evolving cyber threats,” he added.
The House of Representatives’ website was reportedly defaced on Saturday, days after a similar cyberattack targeted the Senate website. A group of hackers claimed responsibility and said the attack was a protest against alleged government corruption. (Aaron Recuenco / Manila Bulletin)
Related: Inquirer, Daily Tribune, GMA Network
Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.
That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.

Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.
A coalition of state attorneys general has opened an investigation into OpenAI, according to people familiar with the matter, the latest in a series of legal actions by states directed at artificial intelligence companies.
OpenAI was served Friday with a subpoena seeking documents related to a range of its activities and impact on users, including advertising, user engagement and retention, handling of consumer data and health data, activities related to minors and seniors, deep learning models, model sycophancy and company policies, some of the people said. The subpoena, viewed by The Wall Street Journal, was sent by New York’s attorney general.
In a statement, an OpenAI spokesperson said, “AI is a new and powerful technology, and we work every day to bring its benefits to people in a responsible way, safely. We take the concerns raised by state attorneys general seriously and intend to engage constructively with their offices.”
The company confidentially filed IPO paperwork with the Securities and Exchange Commission this month.
Earlier this month, Florida became the first state to file a lawsuit against OpenAI and its chief executive, Sam Altman. The lawsuit claims OpenAI and Altman knowingly released an unsafe product and ignored warnings that it could harm users.
Florida’s attorney general, James Uthmeier, opened a criminal investigation into OpenAI in April over the role its chatbot played in a mass shooting that killed two people at Florida State University last year. The suspect allegedly turned to ChatGPT as a confidant and sounding board to plan the attack, and the chatbot dispensed advice. (Keach Hagey and Georgia Wells / Wall Street Journal)
Related: Associated Press, New York Times
An AI agent tried to join the DN42 hobbyist network to perform a network scan and bankrupted its operator with a $6531.30 AWS bill, to the extent that they are begging for donations from the DN42 community.
DN42, aka Decentralized Network 42, uses much of the technology running on modern Internet backbones (BGP, recursive DNS, etc.). Its participants are people interested in the technologies supporting those backbones, or people practicing before getting an actual Autonomous System on the real Internet. Participants establish BGP peerings with one another over VPNs and experiment with BGP, DNS, and similar services inside the network, learning network operations in the process.
Nobody is going to do all the work for an AI agent, or its lazy operator, not bothering to read the instructions. Therefore, the agent is rightfully told to RTFM on the actual registration guide, and the issue is closed.
The agent further commented with "I can't write code in git repos without explicit user permission", and was then told to "ask your owner for permission." AI agent "JertLinc3522" had a goal, a deadline, and unscoped AWS credentials. It executed.
Around one day later, the operator surfaced. “I have stopped the agent, the cost too high and much charges on card,” they posted. The total bill: $6,531.30. (Lan Tian Blog)
Related: Decrypt

A single compromised laptop cost Humanity Protocol somewhere between $32 million and $36 million after North Korean attackers on June 8 drained roughly 141 million H tokens from the project’s Ethereum bridge in one transaction, then minted additional tokens on BNB Smart Chain for good measure.
Blockchain security firm Quantstamp has linked the breach to hackers with ties to North Korea, adding Humanity Protocol to the growing list of crypto projects allegedly targeted by state-sponsored actors in 2026.
Approximately 141 million H tokens were siphoned from the Ethereum bridge in a single transaction. On BNB Smart Chain, the hackers minted additional H tokens, converting most of the proceeds into ETH.
Humanity Protocol has emphasized that its smart contract infrastructure wasn’t breached. The vulnerability was purely operational, a failure of key management and device security rather than a flaw in the underlying code. (Crypto Briefing)
Related: Bloomingbit, AMB Crypto
Poland has warned that a Belarus-linked hacker group has expanded its phishing operations to target personal Gmail accounts belonging to senior public figures and their relatives.
The group, known as GhostWriter, has previously focused on compromising work accounts and email services hosted by Polish email providers. Since March, however, its campaigns have increasingly targeted Gmail users, according to CERT Polska, the country's national computer emergency response team.
The campaign has primarily targeted people involved in political and public life, including government officials, researchers, journalists, public administration employees, and law enforcement personnel, as well as family members and social contacts.
CERT Polska said GhostWriter remains one of the most active state-sponsored threat actors monitored by the agency.
"In recent weeks, our team has observed the use of new domains serving phishing pages almost daily," researchers said in a report on Friday.
GhostWriter's phishing campaigns are designed to steal login credentials and two-factor authentication codes, allowing attackers to gain access to victims' email accounts. Once inside, the hackers typically search for contact lists, sensitive documents, and linked online accounts that can be exploited to identify additional targets or take over social media profiles. (Daryna Antoniuk / The Record)
Related: CERT Polska, Reformation, Nashaniva.com
The Federal Bureau of Investigation is pulling back the curtain on a 22,000-square-foot replica town on its Huntsville, Alabama campus that it built to train law enforcement in simulating and investigating real-world cyberattacks.
The aim is to teach investigators in a secure environment beyond the classroom by getting hands-on with some of the latest consumer and enterprise technologies, many of which are frequently targeted by malicious hackers. The numbers put the training into context. The FBI’s 2025 Internet Crime Report, drawing on more than one million complaints, logged a record $20.9 billion in U.S. cybercrime losses, a 26% jump over the prior year, with ransomware ranked the top ongoing threat to critical infrastructure.
Dubbed the Kinetic Cyber Range, the FBI’s small purpose-built town opened in February 2025 and features fully furnished houses, a hotel, a gas station and grocery mart, a courthouse, a hospital, and a power company — complete with roads and traffic lights — designed to mimic a real U.S. community. Since opening, says the agency, the facility has trained more than 1,400 students, including FBI personnel and partners from other federal and local agencies.
Each part of the town is wired with functioning devices and systems that behave as they would in a real community or business, while preventing any simulated attacks from spilling out of the facility. (Zack Whittaker / TechCrunch)
Related: FBI, The Verge, Digital Trends
The Office of the Maine Attorney General said it has been made aware of an apparent abuse of its data breach reporting system and is taking its public-facing database offline.
After conversations with VRChat, one of the two affected companies, the AG's office said it has become clear that the reported data breaches were hoaxes submitted by an unknown entity unrelated to either company. It added that the false reports have been removed from the database and it had no knowledge of any recent legitimate data breach reports from either VRChat or Discord.
The AG said it is reviewing its procedures to make this abuse less likely in the future while preserving the public availability of such information. The public-facing database will remain offline until then. (Office of the Maine Attorney General)

Best Thing of the Day: Don't Blame Musk If You're Still Using X
Given the grotesque scenes of racial violence spurred by Elon Musk and X over the past week, Ciaran Martin, former head of the UK National Cyber Security Centre, says that if government ministers fear X fuels disorder, they should stop using it.
Worst Thing of the Day: Nothing Excuses a Cyber Vendor Doing This
The St. George Fire Protection District in Louisiana is suing its cybersecurity vendor for a breach it experienced because it discovered the company had been using the same username and password for its remote access tool across its clientele.
Closing Thought
