Trump cyber EO reverses some parts of Biden, Obama orders
Starlink endangers WH security, Nigeria convicts Chinese cybercriminals, US sentences Nigerian hacker, ICE arrests Oz hacker, Italy ends contract with spyware company Paragon, Supreme Ct. gives DOGE our social security data, BADBOX 2.0 infects 1m+ devices, EU issues cyber blueprint, much more


The Trump administration issued an executive order to streamline past administrations’ cybersecurity executive actions and strip some provisions it sees as overly prescriptive or ideological.
It amends parts of a Biden-era order signed in January before Trump’s return to the Oval Office and a cornerstone Obama-era directive signed a decade ago that authorized sanctions on individuals and firms engaged in malicious cyber activities.
The Obama order laid the groundwork for sanctioning policies used by agencies, including the State Department and the Treasury Department, to financially punish people involved in hacking activities that harm US national security.
Trump’s order “limits the application of cyber sanctions only to foreign malicious actors” and prevents “misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities,” according to a highly political fact sheet.
One significant change to Biden's order was the elimination of provisions suggesting that government agencies ramp up the use of digital ID technologies. The fact sheet argued that they would be used by “illegal aliens” and would have “facilitated entitlement fraud and other abuse.”
It also removed Biden's requirements that federal contractors attest to the security of their software, calling them in the fact sheet “unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.” (David DiMolfetta / NextGov/FCW and Anthony Ha / TechCrunch)
Related: White House, White House, Federal News Network, CyberScoop, Cybersecurity Dive, Forbes, Politico
Sources say Elon Musk’s team at the US DOGE Service and allies in the Trump administration ignored White House communications experts worried about potential security breaches when DOGE personnel installed Musk’s Starlink internet service in the complex this year.
They said those managing White House communications systems were not informed in advance when DOGE representatives went to the adjacent Eisenhower Executive Office Building roof in February to install a terminal connecting users in the complex to Starlink satellites, which Musk’s private SpaceX rocket company owns.
They also said those managing the systems couldn’t monitor such connections to stop sensitive information from leaving the complex or hackers from breaking in.
According to the sources, a “Starlink Guest” WiFi network appeared on White House phones in February, prompting users only for a password, not a username or a second form of authentication.
“Starlink doesn’t require anything. It allows you to transmit data without any kind of record or tracking,” one source said. “White House IT systems had very strong controls on network access. You had to be on a full-tunnel VPN at all times. If you are not on the VPN, White House-issued devices can’t connect to the outside.”
A full-tunnel VPN connection protects all data sent and received and can monitor or block any content.
Some former White House officials have gone to Democrats on the House Oversight Committee with their concerns, but the members have not gotten answers to their questions about Starlink. (Joseph Menn / Washington Post)
Related: Daily Beast
The Federal High Court of Nigeria convicted nine Chinese nationals and sentenced them each to a year in prison for their roles in a cybercrime syndicate that allegedly involved training and recruiting young Nigerians to commit online fraud.
Law enforcement officers from Nigeria’s Economic and Financial Crimes Commission (EFCC) arrested the gang in December, alongside 780 other people, in a large raid at a commercial premises in Lagos.
The raid, part of what the EFCC named Operation Eagle Flush, saw the agency arrest 599 Nigerians and 193 other foreign nationals, many of them Chinese, on suspicion of being involved in a range of online crimes and frauds.
According to local media reports, the EFCC said the nine Chinese nationals convicted on Thursday had been part of a “large-scale cyberterrorism and identity theft operation” and had involved the convicts illicitly accessing computer systems.
This Day, a Nigerian newspaper, cited an affidavit by EFCC investigator Kaina Garba describing Operation Eagle Flush as designed to tackle “a syndicate, primarily led by Chinese nationals, that recruits and trains Nigerian youths in cyber-fraud, including dating, romance, and investment scams.”
According to the EFCC, the culprits are part of an international cybercrime syndicate headquartered in Lagos using “advanced technology and social engineering techniques to defraud individuals and institutions globally.” (Alexander Martin / The Record)
Related: The420, Premium Times, This Day Live, Punch Newspapers, Vanguard News, TV360 Nigeria, Daily Nigerian
The US Justice Department announced that Nigerian national Kingsley Uchelue Utulu was sentenced by US District Judge Paul G. Gardephe to 63 months in prison for his role in a broad hacking, fraud, and identity theft scheme targeting US-based businesses and individuals.
Utulu previously pleaded guilty to conspiracy to commit wire fraud. According to authorities, since at least 2019, Utulu had been involved in a criminal scheme that involved hacking into the systems of US-based tax preparation companies to steal tax and other information that could be used to file fraudulent tax returns.
As part of the scheme, the cybercriminals stole information on thousands of individuals from several tax businesses, including in Texas and New York. They attempted to obtain tax returns totaling approximately $8.4 million and received at least $2.5 million.
The stolen identities were also used to file fraudulent claims with the Small Business Administration’s Economic Injury Disaster Loan program, which enabled the fraudsters to obtain at least $819,000.
In addition to a 63-month prison sentence, Utulu has been ordered to pay over $3.6 million in restitution and to forfeit roughly $290,000. (Eduard Kovacs / Security Week)
Related: Justice Department, News Central Africa, The Guardian Nigeria, The Sun Nigeria, RegTechTimes, Punch Newspapers, Hoodline, Nigerian Eye, Chronicle, ITWeb.co.za, Security Week
US immigration officers have arrested David Kee Crees, an Australian “hacker” known as DR32, who this year pleaded guilty to more than a dozen charges related to computer fraud in an American federal court.
A South Australian court granted his extradition to Colorado in 2022 to face a 22-count indictment, although Crees did not make his first appearance until early 2024.
According to local media reports, he pleaded guilty to 14 charges in January, tied to his activities between June 2020 and July 2021, and was sentenced last month to time served. (Heath Parkes-Hupton / News.com)
Related: Daily Mail, The Advertiser, Databreaches.net, ICE on Instagram

According to a special report by an Italian parliamentary inquiry committee, the contract between Italy's intelligence services and the offensive cyber company Paragon has been canceled.
Paragon cited an Italian decision not to proceed with a proposed technical process that would have confirmed whether its spyware was used against a prominent journalist.
"The company offered both the Italian government and parliament a way to determine whether its system had been used against the journalist," and since "Italian authorities chose not to proceed with this solution, Paragon terminated its contracts in Italy," Paragon said in a statement.
Last week, a special Italian parliamentary committee confirmed that the country's intelligence services used the Graphite spyware developed by Paragon to hack the phones of pro-immigration activists.
However, the committee said it found no evidence that the spyware had been used against prominent investigative journalist Francesco Cancellato, the case that initially triggered the investigation. (Omer Benjakob / Haaretz)
Related: Columbia Journalism Review, TechCrunch
The US Supreme Court ruled that DOGE can access Americans' sensitive social security data, with the three liberal judges, Sonia Sotomayor, Elena Kagan, and Ketanji Brown Jackson, dissenting from the opinion.
In her dissent, Jackson wrote, “The government wants to give DOGE unfettered access to this personal, non-anonymized information right now — before the courts have time to assess whether DOGE’s access is lawful.” (Jeanne Sahadi / CNN)
Related: NPR, NBC News, Democracy Docket, France24, USA Today, The Washington Post, CBS News
The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies for malicious activity.
The BADBOX botnet is commonly found on Chinese Android-based smart TVs, streaming boxes, projectors, tablets, and other Internet of Things (IoT) devices.
"The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services that cyber criminal actors exploit by either selling or providing free access to compromised home networks to be used for various criminal activity," the FBI said.
These devices come preloaded with the BADBOX 2.0 malware botnet or become infected after installing firmware updates and through malicious Android applications that sneak onto Google Play and third-party app stores.
Once infected, the devices connect to the attacker's command and control (C2) servers, where they receive commands to execute on the compromised devices.
In a joint operation led by HUMAN's Satori team and Google, Trend Micro, The Shadowserver Foundation, and other partners, the BADBOX 2.0 botnet was disrupted again to prevent over 500,000 infected devices from communicating with the attacker's servers.
However, even with that disruption, the botnet continues to grow as consumers purchase more compromised products and connect them to the Internet.
The FBI strongly advises consumers to protect themselves from the botnet by assessing all IoT devices connected to home networks for suspicious activity, never downloading apps from unofficial marketplaces offering "free streaming" apps, monitoring Internet traffic to and from home networks, and keeping all devices updated with patches. (Lawrence Abrams / Bleeping Computer)
Related: IC3, Hot Hardware, Cybernews, SC Media, Forbes, TechRadar, The Record, TechSpot, Infosecurity Magazine, CEPro, Security Affairs, Help Net Security, Dark Reading, Ars Technica

The Council of the European Union approved a crisis management initiative that seeks to improve "the EU's overall preparedness for multi-dimensional hybrid threats."
The EU Cyber Blueprint "serves as a practical tool for member states and EU bodies to work together to prepare for and respond to a cyber crisis that could affect our critical infrastructure and public security," said Henna Virkkunen, executive vice president of the European Commission for technology sovereignty.
The Cyber Blueprint recommends that the national computer incident response teams coordinate with the European cyber crisis liaison organization network - EU-CyCLONe - to identify cyber incidents that could escalate to transnational disruptive hacks. It encourages organizations to share information on incidents, tactics, and actively exploited vulnerabilities to prevent and deter such hacks.
ENISA, the European Union Agency for Cybersecurity, will monitor the operations of CIRTs and EU-CyCLONe. The initiative will help strengthen the EU's "cooperative efforts" to tackle threats facing its critical infrastructure, said ENISA Director Juhan Lepassaar. (Akshaya Asokan / GovInfoSecurity)
Related: European Council, ENISA, Industrial Cyber, AML Intelligence, EU Business, Politico EU, EU Today
SentinelLABS, the threat intel and research arm of security shop SentinelOne, uncovered new clusters of malicious activity in a series of intrusions between July 2024 and March 2025 involving ShadowPad malware and post-exploitation espionage activity that SentinelOne has dubbed "PurpleHaze," which the researchers attribute to China, specifically APT15 and UNC5174.
APT15, also known as Ke3chang and Nylon Typhoon, is a suspected Chinese cyberspy crew that targets telecommunications, IT services, government, and other critical sectors.
UNC5174 is a cyberspy crew or individual with ties to China's Ministry of State Security that was spotted as recently as April infecting global organizations for espionage and access resale campaigns.
SentinelLABS found more than 70 victims globally across manufacturing, government, finance, telecommunications, and research. One of these was an IT services and logistics company that manages hardware logistics for SentinelOne employees.
Additionally, the security outfit's research uncovered a September 2024 intrusion into a "leading European media organization." The victims are diverse, but they all share one thing in common: they represent strategic targets as China prepares for war of the cyber or kinetic variety.
"Ultimately, this ties back to pre-positioning for conflict," SentinelOne threat researcher Tom Hegel said. (Jessica Lyons / The Register)
Related: SentinelOne, Cybersecurity Dive

To develop a deeper understanding and help others in the community, Jon DiMaggio at Analyst1, Scylla Intel, and the DomainTools Investigations Team conducted a research project that culminated in a detailed infographic called “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.”
This work follows DomainTools' previous research on tracking ransomware families and provides a visual representation of complex connections in this space.
The project's goal was to map hidden connections between criminal factions, going beyond just mapping “families” to understand their intricate relationships. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs (Tactics, Techniques, and Procedures).
Analyzing these diverse data points helped isolate valuable signals from the surrounding noise. This included overlapping IP addresses, passive DNS records, shared certificates, web content, and delivery vectors used by different groups. These infrastructure overlaps imply potential resource pooling, bulletproof hosting, or affiliate-level reuse. (Domain Tools)

At the cybercrime-focused conference Sleuthcon, security researcher Thibault Seret outlined how law enforcement crackdowns on bulletproof hosting have pushed both bulletproof hosting companies and criminal customers toward an alternative approach.
Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services to rotate and mask customer IP addresses and offer infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together.
“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, said. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”
By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations' scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it more difficult for law enforcement to get anything useful from them. (Lily Hay Newman / Wired)
Kieron Sharp, the former London detective heading the Federation Against Copyright Thefts (FACT), warns that millions of illegal streamers in the UK using modified Amazon Fire Sticks could face prosecution for their role in funding international piracy gangs.
FACT is helping prosecute gangs that sell pirated Amazon Fire Sticks through ads on Facebook. In the last five years, FACT has been involved in 23 prosecutions, leading to 36 criminals being jailed for an average of nearly three years each.
The UK Intellectual Property Office has estimated that 6.2 million Brits access illegally streamed TV and 3.9 million people watch pirated live sport. (Nick Sommerlad / Mirror)
Related: Cybernews
Hundreds of Illinois residents may have had their information stolen in a recent data breach after a hacker accessed the email of an Illinois Department of Healthcare and Family Services employee.
Officials said a hacker who had gained access to a government email account that looked trustworthy conducted a phishing campaign targeting HFS employees.
Information accessed by hackers "may have included customer names, social security numbers, driver's license or state identification card numbers, financial information related to child support, child support or Medicaid identification and case numbers, and date of birth," HFS said.
Officials said 933 people were impacted by the data breach, including 564 Illinois residents. (ABC7 News)
Related: MyStateLine, The Lansing Journal, StateScoop, WQAD, WCIA
Co-op CEO Shirine Khoury-Haq has said the business is nearing a “full and complete recovery” following the cyber attack that hit the retailer in late April.
Last month, the convenience chain was forced to shut down parts of its IT systems after detecting a malicious access attempt, which later exposed data.
The fallout from the attack had impacted all business areas, including supplier operations and customer data. The group confirmed that while customer names and contact details had been accessed, no financial data or passwords were compromised.
However, in an update published on its website June 5 and addressed to its member-owners, Khoury-Haq said the business had made “significant progress” in restoring operations, with systems now stabilised and stores seeing improved product availability.
“While there is still work to do to unwind the operational and technical impacts of the actions we had to take to block the criminals, our systems are now stable, our Food stores again have more of the products our customers want and all our businesses are continuing to serve our member-owners,” she said. (Grocery Gazette)
Related: Business Cloud, Food Manufacture, Retail Gazette, Grocery Gazette
Nintendo launched its Switch 2 console yesterday, and hackers have already found a way to exploit the system, with a user called @retr0.id on Bluesky demonstrating a userland ropchain exploit to display a framebuffer graphics demo.
This exploit does not let users play hacked or pirated games on their consoles or run unlicensed programs. It is a simple exploit, not a hack that enables native code execution. Regardless, it is a starting point for hackers and a sign that Nintendo may need to beef up the security of its Switch 2 hardware.
@retr0.id’s exploit is a userland Return-Oriented Programming (ROP) exploit. This exploit operates at the user level, on top of the Switch 2’s operating system and programs. This hack does not enable root or admin access to the system.
As of now, this Nintendo Switch 2 exploit has no practical uses. However, it is an early sign that the Switch 2 is hackable. (Mark Campbell / OC3D.net)
Related: Tom's Hardware, DL Compare
US tax resolution firm Optima Tax Relief suffered a Chaos ransomware attack, with the threat actors now leaking data stolen from the company.
The Chaos ransomware gang added Optima Tax Relief to its data leak site, claiming to have stolen 69 GB of data.
This data contains what appears to be corporate data and customer case files. Tax documents commonly contain sensitive personal information, such as Social Security numbers, phone numbers, and home addresses, which other threat actors can use for identity theft and other malicious activity. (Lawrence Abrams / Bleeping Computer)
Related: Teiss
Researchers at Kaspersky report that a new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.
The flaw, tracked under CVE-2024-3721, is a command injection vulnerability disclosed by security researcher "netsecfish" in April 2024.
The attackers leverage the exploit to drop an ARM32 malware binary, which establishes communication with the command and control (C2) server to enlist the device in the botnet. From there, the device is likely used to conduct distributed denial of service (DDoS) attacks, proxy malicious traffic, and perform other malicious actions.
Although netsecfish reported last year that approximately 114,000 internet-exposed DVRs were vulnerable to CVE-2024-3721, Kaspersky's scans show approximately 50,000 exposed devices, which is still significant.
Most infections the Russian cybersecurity firm sees as being associated with the latest Mirai variant impact China, India, Egypt, Ukraine, Russia, Turkey, and Brazil. However, this is based on Kaspersky's telemetry, and as its consumer security products are banned in many countries, this may not accurately reflect the botnet's targeting focus. (Bill Toulas / Bleeping Computer)
Related: Securelist, GBHackers
Meta removed many ads promoting "nudify" apps, AI tools used to create sexually explicit deepfakes using images of real people, after a CBS News investigation found hundreds of such advertisements on its platforms.
"We have strict rules against non-consensual intimate imagery; we removed these ads, deleted the Pages responsible for running them, and permanently blocked the URLs associated with these apps," a Meta spokesperson said.
CBS News uncovered dozens of those ads on Meta's Instagram platform, in its "Stories" feature, promoting AI tools that, in many cases, advertised the ability to "upload a photo" and "see anyone naked." Other ads in Instagram's Stories promoted the ability to upload and manipulate videos of real people. One promotional ad even read "how is this filter even allowed?" as text underneath an example of a nude deepfake. (Emmot Lyons and Leigh Kiniry / CBS News)
Related: News9
Cybersecurity services firm Guardz Cyber Ltd. said it has closed on a $56 million Series B round of venture funding.
ClearSky led the round, with the participation of Phoenix Financial and existing investors Glilot Capital Partners, SentinelOne, Hanaco Ventures, iAngels, GKFF Ventures, and Lumir. (Mike Wheatley / Silicon Angle)
Related: PR Newswire, Axios, Silicon Angle, MSSP Alert, CTech, Channel E2E
Seattle-based application delivery and security giant F5 has acquired Fletch, a San Francisco startup founded in 2020 that uses AI to help companies spot threats and reduce alert fatigue.
F5 will integrate Fletch’s “agentic AI capabilities” into its platform. “This is a big leap forward for intelligent, AI-native security,” said Kunal Anand, F5's chief innovation officer. (Taylor Soper / GeekWire)
Related: Bank Info Security, Network World, The Business Journals, Dark Reading, MSSP Alert
Best Thing of the Day: Karma Is a B*tch
In the wake of the "breakup" between Elon Musk and Donald Trump, DOGE workers are ironically scared of getting fired.
Bonus Best Thing of the Day: But What About the Flash Players and VHS Tapes?
The US Federal Aviation Administration announced it will stop using floppy discs and Windows 95, decades after those technologies became obsolete.
Worst Thing of the Day: Maybe DOGE Boys Needn't Fear Unemployment After All
DOGE workers have become deeply embedded in Mr. Trump’s administration and could be there to stay.
Bonus Worst Thing of the Day: But What About Ken and Skipper Dolls?
Researchers apparently found Chinese backdoors in digitally connected Barbie dolls.