Balancing budget cuts and cybersecurity.

The White House is urging federal agencies not to lay off cybersecurity teams. Google doesn’t deny receiving a secret legal order from the UK government. Microsoft researchers identify a simple method to bypass AI safety guardrails. Scammers are impersonating the Clop ransomware gang. Cisco issues security advisories for multiple IOS XR vulnerabilities. CISA warns of multiple ICS security issues. A LockBit ransomware developer has been extradited to the U.S. GCHQ’s former director calls for stronger cybersecurity collaboration. Rick Howard and Kim Jones pass the mic for the CISO Perspectives podcast. Sniffing out Stingrays.

Today is Friday March 14th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

We begin today with a quick correction. Earlier this week we reported on a security advisory from CISA highlighting vulnerabilities from Ivanti and VeraCore. I misspoke, tagging VeraCode in our reporting instead of VeraCore. We regret the error, and appreciate the kind note from the fine folks at VeraCode bringing it to our attention.

The White House is urging federal agencies not to lay off cybersecurity teams.

The White House is urging federal agencies not to lay off cybersecurity teams as they submit budget cut plans. U.S. federal CIO Greg Barbaccia emphasized in an email that cybersecurity is national security and should be protected. The warning comes amid concerns that deep budget cuts mandated by President Trump and adviser Elon Musk could weaken national cyber defenses. Former NSA cybersecurity director Rob Joyce warned that mass layoffs would be “devastating.” The Musk-led Department of Government Efficiency (DOGE) has also drawn criticism for granting unusually broad access to sensitive government data. At the Social Security Administration, officials raised alarms about the security risks posed by DOGE. Meanwhile, the Department of Homeland Security’s CISA has already lost over 130 positions as of mid-February.

Elon Musk reportedly visited the NSA on Wednesday, meeting with leadership to discuss staff cuts and operations. The NSA, a key player in U.S. cybersecurity and home to Cyber Command, is under Musk’s scrutiny as he pushes for government downsizing. His visit signals potential changes to intelligence and cyber operations. While Musk recently called for an NSA overhaul, he hasn’t detailed specific reforms. Intelligence officials are bracing for swift changes that could impact national cybersecurity.

Google doesn’t deny receiving a secret legal order from the UK government. 

Google has refused to deny receiving a secret legal order from the UK government, raising concerns among U.S. lawmakers. A bipartisan group in Congress fears that British authorities may be demanding access to encrypted messages from U.S. tech companies. This follows reports that Apple received a similar order, known as a Technical Capability Notice (TCN), which it is reportedly contesting in a closed court hearing. Lawmakers criticized the secrecy surrounding these orders, arguing it hinders congressional oversight and threatens Americans’ privacy. Under the UK’s Investigatory Powers Act, companies that receive a TCN are barred from confirming it. Experts, including from Britain’s intelligence community, have called for more transparency, with academics warning that the government’s refusal to clarify the situation is unsustainable and unjustifiable.

Microsoft researchers identify a simple method to bypass AI safety guardrails. 

Microsoft researchers have identified a simple yet effective method to bypass AI safety guardrails, called the Context Compliance Attack (CCA). Unlike complex prompt engineering techniques, CCA manipulates AI systems by injecting fabricated conversation history, making them perceive restricted content as a legitimate follow-up request. This vulnerability affects major AI models, including GPT, Claude, Llama, and Gemini, highlighting a fundamental flaw in systems that rely on client-supplied chat history. Open-source models are especially vulnerable, as they cannot verify message authenticity. While stateless architectures improve scalability, they also allow attackers to manipulate context. Microsoft suggests mitigating this risk through cryptographic signatures and server-side conversation tracking. The attack’s effectiveness underscores the need for a more comprehensive AI security strategy beyond traditional input filtering. Microsoft has made CCA available for research via its PyRIT toolkit.

Scammers are impersonating the Clop ransomware gang. 

Barracuda researchers warn that scammers are impersonating the Clop ransomware gang to extort businesses. Unlike real Clop attacks, fake extortion emails lack key elements like payment deadlines, secure chat links, and company names. These scams reference media reports about actual Clop breaches to seem legitimate. Similar fraud tactics have been seen with BianLian ransomware impersonations. 

Cisco issues security advisories for multiple IOS XR vulnerabilities. 

Cisco has issued security advisories for multiple IOS XR vulnerabilities, highlighting a critical BGP confederation memory corruption flaw (CVE-2025-20115) with a CVSS score of 8.6. The bug allows remote attackers to cause denial-of-service (DoS) by sending crafted BGP updates containing excessively long AS_CONFED_SEQUENCE attributes. This impacts IOS XR versions 7.11, 24.1, and 24.2 up to 24.2.20. Cisco has released patched versions (24.2.21, 24.3.1, and 24.4) and provided a workaround for restricting AS path lengths. While no known exploits exist, organizations should update immediately or implement mitigation policies to prevent potential network-wide disruptions. 

CISA warns of multiple ICS security issues. 

CISA has issued multiple ICS security advisories, warning of critical vulnerabilities in Siemens, Philips, and Sungrow products. These flaws, affecting industrial control systems (ICS), include memory corruption, authentication bypass, privilege escalation, and unauthorized file access. Key risks include remote code execution, data exposure, and denial-of-service attacks across manufacturing, energy, and healthcare sectors. CISA urges immediate updates, network segmentation, and access restrictions to mitigate threats. 

A LockBit ransomware developer has been extradited to the U.S. 

The US Justice Department announced the extradition of Rostislav Panev, a LockBit ransomware developer, from Israel to the United States. Panev, a Russian-Israeli national, admitted to developing malware features that disabled security software, spread infections, and printed ransom notes. He worked for LockBit from 2022 to 2024, earning over $230,000 in cryptocurrency. LockBit, which extorted $500 million from 2,500+ victims worldwide, suffered a law enforcement takedown in 2024. The US has charged seven individuals, offering rewards of up to $10 million for fugitives.

GCHQ’s former director calls for stronger cybersecurity collaboration. 

Sir Jeremy Fleming, former GCHQ director, warns that geopolitical tensions and cyber threats are at an all-time high, requiring stronger cybersecurity collaboration. Speaking at Palo Alto Networks’ Ignite event in London, he stressed the growing impact of nation-state cyberattacks, ransomware, and disinformation campaigns. Critical infrastructure attacks, mega breaches, and covert cyber intrusions are increasing, with ransomware remaining the top cybercrime threat. While basic cybersecurity measures help against most threats, nation-state attacks are harder to prevent. Fleming urged organizations to integrate geopolitical intelligence with cyber threat analysis and enhance cyber information-sharing across the industry. He emphasized that no single company can combat threats alone, advocating for faster, broader collaboration to detect nation-state cyber activity before it escalates.

Sniffing out Stingrays.

And finally, as regular listeners of our Caveat law and policy podcast are well aware, for years, StingRay devices, or cell site simulators, have been the nosy eavesdroppers of the digital age, lurking in the shadows and pretending to be legitimate cell towers, tricking phones into spilling their secrets. Law enforcement loves them, privacy advocates hate them, and the rest of us just wonder if our phones are snitching on us.

Enter Rayhunter, the EFF’s new open-source watchdog, designed to sniff out these pesky impostors. Running on a cheap $20 mobile hotspot, Rayhunter detects suspicious cell tower behavior—like forced downgrades to insecure networks or unusual IMSI requests. No PhD in hacking required. If something fishy happens, Rayhunter turns red, letting users know it’s time to shut down or alert the community.

The goal? Real data on StingRay use, not just paranoia. With enough users worldwide, we might finally expose how, when, and where these digital spies operate. 

And that’s the CyberWire.

 

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.