Risky Bulletin: Black Basta Implodes, Internal Chats Leak Online
Hosted by risky.biz
Release Date: February 21, 2025
Introduction
In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the most pressing cybersecurity developments. From the implosion of a notorious ransomware group to sophisticated cyber attacks targeting critical infrastructure, the episode covers a wide range of topics that are shaping the cybersecurity landscape. Below is a detailed summary of the key discussions, insights, and conclusions presented in this episode.
1. Black Basta Ransomware Group Implodes and Internal Chats Leaked
At the outset, Claire Aird reports on the dramatic downfall of the Black Basta ransomware group. According to security firm Prodaft, an internal group chat containing nearly 200,000 messages spanning about a year was leaked online following an affiliate attack on a Russian bank.
“The Black Basta ransomware internal group chat has been leaked online,” Aird stated at [00:10], highlighting the scale and significance of the leak.
Black Basta, an offshoot of the infamous Conti gang, launched in early 2022 but ceased operations in 2024 due to internal conflicts. The leak provides unprecedented insight into the group's operations, strategies, and eventual disintegration.
2. Russian Military Hackers Exploit Signal’s QR Code Feature
A significant portion of the episode covers the malicious activities of Russian military hackers, specifically the Sandworm group, who are abusing Signal’s QR code device-linking feature.
“Russia's Sandworm group is inviting victims into Signal group chats that contain malicious QR codes,” Aird explained at [00:20], detailing how scanning these codes lets attackers surveil communications by linking the victim’s Signal account to a Russian-controlled device.
This sophisticated phishing tactic has primarily targeted individuals within Ukraine’s government and military, enabling Russian forces to intercept and monitor sensitive communications. Additionally, captured Ukrainian soldiers’ Signal accounts have been hijacked for further phishing attempts.
3. Chinese APT Malware Utilized in Global Ransomware Attacks
The podcast further explores how Chinese Advanced Persistent Threat (APT) groups have repurposed malware such as PlugX and ShadowPad in ransomware campaigns across 15 countries.
“Three security firms say malware used by Chinese APT crews was also used in ransomware attacks across 15 countries,” Aird reported at [00:35].
These complex backdoors were stealthily deployed to compromised networks, laying the groundwork for ransomware payloads such as RA World and the emerging NailaoLocker. This convergence of espionage tooling and ransomware underscores an evolving threat landscape in which nation-state tradecraft is leveraged for financial gain.
4. Microsoft Patches Zero-Day Vulnerability in Power Pages
In a critical security update, Microsoft has patched a zero-day vulnerability in its Power Pages website builder.
“Microsoft patches a zero-day vulnerability in its Power Pages website builder,” Aird informed listeners at [00:50].
This vulnerability had been actively exploited, allowing threat actors to register privileged accounts on websites built with Power Pages. While Microsoft has not disclosed the specifics of the attacks, affected customers have been notified to take necessary precautions.
5. Exploit Chaining Targets Palo Alto Networks Firewalls
Palo Alto Networks firewalls have become targets of a sophisticated exploit chain involving three separate vulnerabilities.
“Threat actors are chaining three exploits together to hack Palo Alto Networks' firewalls,” Aird announced at [01:05].
Two of these vulnerabilities were patched only recently, while the third was first discovered in November. GreyNoise initially spotted the exploitation attempts, and Palo Alto Networks then uncovered the full exploit chain, highlighting the ongoing arms race between cybersecurity firms and malicious actors.
6. Ghost Ransomware Group Remains Active
The Ghost ransomware group remains a persistent threat, as highlighted by CISA.
“CISA has warned that old-school ransomware group Ghost is still active and launching attacks,” Aird conveyed at [01:20].
Ghost is expanding its targets to include Microsoft Exchange and ColdFusion servers, in addition to its traditional focus on Fortinet devices. Notably, the group continues to exploit two 15-year-old vulnerabilities in ColdFusion, demonstrating the enduring risk posed by unpatched legacy systems.
7. Pegasus Spyware Detected on Multiple Devices
Mobile security firm iVerify has identified traces of the notorious Pegasus spyware on 11 devices out of 18,000 customer devices scanned in December.
“Mobile security firm iVerify has found traces of the Pegasus spyware on 11 devices,” Aird reported at [01:35].
This follows earlier detections in 2024, indicating that despite efforts to curb its spread, Pegasus continues to infiltrate devices, posing significant privacy and security risks to users worldwide.
8. SEC Establishes Cyber and Emerging Technologies Unit
In a move to bolster investor protection, the U.S. Securities and Exchange Commission (SEC) is forming a new Cyber and Emerging Technologies Unit.
“A new U.S. Securities and Exchange Commission team will be tasked with protecting investors in Emerging Technologies,” Aird explained at [01:50].
Replacing the existing Crypto Assets and Cyber Unit, this new team of 30 fraud specialists will address not only cyber- and crypto-enabled fraud but also threats involving AI, machine learning, and social media fraud. This expansion reflects the SEC’s recognition of the evolving nature of financial fraud in the digital age.
9. US Coast Guard Faces Delayed Payments Amid Security Breach
The U.S. Coast Guard has announced delays in payments to over 1,100 personnel following a security breach.
“The US Coast Guard has delayed payments to more than 1,100 personnel while it investigates a security breach,” Aird stated at [02:05].
The breach was discovered by a junior petty officer who noticed unusual account activity, and it has led to the temporary shutdown of personnel and pay systems. This incident marks the Coast Guard’s second data breach within the past year, raising concerns about the agency’s cybersecurity defenses.
10. Japan’s Initiative for Active Cyber Defense
Japan’s Cabinet has proposed granting the country’s cyber forces the authority to conduct offensive operations in defense of critical infrastructure, a policy known as active cyber defence.
“The Japanese Cabinet of Ministries has proposed granting cyber forces the power to protect critical infrastructure with offensive cyber operations,” Aird noted at [02:20].
Modeled after strategies employed by some Western nations, the proposal is expected to pass through Parliament and would let Japan defend its critical infrastructure against cyber threats proactively rather than only reactively.
11. Meta Sues Hacker for Instagram Account Extortion
Meta Platforms is taking legal action against a Las Vegas resident for hacking and extorting Instagram users through a service called Unlocked for Life.
“Meta is suing a Las Vegas man for hacking and extorting Instagram users,” Aird reported at [02:35].
Idriss Qibaa allegedly operated Unlocked for Life, a service offering likes, followers, and the ability to disable and reinstate Instagram accounts. Users were reportedly banned through the service and then charged fees to regain access. Qibaa also faced DOJ charges in August for issuing death threats to those who refused to pay, underlining the severity of the alleged conduct.
12. Cybersecurity Professionals Express Job Dissatisfaction
A recent survey of the cybersecurity market reveals that nearly two-thirds of professionals are dissatisfied with their current roles and are contemplating a career change.
“A survey of the cybersecurity market has found that almost two-thirds of professionals are unsatisfied with their jobs and are actively considering a change,” Aird conveyed at [02:50].
Key factors behind this dissatisfaction include limited career progression and reluctance to accept return-to-office mandates. The survey also found significant variability in pay among respondents with comparable roles and experience levels, pointing to broader systemic issues within the industry.
Conclusion
The February 21, 2025 episode of Risky Bulletin provided an in-depth look at critical cybersecurity events and trends. From the disintegration of the Black Basta ransomware group and the abuse of Signal’s QR code linking feature by Russian hackers to the establishment of a new SEC unit addressing emerging technological threats, the episode underscored the dynamic and challenging nature of the cybersecurity field. The insights shared by Claire Aird serve as a valuable resource for professionals and enthusiasts seeking to stay informed about the latest developments in cybersecurity.
This summary is based on the transcript provided and aims to encapsulate the key points discussed in the podcast episode. For the most comprehensive understanding, listeners are encouraged to tune into the full episode of Risky Bulletin.
