Claire Aird
The Black Basta ransomware group implodes, Russian military hackers target Signal with QR codes, Microsoft patches a Power Pages zero-day, and Meta sues a man who hacked accounts and extorted users. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 21st of February, and this podcast episode is brought to you by RAD Security.

A Black Basta ransomware internal group chat has been leaked online, security firm Prodaft told Risky Biz. The anonymous leak occurred after a Black Basta affiliate attacked a Russian bank. The leak includes almost 200,000 messages sent over a year until late 2024. The group is an offshoot of the old Conti gang and launched in early 2022. Prodaft says Black Basta ceased operations this year after multiple internal conflicts.

In other news, Russian military hackers are abusing Signal's QR code device pairing feature. Russia's Sandworm group is inviting victims into Signal group chats that contain malicious QR codes. If scanned, the QR codes pair a target's account to a Russian device, allowing Sandworm operators to surveil communications, according to Google. The campaign has targeted individuals in Ukraine's government and military. Russian forces have also linked Signal accounts of Ukrainian soldiers captured on the battlefield to their own devices and use them for further Signal phishing.

Three security firms say malware used by Chinese APT crews was also used in ransomware attacks across 15 countries. The tools are versions of PlugX and ShadowPad, which are complex backdoors often used by Chinese APTs over the last decade. The two malware strains were deployed to hacked networks before the ransomware was activated. The ransomware payloads used in the attacks included RA World and a new strain named NailaoLocker.

Microsoft has patched a zero-day vulnerability in its Power Pages website builder. The vulnerability had been exploited in the wild. It allowed threat actors to register privileged accounts on websites built using the tool. Microsoft did not provide further details about the attacks, but said affected customers have been notified.

Threat actors are chaining three exploits together to hack Palo Alto Networks' firewalls. Two of the bugs were patched last week and the first was patched in November. GreyNoise initially spotted the attacks and Palo Alto Networks subsequently uncovered the full exploit chain.

CISA has warned that old-school ransomware group Ghost is still active and launching attacks. The agency said the group is now targeting Microsoft Exchange and ColdFusion servers in addition to its go-to favourite of Fortinet devices. The attacks against ColdFusion use two 15-year-old vulnerabilities, which somehow they can still find targets for. The China-based group emerged in 2021 and has hacked organisations in more than 70 countries.

Mobile security firm iVerify has found traces of the Pegasus spyware on 11 devices. The infections were discovered amongst 18,000 customer devices iVerify scanned in December. Earlier in 2024, seven other devices scanned by iVerify showed signs of Pegasus infections.

A new U.S. Securities and Exchange Commission team will be tasked with protecting investors in emerging technologies. Known as the Cyber and Emerging Technologies Unit, the team will replace the SEC's existing Crypto Assets and Cyber Unit. It will be staffed by 30 fraud specialists. The unit will continue to cover cyber and crypto-enabled fraud, but will also include AI, machine learning and social media fraud.

The US Coast Guard has delayed payments to more than 1,100 personnel while it investigates a security breach. The breach was discovered after a junior petty officer noticed strange activity in their account last week. Personnel and pay systems have been taken offline while the Coast Guard investigates the incident. This is the Coast Guard's second data breach in the last year.

The Japanese Cabinet of Ministries has proposed granting cyber forces the power to protect critical infrastructure with offensive cyber operations, known as active cyber defence. The approach has been adopted by some Western countries. The proposal has been forwarded to Parliament, where it's expected to pass.

Meta is suing a Las Vegas man for hacking and extorting Instagram users. The company claims Idriss Qibaa ran Unlocked for Life, an online service that sold likes, followers and the ability to disable and then reinstate Instagram accounts. Qibaa allegedly used the service to ban users and charge fees to restore their accounts. The service also supported other social networks such as Twitter, YouTube, TikTok, Snapchat and Telegram. The DOJ also charged Qibaa in August last year for sending death threats to victims who refused to pay.

And finally, a survey of the cybersecurity market has found that almost two-thirds of professionals are unsatisfied with their jobs and are actively considering a change. The study found that dissatisfaction with career progression was the key issue for many respondents. Displeasure with return-to-office mandates also featured heavily in the survey responses. The same Artico Search and IANS study also found that pay varied wildly among respondents, regardless of roles and experience.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, RAD Security. Find them at RAD Security. Thanks for your company.
Risky Bulletin: Black Basta Implodes, Internal Chats Leak Online
Hosted by risky.biz
Release Date: February 21, 2025
Introduction
In the latest episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on the most pressing cybersecurity developments. From the implosion of a notorious ransomware group to sophisticated cyber attacks targeting critical infrastructure, the episode covers a wide array of topics that are shaping the cybersecurity landscape. Below is a detailed summary of the key discussions, insights, and conclusions presented in this episode.
1. Black Basta Ransomware Group Implodes and Internal Chats Leaked
At the outset, Claire Aird reports on the dramatic downfall of the Black Basta ransomware group. According to security firm Prodaft, an internal group chat containing nearly 200,000 messages sent over a year was leaked online following an affiliate's attack on a Russian bank.
“A Black Basta ransomware internal group chat has been leaked online,” Aird stated at [00:10], highlighting the scale and significance of the leak.
Black Basta, an offshoot of the infamous Conti gang, was launched in early 2022 but ceased operations in 2024 due to internal conflicts. The leak provides unprecedented insight into the group's operations, strategies, and eventual disintegration.
2. Russian Military Hackers Exploit Signal’s QR Code Feature
A significant portion of the episode delves into the malicious activities of Russian military hackers, specifically the Sandworm group, who are exploiting Signal’s QR code pairing feature.
“Russia's Sandworm group is inviting victims into Signal group chats that contain malicious QR codes,” Aird explained at [00:20], detailing how scanning these codes pairs the victim's Signal account with a Russian-controlled device, allowing attackers to surveil communications.
This sophisticated phishing tactic has primarily targeted individuals within Ukraine’s government and military, enabling Russian forces to intercept and monitor sensitive communications. Additionally, captured Ukrainian soldiers’ Signal accounts have been hijacked for further phishing attempts.
3. Chinese APT Malware Utilized in Global Ransomware Attacks
The podcast further explores how malware associated with Chinese Advanced Persistent Threat (APT) groups, such as PlugX and ShadowPad, has been repurposed in ransomware campaigns across 15 countries.
“Three security firms say malware used by Chinese APT crews was also used in ransomware attacks across 15 countries,” Aird reported at [00:35].
These complex backdoors were stealthily deployed to compromised networks, laying the groundwork for ransomware payloads like RA World and the emerging NailaoLocker. This convergence of espionage tools and ransomware underscores an evolving threat landscape in which nation-state tooling is leveraged for financial gain.
4. Microsoft Patches Zero-Day Vulnerability in Power Pages
In a critical security update, Microsoft has patched a zero-day vulnerability in its Power Pages website builder.
“Microsoft patches a Power Pages zero-day,” Aird informed listeners at [00:50].
This vulnerability had been actively exploited, allowing threat actors to register privileged accounts on websites built with Power Pages. While Microsoft has not disclosed the specifics of the attacks, affected customers have been notified to take necessary precautions.
5. Exploit Chaining Targets Palo Alto Networks Firewalls
Palo Alto Networks firewalls have become targets of a sophisticated exploit chain involving three separate vulnerabilities.
“Threat actors are chaining three exploits together to hack Palo Alto Networks' firewalls,” Aird announced at [01:05].
Two of these vulnerabilities were recently patched, with the first discovered in November. GreyNoise initially spotted the attacks, and Palo Alto Networks subsequently uncovered the full exploit chain, highlighting the ongoing arms race between cybersecurity firms and malicious actors.
6. Ghost Ransomware Group Remains Active
The Ghost ransomware group remains a persistent threat, as highlighted by CISA.
“CISA has warned that old-school ransomware group Ghost is still active and launching attacks,” Aird conveyed at [01:20].
Ghost is expanding its targets to include Microsoft Exchange and ColdFusion servers, in addition to its traditional focus on Fortinet devices. Notably, the group continues to exploit two 15-year-old vulnerabilities in ColdFusion, demonstrating the enduring risk posed by unpatched legacy systems.
7. Pegasus Spyware Detected on Multiple Devices
Mobile security firm iVerify has identified traces of the notorious Pegasus spyware on 11 devices from a scan of 18,000 customer devices conducted in December.
“Mobile security firm iVerify has found traces of the Pegasus spyware on 11 devices,” Aird reported at [01:35].
This follows earlier detections in 2024, indicating that despite efforts to curb its spread, Pegasus continues to infiltrate devices, posing significant privacy and security risks to users worldwide.
8. SEC Establishes Cyber and Emerging Technologies Unit
In a move to bolster investor protection, the U.S. Securities and Exchange Commission (SEC) is forming a new Cyber and Emerging Technologies Unit.
“A new U.S. Securities and Exchange Commission team will be tasked with protecting investors in Emerging Technologies,” Aird explained at [01:50].
Replacing the existing crypto assets and cyber unit, this new team of 30 fraud specialists will not only address cyber and crypto-enabled fraud but also encompass threats related to AI, machine learning, and social media fraud. This expansion reflects the SEC’s recognition of the evolving nature of financial fraud in the digital age.
9. US Coast Guard Faces Delayed Payments Amid Security Breach
The U.S. Coast Guard has announced delays in payments to over 1,100 personnel following a security breach.
“The US Coast Guard has delayed payments to more than 1,100 personnel while it investigates a security breach,” Aird stated at [02:05].
Discovered by a junior petty officer noticing unusual account activity, the breach has led to the temporary shutdown of personnel and pay systems. This incident marks the Coast Guard’s second data breach within the past year, raising concerns about the agency’s cybersecurity defenses.
10. Japan’s Initiative for Active Cyber Defense
The Japanese Cabinet of Ministries has proposed granting cyber forces the authority to protect critical infrastructure with offensive cyber operations, an approach known as active cyber defence.
“The Japanese Cabinet of Ministries has proposed granting cyber forces the power to protect critical infrastructure with offensive cyber operations,” Aird noted at [02:20].
Modeled after strategies employed by some Western nations, this initiative is expected to pass through Parliament, enhancing Japan’s capability to defend its critical infrastructure against cyber threats proactively.
11. Meta Sues Hacker for Instagram Account Extortion
Meta Platforms is taking legal action against a Las Vegas resident for hacking and extorting Instagram users through a service called Unlocked for Life.
“Meta is suing a Las Vegas man for hacking and extorting Instagram users,” Aird reported at [02:35].
Idriss Qibaa allegedly operated Unlocked for Life, a service that sold likes, followers, and the ability to disable and reinstate Instagram accounts. Users were reportedly banned through the service and then charged fees to regain access. Additionally, Qibaa faced DOJ charges in August for issuing death threats to those who refused to pay, underlining the severity of his alleged conduct.
12. Cybersecurity Professionals Express Job Dissatisfaction
A recent survey of the cybersecurity market reveals that nearly two-thirds of professionals are dissatisfied with their current roles and are contemplating a career change.
“A survey of the cybersecurity market has found that almost two-thirds of professionals are unsatisfied with their jobs and are actively considering a change,” Aird conveyed at [02:50].
Key factors contributing to this dissatisfaction include limited career progression and reluctance towards return-to-office mandates. Additionally, the survey highlighted significant variability in pay among respondents, irrespective of their roles and experience levels, pointing to broader systemic issues within the industry.
Conclusion
The February 21, 2025 episode of Risky Bulletin provided an in-depth round-up of critical cybersecurity events and trends. From the disintegration of the Black Basta ransomware group and the exploitation of Signal's QR code pairing feature by Russian hackers to the establishment of a new SEC unit addressing emerging technological threats, the episode underscored the dynamic and challenging nature of the cybersecurity field. The insights shared by Claire Aird serve as a valuable resource for professionals and enthusiasts seeking to stay informed about the latest developments in cybersecurity.
This summary is based on the transcript provided and aims to encapsulate the key points discussed in the podcast episode. For the most comprehensive understanding, listeners are encouraged to tune into the full episode of Risky Bulletin.