We have compiled the most important cybersecurity news of the week.
- Microsoft reported Russian hackers accessed its source code repositories.
- The US imposed sanctions on operators of the Predator spyware.
- Media reports suggest the BlackCat ransomware gang executed an exit scam, blaming “the feds.”
- The Russian Ministry of Internal Affairs procured systems to deanonymize Telegram users.
Microsoft Reports Russian Hackers Accessed Source Code Repositories
The Russian hacker group Midnight Blizzard used certain “secrets” obtained from a recent breach of Microsoft to gain further unauthorized access to the company’s internal systems and source code repositories.
The tech giant did not specify what information from corporate emails was used. Bleeping Computer speculated that it involved authentication tokens, API keys, or credentials.
Microsoft found no evidence of customer engagement systems being compromised.
In an SEC filing, the company announced enhanced security measures and improved coordination across the company.
The investigation into the incident and notification of affected parties are ongoing.
US Imposes Sanctions on Predator Spyware Operators
OFAC sanctioned two individuals and five entities linked to the development and distribution of the commercial spyware Predator.
The individuals include Tal Jonathan Dilian, an Israeli national and founder of the Intellexa Consortium, and Sara Alexandra Faisal Hamu, a Polish corporate law specialist.
The companies include:
- Cytrox AD (North Macedonia);
- Cytrox Holdings ZRT (Hungary);
- Intellexa Limited (Ireland);
- Intellexa S.A. (Greece);
- Thalestris Limited (Ireland).
The US authorities accuse them of spying on Americans, including government officials, political experts, journalists, and tech company executives.
All US assets of the sanctioned individuals and companies are frozen, and US persons are prohibited from engaging in any transactions with them.
Media: BlackCat Ransomware Gang Executes Exit Scam, Blames “The Feds”
Operators of the ALPHV (BlackCat) ransomware announced the project’s closure, allegedly due to the FBI seizing their infrastructure, reports Bleeping Computer.
The hackers posted an old banner about server confiscation by law enforcement on their leak site and put the malware’s source code up for sale for $5 million.
While the FBI declined to comment, Europol and the NCA (also mentioned on the banner) stated they were not involved in any recent disruptions to BlackCat’s infrastructure.
I also reached out to contacts at Europol and the NCA, and neither of them had any idea what I was even talking about and declined any sort of involvement. So again, this is a poor attempt by ALPHV/BlackCat to hide their exit scam. Don’t fall for it.
— Fabian Wosar (@fwosar) March 5, 2024
Rumors of a possible exit scam emerged amid the shutdown of the leak site and negotiation servers. Additionally, one of the gang’s affiliates claimed that BlackCat operators stole a $22 million ransom, allegedly obtained after hacking the medical platform Change Healthcare.
#ALPHV scamming affiliates? $22M paid and withdrawn
— @ddd1ms, March 4, 2024
As evidence, they shared an address where 350 BTC were previously deposited, later withdrawn in equal parts to eight external wallets.
BlackCat has not commented on this claim.
Researchers Trick ChatGPT into Providing Bomb-Making Instructions
A group of researchers discovered a method to bypass LLM restrictions using ASCII characters.
In the first stage of the attack, the researchers replaced every mention of a banned term in the query with the word “mask.” They then rendered the banned word as ASCII art and sent it in the chat.
Next, the model was asked to substitute the depicted word for “mask” in the query and answer the question. The AI ignored all restrictions and provided a step-by-step guide.
The attack was tested on ChatGPT by OpenAI, Gemini by Google, Claude by Anthropic, and Llama2 by Meta. From ChatGPT, the researchers obtained advice on counterfeiting money and distributing it, as well as bomb-making instructions.
Ukrainian Intelligence Claims Hack of Russian Defense Ministry Website
On March 4, Ukraine’s Defense Intelligence (GUR MO) gained access to the servers of the Russian Ministry of Defense. Cyber specialists obtained software for information protection and encryption, as well as classified service documentation of the department.
Analysis of the obtained data helped identify the general staff and other senior leaders of the structural divisions of the Russian Ministry of Defense, according to GUR.
As of March 5, IP telephony, the official website of the department, and servers supporting the “Bureaucrat” electronic document management program were unavailable.
Russian Ministry of Internal Affairs Acquires Systems to Deanonymize Telegram Users
In 2023, regional offices of the Ministry of Internal Affairs in Chechnya, the Amur Region, and the Kamchatka Territory signed state contracts for the supply of the “Insider” system, which allows the use of leaked databases to deanonymize Telegram users. This was reported by journalist Andrey Zakharov.
Security forces and officials use leaked databases to deanonymize Telegram users. With budget money.
A few months ago, I reported a credible case where security forces used a Telegram bot with personal data to deanonymize a person on Telegram. They identified and…
— Andrey Zakharov (@skazal_on) March 6, 2024
“Insider” matches leaked phone numbers with messenger IDs, allowing security forces to discover names, addresses, workplaces, and other user information. It also enables keyword searches in public chats.
According to Zakharov, the “Insider” database currently contains over 76 million numbers. The module is part of a broader social media monitoring system, “Laplace’s Demon,” aimed at finding messages on specific topics.
In addition to security forces, the governments of the Pskov and Oryol regions have shown interest in the system. On average, one license costs 500,000 rubles.
Also on ForkLog:
- In Argentina, the founder of the Braiscompany pyramid was arrested.
- Lena Network denied a $2.9 million rug pull.
- Spain temporarily banned Worldcoin’s activities.
- DeFi platform WOOFi lost $8.75 million in an attack.
- The darknet marketplace Incognito Market is suspected of an exit scam.
- Facebook, Instagram, and several other social networks experienced outages.
- Binance reported issues with withdrawals.
- Tether announced a USDT recovery tool.
- In February, losses from hacks and scams in crypto projects decreased to $67 million.
What to Read Over the Weekend?
We discuss the first computer AI virus.
