{"id":11443,"date":"2024-03-09T07:00:00","date_gmt":"2024-03-09T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/russian-hackers-breach-microsoft-source-code-blackcats-exit-scam-and-other-cybersecurity-events\/"},"modified":"2024-03-09T07:00:00","modified_gmt":"2024-03-09T05:00:00","slug":"russian-hackers-breach-microsoft-source-code-blackcats-exit-scam-and-other-cybersecurity-events","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/russian-hackers-breach-microsoft-source-code-blackcats-exit-scam-and-other-cybersecurity-events\/","title":{"rendered":"Russian Hackers Breach Microsoft Source Code, BlackCat&#8217;s Exit Scam, and Other Cybersecurity Events"},"content":{"rendered":"<p>We have compiled the most important cybersecurity news of the week.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Microsoft reported Russian hackers accessed its source code repositories.<\/li>\n<li>The US imposed sanctions on operators of the Predator spyware.<\/li>\n<li>Media reports suggest the BlackCat ransomware gang executed an exit scam, blaming &#8220;the feds.&#8221;<\/li>\n<li>The Russian Ministry of Internal Affairs procured systems to deanonymize Telegram users.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>Microsoft Reports Russian Hackers Accessed Source Code Repositories<\/strong><\/h2>\n<p>The Russian hacker group Midnight Blizzard used certain &#8220;secrets&#8221; obtained from a <a href=\"https:\/\/u1f987.com\/en\/news\/major-data-breach-uncovered-trickbot-developer-sentenced-and-other-cybersecurity-events\">recent breach of Microsoft<\/a> to gain <a href=\"https:\/\/msrc.microsoft.com\/blog\/2024\/03\/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard\/\">further unauthorized access<\/a> to the company&#8217;s internal systems and source code repositories.<\/p>\n<p>The tech giant did not specify what information from corporate 
emails was used. Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code\/\">speculated<\/a> that it involved authentication tokens, <span data-descr=\"application programming interface\" class=\"old_tooltip\">API<\/span> keys, or credentials.<\/p>\n<p>Microsoft found no evidence of customer engagement systems being compromised.<\/p>\n<p>In a <span data-descr=\"US Securities and Exchange Commission\" class=\"old_tooltip\">SEC<\/span> <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/789019\/000119312524062997\/d808756d8ka.htm\">filing<\/a>, the company announced enhanced security measures and improved intercorporate coordination.<\/p>\n<p>The investigation into the incident and notification of affected parties are ongoing.<\/p>\n<h2 class=\"wp-block-heading\"><strong>US Imposes Sanctions on Predator Spyware Operators<\/strong><\/h2>\n<p>The <span data-descr=\"Office of Foreign Assets Control of the US Treasury\" class=\"old_tooltip\">OFAC<\/span> <a href=\"https:\/\/home.treasury.gov\/news\/press-releases\/jy2155\">sanctioned<\/a> two individuals and five entities linked to the development and distribution of the commercial spyware Predator.<\/p>\n<p>The individuals include Tal Jonathan Dilian, an Israeli national and founder of the Intellexa Consortium, and Sara Alexandra Faisal Hamu, a Polish corporate law specialist.<\/p>\n<p>The companies include:<\/p>\n<ul class=\"wp-block-list\">\n<li>Cytrox AD (North Macedonia);<\/li>\n<li>Cytrox Holdings ZRT (Hungary);<\/li>\n<li>Intellexa Limited (Ireland);<\/li>\n<li>Intellexa S.A. 
(Greece);<\/li>\n<li>Thalestris Limited (Ireland).<\/li>\n<\/ul>\n<p>The US authorities accuse them of spying on Americans, including government officials, political experts, journalists, and tech company executives.<\/p>\n<p>All US assets of the sanctioned individuals and companies are frozen, and local citizens are prohibited from engaging in any transactions with them.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Media: BlackCat Ransomware Gang Executes Exit Scam, Blames &#8220;The Feds&#8221;<\/strong><\/h2>\n<p>Operators of the ALPHV (BlackCat) ransomware announced the project&#8217;s closure, allegedly due to the FBI seizing their infrastructure, reports <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds\/\">Bleeping Computer<\/a>.<\/p>\n<p>The hackers posted an old banner about server confiscation by law enforcement on their leak site and put the malware&#8217;s source code up for sale for $5 million.<\/p>\n<p>While the FBI declined to comment, Europol and the <span data-descr=\"National Crime Agency of the UK\" class=\"old_tooltip\">NCA<\/span> (also mentioned on the banner) stated they were not involved in any recent disruptions to BlackCat&#8217;s infrastructure.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I also reached out to contacts at Europol and the NCA, and neither of them had any idea what I was even talking about and declined any sort of involvement. So again, this is a poor attempt by ALPHV\/BlackCat to hide their exit scam. Don&#8217;t fall for it.<\/p>\n<p>\u2014 Fabian Wosar (@fwosar) <a href=\"https:\/\/twitter.com\/fwosar\/status\/1765012408752378104?ref_src=twsrc%5Etfw\">March 5, 2024<\/a><\/p><\/blockquote>\n<p>Rumors of a possible exit scam emerged amid the shutdown of the leak site and negotiation servers. 
Additionally, a member of one of the gang&#8217;s affiliates claimed that BlackCat operators stole a $22 million ransom, allegedly obtained after hacking the medical platform Change Healthcare.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/ALPHV?src=hash&#038;ref_src=twsrc%5Etfw\">#ALPHV<\/a> scamming affiliates? $22M paid and withdrawn <a href=\"https:\/\/t.co\/0ocKoXNLme\">pic.twitter.com\/0ocKoXNLme<\/a><\/p>\n<p>\u2014 @ddd1ms <a href=\"https:\/\/twitter.com\/ddd1ms\/status\/1764639254016102410?ref_src=twsrc%5Etfw\">March 4, 2024<\/a><\/p><\/blockquote>\n<p>As evidence, they shared an <a href=\"https:\/\/www.blockchain.com\/explorer\/addresses\/btc\/14Q5xgBHAkWxDVrnHautcm4PPGmy5cfw6b\">address<\/a> where 350 BTC were previously deposited, later withdrawn in equal parts to eight external wallets.<\/p>\n<p>BlackCat has not commented on this claim.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Researchers Trick ChatGPT into Providing Bomb-Making Instructions<\/strong><\/h2>\n<p>A group of researchers <a href=\"https:\/\/arxiv.org\/abs\/2402.11753\">discovered a method<\/a> to bypass <span data-descr=\"large language models\" class=\"old_tooltip\">LLM<\/span> restrictions using ASCII characters.<\/p>\n<p>In the first stage of the attack, researchers replaced all mentions of a banned term in the query with the word &#8220;mask.&#8221; They then generated an ASCII image of the stop word and sent it in the chat.<\/p>\n<p>Next, the model was asked to replace &#8220;mask&#8221; in the query with the name of the depicted item and answer the question. The AI ignored all restrictions and provided a step-by-step guide.<\/p>\n<p>The attack was tested on ChatGPT by OpenAI, Gemini by Google, Claude by Anthropic, and Llama2 by Meta. 
From ChatGPT, researchers received advice on counterfeiting money and its distribution, as well as instructions on bomb-making.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Ukrainian Intelligence Claims Hack of Russian Defense Ministry Website<\/strong><\/h2>\n<p>On March 4, Ukraine&#8217;s <span data-descr=\"Main Intelligence Directorate of the Ministry of Defense\" class=\"old_tooltip\">GUR MO<\/span> <a href=\"https:\/\/gur.gov.ua\/content\/soft-shyfry-sekretni-dokumenty-kiberfakhivtsi-hur-zlamaly-minoborony-rosii.html\">gained access<\/a> to the servers of the Russian Ministry of Defense. Cyber specialists obtained software for information protection and encryption, as well as classified service documentation of the department.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/7XfvQpUZcB0wu-sfNVpxuAgsjEMUlELmnkul98pmfLQZSIi6cQ5zxE-8fJi3cX-l8oqpLPIEEOnuKcr-5Q4x1gQpT_2Ru_y9B9s65Y6To9GB_zrXzUmVAcSkpn823aLBqAoF-yvuNzWfF0te2iRNuZU\" alt=\"Russian Hackers Breach Microsoft Source Code, BlackCat's Exit Scam, and Other Cybersecurity Events\"\/><figcaption class=\"wp-element-caption\">Data: GUR MO Ukraine.<\/figcaption><\/figure>\n<p>Analysis of the obtained data helped identify the general staff and other senior leadership of the structural divisions of the Russian Ministry of Defense, according to GUR.<\/p>\n<p>As of <a href=\"https:\/\/gur.gov.ua\/content\/naslidky-kiberoperatsii-hur-sait-minoborony-rf-dosi-lezhyt.html\">March 5<\/a>, IP telephony, the official website of the department, and servers supporting the &#8220;Bureaucrat&#8221; electronic document management program were unavailable.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Russian Ministry of Internal Affairs Acquires Systems to Deanonymize Telegram Users<\/strong><\/h2>\n<p>In 2023, regional offices of the Ministry of Internal Affairs in Chechnya, the Amur Region, and the Kamchatka Territory signed state contracts for the supply of the 
&#8220;Insider&#8221; system, which allows the use of leaked databases to deanonymize Telegram users. This was reported by journalist Andrey Zakharov.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"ru\" dir=\"ltr\">Security forces and officials use leaked databases to deanonymize Telegram users. With budget money.<\/p>\n<p>A few months ago, I reported a credible case where security forces used a Telegram bot with personal data to deanonymize a person on Telegram. They identified and\u2026<\/p>\n<p>\u2014 Andrey Zakharov (@skazal_on) <a href=\"https:\/\/twitter.com\/skazal_on\/status\/1765302168247034306?ref_src=twsrc%5Etfw\">March 6, 2024<\/a><\/p><\/blockquote>\n<p>&#8220;Insider&#8221; matches leaked phone numbers with messenger IDs, allowing security forces to discover names, addresses, workplaces, and other user information. It also enables keyword searches in public chats.<\/p>\n<p>According to Zakharov, the &#8220;Insider&#8221; database currently contains over 76 million numbers. The module is part of a broader social media monitoring system, &#8220;Laplace&#8217;s Demon,&#8221; aimed at finding messages on specific topics.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-eu.googleusercontent.com\/WKdTj5dKwLOcxGv1G01TRWP3hs9vk1IcHlToozp_oErlMeA7SQfaHzvK_6Uwy4P92aCM0cLytsB_WOeth97LvjTwTdg1i6bjraFHMYY43LOW0IRNtYGZFZWnFv2QMzXb-Sf6rm5xyNufqf3B6roSwgg\" alt=\"Russian Hackers Breach Microsoft Source Code, BlackCat's Exit Scam, and Other Cybersecurity Events\"\/><figcaption class=\"wp-element-caption\">Fragment of the contract for the supply of &#8220;Laplace&#8217;s Demon&#8221; to the Ministry of Internal Affairs in Chechnya. Data: Andrey Zakharov&#8217;s blog.<\/figcaption><\/figure>\n<p>In addition to security forces, the governments of the Pskov and Oryol regions have shown interest in the system. 
On average, one license costs 500,000 rubles.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>In Argentina, the founder of the Braiscompany pyramid was arrested.<\/li>\n<li>Lena Network denied a $2.9 million rug pull.<\/li>\n<li>Spain temporarily banned Worldcoin&#8217;s activities.<\/li>\n<li>DeFi platform WOOFi lost $8.75 million in an attack.<\/li>\n<li>The darknet marketplace Incognito Market is suspected of an exit scam.<\/li>\n<li>Facebook, Instagram, and several other social networks experienced outages.<\/li>\n<li>Binance reported issues with withdrawals.<\/li>\n<li>Tether announced a USDT recovery tool.<\/li>\n<li>In February, losses from hacks and scams in crypto projects decreased to $67 million.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to Read Over the Weekend?<\/strong><\/h2>\n<p>We discuss the first computer AI virus.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have compiled the most important cybersecurity news of the week. Microsoft reported Russian hackers accessed its source code repositories. The US imposed sanctions on operators of the Predator spyware. 
Media reports suggest the BlackCat ransomware gang executed an exit scam, blaming &#8220;the feds.&#8221; The Russian Ministry of Internal Affairs procured systems to deanonymize Telegram [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":11442,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-11443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"18","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/11443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=11443"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/11443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/11442"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=11443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=11443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=11443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}