Leaked chat logs reveal Black Basta Ransomware Group's inner workings, , a massive cyber attack targets VPN devices using 2. 1 million IPs, Ontario's RCMP dismantles major cyber fraud operations, and the Indiana Jones jailbreak this is cybersecurity today, and I'm your host, Jim Love. A significant leak of internal communications.
Has exposed the clandestine operations of the Black Basta Ransomware Group, offering an unprecedented look into the strategies and internal dynamics of this cybercriminal organization. The leaked data comprises approximately 200,000 Russian language messages exchanged between September. 23 and September 2024. These messages were released by an individual using the pseudonym Exploit Whispers, who claimed the disclosure was in retaliation for Black Basta's attacks on Russian banking institutions.
The logs provided detailed insights into the group's operational methods, including their use of malicious scripts, exploitation of Remote Desktop Protocol, or RDP, and Virtual Private Networks, VPN services, for unauthorized access and social engineering tactics, such as impersonating IT departments to deceive employees. The internal communications also reveal the significant discord within Black Bastia.
Members frequently engaged in disputes over operational strategies, compensation, and leadership decisions. Notably, the group's leader known by aliases such as Trump faced criticism for unilateral decision making and financial misconduct. The leader's decision to go after a Russian bank was widely criticized and hence led to this leak. One member described him bluntly. He's an idiot of course. This internal turmoil appears to have impacted the group's activities.
Reports indicate that Black Basta has been largely inactive since the beginning of 2025, with internal conflicts and technical challenges contributing to their decline. Some operators reported defrauding victims by accepting ransomware payments without providing functional decryption tools, further eroding trust within the cyber criminal community.
To help facilitate analysis of the leaked data, threat intelligence firm Hudson Rock has developed BlackBastaGPT, an AI chatbot that allows researchers to query the internal chats. The tool enables users to delve into the group's operations, tactics, financial transactions, and internal issues. I haven't had a lot of time to play with it yet, but it did answer a question about the dumbest things that anyone in the group had said.
For cyber security professionals, this leak offers valuable intelligence on the operational tactics and vulnerabilities of ransomware groups like Black Basta. A colossal cyber attack is currently underway with attackers employing approximately 2. 8 million unique IP addresses to breach virtual private network devices or other networking hardware. This large scale brute force attack aims to compromise devices from prominent vendors such as Palo Alto Networks, Ivanti and SonicWall.
The Shadow Server Foundation. A threat monitoring organization reports that this campaign has been active since January of 2025. The attackers are primarily utilizing compromised routers and Internet of Things devices, including those from MikroTik, Huawei, Cisco, BOA, and ZTE to execute the attacks. These devices have likely been infected with malware or accessed due to weak passwords.
Notably, a significant portion of the malicious IP addresses originate from Brazil with additional sources in Turkey, Russia, Argentina, Morocco, and Mexico. As most of you know, brute force attacks involve systematically attempting numerous username and password combinations to gain unauthorized access. But the scale and automation of the attack is huge and suggests the involvement of a vast botnet or residential proxy network complicating efforts to identify and block malicious IPs.
Founder of SustainedCyber emphasized the severity. A brute force attack with 2. 8 million IPs is next level. If attackers crack VPN credentials, they get direct access to corporate networks. It's not something to take lightly. The implications of this attack are profound. Compromised VPNs and security appliances can serve as gateways for further network infiltration, data theft, or deployment of additional malware. If you haven't done a review of your VPN and other devices, it may be time.
And while I like to think I know a little bit about this, I'll welcome suggestions from our listeners on what we do about attacks of this nature. In a significant crackdown, the Royal Canadian Mounted Police in Ontario have arrested two Toronto residents accused of defrauding hundreds of people out of millions of dollars.
The suspects allegedly employed sophisticated technology to impersonate officials from banks, government agencies, and law enforcement deceiving victims into surrendering their savings. iSpoof. cc was a website used by as many as 38, 000 subscribers worldwide to make unauthorized phone calls while displaying a caller ID falsely indicating they were legitimate callers.
This particular technology allowed criminals to purchase subscriptions in order to use the service to impersonate trusted corporations. The Toronto couple is believed to be among the top 50 most active subscribers in the world. The RCMP cyber crime investigative team executed search warrants at the suspect's residence, seizing numerous electronic devices, preliminary findings indicate at least 570 victims in Canada with expectations of uncovering more as the investigation progresses.
The fraudulent activities involved various spoofing, phishing, and smishing tactics. The accused, Chakib Mansuri and Manjuli Alua, faced multiple charges including fraud, unauthorized computer use, laundering proceeds of crime, unauthorized possession of credit card data, and possession of proceeds of crime. They were remanded into custody and appeared in court on February 21st, 2025. This operation underscores the importance of international collaboration in combating cybercrime.
The RCMP should get great credit for this, but they worked closely with agencies such as London Metropolitan Police, Dutch National Police, Europol, Eurojust, the Toronto Police, and Peel Regional Police. Inspector Lena Dobbit of the RCMP Cybercrime Investigative Team emphasized the devastating effect of such crimes on communities and urged Canadians to educate themselves on cyber safety.
In 2024, the Canadian Anti-Fraud Center received 49,432 reports accounting for 34,621 victims who collectively lost $638 million. And once again, the average number of these that go reported is about 10% of the total crimes that are out there. Canadians are encouraged to report suspicious fraud to the Canadian Anti Fraud Center. Their number will be in the show notes. You can write it down if you get a second.
1 888 495 8501 Researchers have unveiled a dialogue tool dubbed Indiana Jones that exposes significant vulnerabilities in large language models, like chat, GPT, and others, this technique can bypass built in safety filters, prompting these AI systems to produce content they are designed to restrict Developed by a team from the University of New South Wales and Nanyang Technological University, , Indiana Jones orchestrates interactions among three specialized LLMs.
By using historical figures as their starting point, they are able to fool all three models and bypass their controls. One of the senior authors of the paper said, our team has a fascination with history and some of us even study it deeply. During a casual discussion about infamous historical villains, we wondered, could LLMs be coaxed into teaching users how they became these figures?
Our curiosity led us to put this to the test, and we discovered that LLMs could indeed be jailbroken in this way. Their system guides the models through five rounds of dialogue, extracting information that should remain inaccessible. For example, entering bank robber prompts discussions about historical figures, gradually refining details until they align with modern contexts. The approach highlights a critical issue.
LLMs contain knowledge about malicious activities that can be extracted with the right prompt. As one of the researchers said, the key insights from our study is that successful jailbreak attacks exploit the fact that LLMs possess knowledge of malicious activities, knowledge they arguably shouldn't have learned in the first place. So this presents a challenge and an opportunity.
For commercial uses, perhaps smaller expert models that have more limited training sets can circumvent at least part of the risk. But in larger public models, Who gets to decide what we should and shouldn't be allowed to know about? Whether it's the Chinese removing Tiananmen Square or American governments telling me that transgender people don't exist, who do you trust as the guardian of truth?
Nevertheless, the Indiana Jones method demonstrates that despite efforts to put guardrails around AI models to keep them from executing malicious commands, they are far too easy to circumvent. And that's our show. You can reach me at editorial at technewsday. ca or on LinkedIn, or if you're watching this on YouTube, just leave me a comment under the video. I'm your host, Jim Love. Thanks for listening.