Apr 12, 2024NewsroomCyber Attack / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft’s systems that led to the theft of email correspondence with the company.

The attack, which came to light earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems.

The emergency directive, which was originally issued privately to federal agencies on April 2, was first reported on by CyberScoop two days later.

“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said.

The agency said the theft of email correspondence between government entities and Microsoft poses severe risks, urging concerned parties to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.

It’s currently not clear how many federal agencies have had their email exchanges exfiltrated in the wake of the incident, although CISA said all of them have been notified.

The agency is also urging affected entities to perform a cybersecurity impact analysis by April 30, 2024, and provide a status update by May 1, 2024, 11:59 p.m. Other organizations that are impacted by the breach are advised to contact their respective Microsoft account team for any additional questions or follow up.

“Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multi-factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels,” CISA said.

The development comes as CISA released a new version of its malware analysis system, called Malware Next-Gen, that allows organizations to submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.

Mar 14, 2024NewsroomRansomware / Cyber Crime

A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation.

Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with “conspiring with others to intentionally damage protected computers and to transmit ransom demands in connection with doing so.”

News of Vasiliev’s jail term was first reported by CTV News.

The defendant, who had his home searched by Canadian law enforcement authorities in August and October 2022, is said to have kept a list of “prospective or historical” victims and screenshots of communications exchanged with “LockBitSupp” on the Tox messaging platform.

The raid also uncovered a text file with instructions to deploy LockBit ransomware, the ransomware source code, and a control panel used by the e-crime group to deliver the file-locking malware.

Vasiliev, according to CTV News, pleaded guilty to eight counts of cyber extortion, mischief, and weapons charges last month. During the sentencing, he was characterized by Justice Michelle Fuerst as a “cyber terrorist” who was “motivated by his own greed.”

He is believed to have become a cyber criminal while at home during the COVID-19 pandemic, attempting to seek ransom payments from three Canadian companies between 2021 and 2022 by stealing their data and holding it hostage.

Vasiliev, who has consented to being extradited to the U.S., has also been ordered to pay back more than $860,000 in restitution.

One of the most prolific ransomware groups in history, LockBit suffered a huge blow in February 2024, when its infrastructure was seized in a coordinated law enforcement operation. The disruption was accompanied by arrests of three LockBit affiliates in Poland and Ukraine.

Although the group reemerged with a new data leak site, there is evidence to suggest that the new victims being listed are either old or fake, designed to give an impression that the group is back up and running.

The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.

Ilya Lichtenstein, who pleaded guilty in August 2023 to the theft of about 120,000 bitcoin in connection to the hack of the Bitfinex cryptocurrency exchange, testified last month how he had used Bitcoin Fog 10 times to launder the virtual assets, Bloomberg reported.

“Bitcoin Fog was the longest-running cryptocurrency ‘mixer,’ gaining notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement,” the DoJ said.

“Over the course of its decade-long operation, Bitcoin Fog moved over 1.2 million bitcoin, which was valued at approximately $400 million at the time of the transactions.”