
Sentinel Labs blog has provided the following stories:

* Interpol-Led Operation Cracks Down on West African Cybercrime Syndicates - Operation Jackal III was a month-long law enforcement effort that involved 21 countries.  This week, Interpol reported some 300 arrests, the identification of over 400 suspects, 720 blocked bank accounts, and the seizure of $3 million in illicit funds, all to dismantle multiple criminal networks globally.  Among the affected crime syndicates, Black Axe has been a prominent plague in Africa and worldwide.  Their operations span human trafficking, drug smuggling, violent crimes, and significant cases of cyber fraud in which victims were forced to sell their homes as a result of the scams.  Believed to have been in operation for decades, Black Axe is closely linked to business email compromise (BEC) schemes, ‘romance’ fraud, and other identity scams.

In Argentina, authorities took down a Nigerian-based transnational criminal infrastructure using millions in ‘supernotes,’ counterfeit banknotes of very high quality, to open bank accounts in various countries in South America.  Portuguese authorities similarly dismantled another Nigerian group laundering funds from online scam victims across Europe.  The data found on the seized devices revealed a mass network of cryptocurrency transactions indicative of a sophisticated money laundering operation.[1]

The financial fraud industry in West Africa is dangerous and extensive, which makes the operation's success in curbing organized crime leaders' ability to grow and extend their reach all the more significant.  Cross-border collaboration continues to be instrumental in combating deep-rooted criminal networks.  Interpol currently has 196 member countries and works with national police forces to exchange intelligence and provide real-time access to databases, leading to more efficient arrests.

* Flaws in SAP AI Core Expose Sensitive Customer Data & Allow Service Takeovers - Cybersecurity researchers this week reported on five critical security flaws in SAP AI Core, a cloud-based platform for creating and deploying AI workflows, which could be exploited to access tokens and customer data.  The flaws, dubbed “SAPwned,” could allow attackers to infiltrate customers’ data and contaminate internal artifacts, potentially spreading to other services and environments.  Before being addressed by SAP, the flaws enabled unauthorized access to private artifacts and cloud credentials, including those for AWS, Microsoft Azure, and SAP HANA Cloud.  They also allowed modifications to Docker images on SAP’s internal registry and on Google Container Registry, opening the door to supply chain attacks on SAP AI Core services.

Attackers could also gain cluster administrator privileges on SAP AI Core’s Kubernetes cluster, leading to the theft of sensitive data such as AI models, datasets, and code, as well as manipulation of training data and model inference.  The issues stem from inadequate isolation and sandboxing mechanisms, which allowed malicious AI models and training procedures to run in shared environments.
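The practical lesson of the paragraph above is that a customer-submitted training job is arbitrary code, so the pod it runs in must be treated as hostile to the node and to the rest of the cluster.  The following is an added example, not code from SentinelLabs, SAP, or the SAPwned researchers, and it does not reproduce SAP’s actual configuration or fix (the page does not describe those).  It is a minimal admission-style checker, written against generic Kubernetes pod-spec fields, that flags the isolation controls a multi-tenant AI platform should require before running untrusted workloads.  The two pod specs embedded in it are constructed for illustration; the image names and the `/var/run` mount are assumptions, not values taken from the page.

```python
"""Isolation checks for pods that run customer-supplied AI training code.

Added example (not SAP's or SentinelLabs' code).  The rules below are
generic Kubernetes hardening assumptions for untrusted workloads, not
the specific weaknesses the SAPwned research reported.
"""
from typing import Any

Finding = tuple[str, str]  # (rule name, human-readable detail)


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Init containers and regular containers both run tenant code."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_untrusted_workload_pod(pod: dict[str, Any]) -> list[Finding]:
    """Return every isolation rule the pod violates; empty list means it passes."""
    spec = pod.get("spec", {})
    findings: list[Finding] = []

    # Sharing host namespaces collapses the tenant boundary into the node.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append((key, "host namespace sharing must be disabled"))

    # hostPath exposes node files (runtime sockets, kubelet creds) to the tenant.
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(("hostPath", f"volume {vol.get('name')!r} mounts {path!r} from the node"))

    # A mounted service-account token is the usual step from "code execution
    # in one pod" to "API access to the cluster".  Kubernetes defaults it to true.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("automountServiceAccountToken", "must be false for untrusted workloads"))

    for c in _containers(spec):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(("privileged", f"container {name!r} is privileged"))
        if sc.get("allowPrivilegeEscalation", True):  # default is true
            findings.append(("allowPrivilegeEscalation", f"container {name!r} must set it to false"))
        if not sc.get("runAsNonRoot"):
            findings.append(("runAsNonRoot", f"container {name!r} must set runAsNonRoot: true"))
        if caps.get("drop") != ["ALL"]:
            findings.append(("capabilities", f"container {name!r} must drop ALL capabilities"))
        if caps.get("add"):
            findings.append(("capabilities", f"container {name!r} adds {caps['add']}"))
        if sc.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(("seccompProfile", f"container {name!r} must use a seccomp profile"))
    return findings


def is_admissible(pod: dict[str, Any]) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_untrusted_workload_pod(pod)


# Constructed sample: a training pod as it might be submitted with no controls.
WEAK_TRAINING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "tenant-a-train"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "node-run", "hostPath": {"path": "/var/run"}}],  # assumed
        "containers": [{
            "name": "trainer",
            "image": "registry.example.internal/tenant-a/trainer:latest",  # hypothetical
            "volumeMounts": [{"name": "node-run", "mountPath": "/host/run"}],
        }],
    },
}

# Constructed sample: the same job with the isolation controls applied.
HARDENED_TRAINING_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "tenant-a-train"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "trainer",
            "image": "registry.example.internal/tenant-a/trainer:1.4.2",  # hypothetical
            "volumeMounts": [{"name": "scratch", "mountPath": "/scratch"}],
            "securityContext": {
                "runAsNonRoot": True,
                "runAsUser": 10001,
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_TRAINING_POD), ("hardened", HARDENED_TRAINING_POD)):
        print(f"{label}: admissible={is_admissible(pod)}")
        for rule, detail in check_untrusted_workload_pod(pod):
            print(f"  - {rule}: {detail}")
```

These rules roughly track the "restricted" Pod Security Standard and are meant to be enforced by an admission controller rather than by tenants.  They address the pod-to-node boundary; the SAPwned findings also involved reach from a tenant workload to internal registries and cloud credentials, which additionally calls for network policy and for keeping registry and cloud secrets out of any namespace where tenant code runs.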

Since AI infrastructures require access to vast amounts of customer data, AI service providers are lucrative targets for attack.  As more organizations train and run models on shared cloud infrastructure, their exposure to tenant isolation weaknesses grows: accepting a customer’s training code is equivalent to letting that customer execute arbitrary code, so the sandbox boundary is the security boundary.  These findings follow the emergence of a new cybercriminal threat group, NullBulge, which targets AI- and gaming-focused entities through software supply chain attacks.  The rise in generative AI use has prompted companies to implement data loss prevention tools and other measures to mitigate risks.  Groups like NullBulge illustrate the ongoing threat of low-barrier ransomware and infostealer infections, now delivered by attacking unsecured AI workflows.


Image: NullBulge ransom note configuration

* FIN7 Sells Latest Version of EDR-Tampering Tool to Ransomware Operators on Dark Markets - The elusive and persistent Russia-linked threat group FIN7 uses multiple pseudonyms to mask its identity and develop its criminal operations across dark markets.  Alongside that research, SentinelLabs has discovered a new version of a highly specialized and popular tool called AvNeutralizer (aka AuKill), which is being marketed in the criminal underground.  This tool, initially developed by FIN7 to tamper with security solutions, can now leverage the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver) to disable endpoint solutions.


Image: AV killer advertisement by ‘goodsoft’, Google translated from RU

FIN7 has been active since 2013.  It was initially tied to financial fraud before expanding into ransomware, linking up with DarkSide, BlackMatter, and likely BlackCat.  The financially motivated outfit is also known for its sophisticated phishing and social engineering attacks, most notably through its fake security company, Bastion Secure, which hired unwitting developers and pen-testers for later attack campaigns.

SentinelLabs reports that AuKill was first used in BlackBasta ransomware attacks in 2022.  Since then, the tool has been used by several other ransomware operations, indicating widespread distribution.  The latest version of the tool now utilizes the Windows ProcLaunchMon.sys driver to hang processes, ultimately leading to a denial of service condition.  

Besides AuKill, the researchers identified additional custom tooling that is currently specific to FIN7.  Their arsenal includes Powertrash (a PowerShell backdoor), Diceloader (a lightweight backdoor), Core Impact (a commercial penetration testing toolkit), and an SSH-based backdoor.

SentinelLabs warns that FIN7’s continuous innovation in evading security measures and selling its tools poses a significant threat to enterprises globally.  The group’s advanced techniques and collaboration with other cybercriminals complicate attribution, demonstrating their sophisticated operational strategies.


This article is shared at no charge and is for educational and informational purposes only.

We want to thank Sentinel Labs for these cyber segments.  Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424


[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-29-6/
