
Netizen: Monday Security Brief (3/3/2024)

Today’s Topics:

  • Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme
  • Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations
  • How can Netizen help?

Microsoft Uncovers Cybercriminal Network Behind AI Abuse Scheme

Microsoft has identified and exposed a cybercrime network responsible for illicitly accessing and manipulating Azure OpenAI services to generate harmful content. The operation, dubbed LLMjacking, involves cybercriminals who hijacked API keys and exploited stolen credentials to bypass AI safety mechanisms, ultimately selling unauthorized access to malicious actors.

Microsoft has been tracking this cybercrime operation under the name Storm-2139, revealing that the group accessed AI services through compromised credentials scraped from public sources. The actors modified the capabilities of Microsoft’s Azure OpenAI services and resold access, providing customers with tools and instructions to generate illicit content, including non-consensual intimate images and other harmful synthetic media.

This discovery comes as part of an ongoing legal battle against AI abuse, with Microsoft securing a court order to take down aitism[.]net, a website central to the group’s operations. The company is pursuing legal action against multiple individuals involved in the scheme.

Microsoft named four individuals linked to Storm-2139, spanning multiple countries:

  • Arian Yadegarnia (“Fiz”) – Iran
  • Alan Krysiak (“Drago”) – United Kingdom
  • Ricky Yuen (“cg-dot”) – Hong Kong, China
  • Phát Phùng Tấn (“Asakuri”) – Vietnam

Additionally, Microsoft has identified two individuals based in the U.S., withholding their identities due to ongoing criminal investigations. The network consists of creators who develop AI abuse tools, providers who distribute and modify them, and end users who exploit AI for malicious purposes.

Several other unnamed individuals across the U.S., Europe, Russia, Turkey, and Latin America have also been linked to the operation.

Microsoft’s Digital Crimes Unit (DCU) continues to collaborate with law enforcement and regulatory bodies to combat AI abuse. The exposure of Storm-2139 serves as a warning to cybercriminals attempting to weaponize AI for illegal purposes.

As AI technology evolves, organizations must prioritize security measures to prevent unauthorized access, ensure compliance with usage policies, and mitigate the risks associated with AI-driven cybercrime.


Chinese APT Exploits VPN Vulnerability to Infiltrate Global OT Organizations


A Chinese state-sponsored hacking group has been exploiting a vulnerability in Check Point’s security gateways to breach operational technology (OT) organizations worldwide. The cyber espionage campaign, attributed with low confidence to APT41 (also known as Winnti), has primarily targeted supply chain manufacturers in the aerospace and aviation sectors.

The attackers leveraged CVE-2024-24919, a high-severity path traversal vulnerability in Check Point security gateways. This flaw, disclosed and patched in May 2024, allows unauthenticated attackers to read restricted files and extract password hashes. Once cracked, these credentials enable full control over affected systems, allowing the threat actors to move laterally across networks and escalate privileges.
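As an added illustration (not code from the brief or from Check Point), the following Python shows the detection side of the path traversal class described above: it normalizes request paths the way a gateway must (percent-decoding, including double encoding, and backslashes), resolves `..` segments, and flags requests that climb out of the web root or resolve to a credential file. The log lines and the file watchlist are constructed for the example; the vulnerable endpoint itself is not modelled.

```python
from urllib.parse import unquote

# Constructed watchlist for this example (not a vendor IoC list): files a
# web-facing gateway should never serve to a client.
CREDENTIAL_FILES = ("/etc/shadow", "/etc/passwd")

def normalize(raw_path: str) -> str:
    """Strip the query, percent-decode until stable (double encoding), unify slashes."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def resolve(path: str) -> tuple:
    """Collapse '.'/'..' segments; count how many '..' climb above the root."""
    escapes, parts = 0, []
    for seg in path.split("/"):
        if seg == ".." and parts:
            parts.pop()
        elif seg == "..":
            escapes += 1
        elif seg not in ("", "."):
            parts.append(seg)
    return escapes, "/" + "/".join(parts)

def classify(raw_path: str) -> str:
    """'traversal' if the path escapes the root, 'sensitive-file' if it lands on a credential file, else 'ok'."""
    escapes, resolved = resolve(normalize(raw_path))
    findings = ["traversal"] if escapes else []
    if resolved.endswith(CREDENTIAL_FILES):
        findings.append("sensitive-file")
    return "+".join(findings) or "ok"

# Constructed access-log lines in a simplified "METHOD PATH STATUS" form.
SAMPLE_LOG = """\
GET /clients/index.html 200
POST /app/../../../../../../etc/shadow 200
GET /docs/%252e%252e/%252e%252e/etc/shadow 404
GET /images/../logo.png 200
"""

def scan_log(text: str) -> list:
    """Return (path, verdict) for every logged request that is not clean."""
    paths = [line.split()[1] for line in text.splitlines()]
    return [(p, classify(p)) for p in paths if classify(p) != "ok"]
```

Note that `/images/../logo.png` is deliberately not flagged: the `..` never leaves the root, which is why the check resolves paths instead of pattern-matching on `..`.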

Check Point researchers observed that the hackers installed the modular ShadowPad backdoor after gaining access. While there was no evidence of disruptive activity, the primary goal appears to be exfiltrating intellectual property from high-value OT organizations.

The campaign has impacted dozens of organizations across the U.S., Latin America, Europe, the Middle East, and Africa. Notably, 20% of identified victims were based in Mexico. Many of the targeted companies supply critical aerospace and aviation manufacturers, making them attractive targets for espionage.

However, the attackers did not limit themselves to a single industry. Utilities, finance companies in Africa, and smaller OT organizations were also compromised. Some of these may have been secondary targets, exploited as stepping stones to gain access to more valuable networks.

While large manufacturers are often assumed to be primary targets, Check Point researchers found that many victims were small businesses with limited cybersecurity resources. These companies often lack dedicated security personnel and may rely on a single IT employee to handle security, infrastructure, and other responsibilities.

As a result, many small OT organizations fail to apply patches promptly, making them easy targets for advanced persistent threats (APTs). The attackers capitalize on these weaknesses, gaining footholds in supply chains that connect to larger, more secure entities.

The breach highlights the urgent need for better cybersecurity measures within OT environments, particularly among smaller manufacturers. Organizations using Check Point security gateways should ensure they have applied the latest patches and monitor for indicators of compromise (IoCs).

Additionally, OT organizations must adopt proactive security practices, including network segmentation, regular vulnerability assessments, and endpoint detection and response (EDR) solutions to detect and prevent lateral movement within compromised networks.

As advanced threat actors continue to exploit known vulnerabilities, organizations—large and small—must prioritize security hygiene to mitigate the risk of cyber espionage.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 


Copyright © Netizen Corporation. All Rights Reserved.