A recent SentinelOne study reveals that a threat group known as NullBulge has been carrying out financially motivated attacks on the software supply chain under the guise of hacktivism. The research, authored by SentinelLabs, profiles this emerging threat actor and its campaigns against AI- and gaming-focused organizations.
According to Jim Walter, a senior threat researcher at SentinelOne, NullBulge has been targeting organizations in the AI and gaming sectors by weaponizing code in publicly available repositories on platforms such as GitHub and Hugging Face. By luring victims into importing malicious libraries, or into installing mod packs used in gaming and modeling software, NullBulge has infiltrated a range of systems and networks.
The group, which first surfaced as early as April, presents itself as an anti-AI, pro-artist activist entity. Despite this hacktivist persona, SentinelLabs’ research has uncovered evidence that NullBulge’s activities are primarily driven by financial motives: the group has been found selling infostealer logs and OpenAI API keys on hacker forums, indicating a profit-driven agenda behind its actions.
Furthermore, NullBulge’s targets have not been limited to AI-related organizations. The group has also attacked religious entities such as the Fellowship of Companies for Christ International and How We Love, showing that the scope of its activity is broader than its stated cause. This suggests that NullBulge uses its hacktivist identity as a means to further its economic interests rather than acting for purely ideological reasons.
SentinelOne has characterized NullBulge’s approach as “poisoning the well”: injecting malicious code into legitimate software distribution channels to maximize its reach. The group exploits trusted platforms such as GitHub, Reddit, and Hugging Face to reach a broad audience and carry out its attacks effectively. Additionally, NullBulge uses customized LockBit ransomware builds to increase the impact of its intrusions.
Recent incidents attributed to NullBulge include supply chain attacks on AI tools and platforms, such as the compromise of a ComfyUI extension on GitHub named LLM Vision. The group plants Python-based payloads in seemingly legitimate software repositories to exfiltrate data from unsuspecting users, illustrating the danger its operations pose to anyone who installs code from these channels without vetting it.
Despite its use of custom LockBit builds and its focus on supply chain threats, NullBulge is considered a “low-sophistication actor” in SentinelOne’s assessment. This characterization stems from the group’s reliance on commodity malware and ransomware, using techniques that are relatively simple to execute but nonetheless effective in causing harm.
In conclusion, NullBulge represents a shift toward more accessible ransomware attacks, aimed at a niche market of AI-centric games and applications. Its methods of deploying malicious code and harvesting data underscore the evolving cybersecurity threat landscape, particularly in emerging sectors that are vulnerable to such attacks. As groups like NullBulge continue to pose a threat, organizations must remain vigilant and implement robust security measures to guard against breaches and data theft.
As the threat landscape evolves, cybersecurity professionals and businesses must stay ahead of emerging threats and take proactive steps to defend against actors like NullBulge. By understanding their tactics and motives, organizations can better equip themselves to mitigate risk and protect their data and assets from cyberattacks.