CyberWire Daily - No more spinach for PopeyeTools.
Episode Date: November 21, 2024

The feds take down the PopeyeTools cybercrime market. Five alleged Scattered Spider members have been charged. CISA warns of critical vulnerabilities in VMware's vCenter Server. Global AI experts convene to discuss safety. MITRE updates its list of Top 25 Most Dangerous Software Weaknesses. US and Australian agencies warn critical infrastructure organizations about evolving tactics by the BianLian ransomware group. A new report looks at rising threats to the U.S. manufacturing industry. Researchers at ESET uncover the WolfsBane Linux backdoor. A pair of malicious Python packages impersonating ChatGPT went undetected for over a year. A data breach at a French hospital compromised the medical records of 750,000 patients. On our Industry Voices segment, guest Avihai Ben-Yossef, Cymulate's Co-Founder and CTO, joins us to discuss "The Evolution and Outlook of Exposure Management." AI Pimping is the scourge of Instagram.

CyberWire Guest
On our Industry Voices segment, guest Avihai Ben-Yossef, Cymulate's Co-Founder and CTO, joins us to discuss "The Evolution and Outlook of Exposure Management."

Resources:
Security Validation Essentials
Hertz Israel Reduced Cyber Risk by 81% within 4 Months with Cymulate
SecOps Roundtable: Security Validation and the Path to Exposure Management
Double Agent: Exploiting Pass-through Authentication Credential Validation in Azure AD

Selected Reading
US seizes PopeyeTools cybercrime marketplace, charges administrators (Bleeping Computer)
Five Charged in Scattered Spider Case (Infosecurity Magazine)
CISA Warns of VMware VCenter Vulnerabilities Actively Exploited in Attacks (Cyber Security News)
US Gathers Allies to Talk AI Safety as Trump's Vow to Undo Biden's AI Policy Overshadows Their Work (SecurityWeek)
MITRE Updates List of 25 Most Dangerous Software Vulnerabilities (SecurityWeek)
BianLian Ransomware Group Adopts New Tactics, Posing Significant Risk (Infosecurity Magazine)
Manufacturing Sector Under Siege: Industry Faces Wave of Advanced Email Attacks (Abnormal Security)
Gelsemium APT Hackers Attacking Linux Servers With New WolfsBane Malware (Cyber Security News)
Two PyPI Malicious Packages Mimic ChatGPT & Claude, Steal Developers' Data (GB Hackers)
Cyberattack at French hospital exposes health data of 750,000 patients (Bleeping Computer)
Inside the Booming 'AI Pimping' Industry (404 Media)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K.
The feds take down the PopeyeTools cybercrime market. Five alleged Scattered Spider members have been charged. CISA warns of critical vulnerabilities in VMware's vCenter Server. Global AI experts convene to discuss safety. MITRE updates its list of Top 25 Most Dangerous Software Weaknesses. U.S. and Australian agencies warn critical infrastructure organizations about evolving tactics by the BianLian ransomware group. A new report looks at rising threats to the U.S. manufacturing industry. Researchers at ESET uncover the WolfsBane Linux backdoor. A pair of malicious Python packages impersonating ChatGPT went undetected for over a year. A data breach at a French hospital compromises the medical records of 750,000 patients. On our Industry Voices segment, our guest Avihai Ben-Yossef, Cymulate's co-founder and CTO, joins us to discuss the evolution and outlook of exposure management. And AI pimping is the scourge of Instagram.
It's Thursday, November 21st, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.

The U.S. has shut down the cybercrime marketplace PopeyeTools and unsealed charges against its administrators, Abdul Ghaffar, Abdul Sami, and Javed Mirza. The platform, active since 2016, facilitated cybercrimes by selling stolen financial and personal data, tools for fraud, and educational materials on cyberattacks. Authorities seized $283,000 in cryptocurrency tied to illicit operations and multiple domains, including PopeyeTools.com. PopeyeTools served thousands of users worldwide, generating an estimated $1.7 million in revenue from stolen data belonging to over 227,000 individuals. Its offerings included payment card data, bank account details, phishing tools, and scam templates priced as low as $30 per card. The platform even provided refund policies to maintain customer loyalty. The administrators, based in Pakistan and Afghanistan, face charges carrying up to 10 years in prison, though no arrests have been made. Visitors to the seized domains now see a law enforcement notice.
Five individuals, four Americans and one Brit, have been charged for their role in corporate data breaches and SIM swap-enabled cryptocurrency thefts. Allegedly part of the hacking group Scattered Spider, also known as Octo Tempest, the group targeted companies like Caesars Entertainment and MGM Resorts, often collaborating with the BlackCat/ALPHV ransomware gang. From 2021 to 2023, they conducted phishing campaigns, tricking employees into revealing credentials by impersonating IT staff or sending fake password reset messages. These stolen credentials allowed access to sensitive corporate data, including personal and proprietary information. The group also carried out SIM swap attacks to gain control of victims' phone numbers and cryptocurrency wallets, stealing millions in virtual currency. The defendants face charges including wire fraud conspiracy, aggravated identity theft, and other crimes.
CISA has issued a critical alert about two vulnerabilities in VMware's vCenter Server. The first is a heap-based buffer overflow, and the second is a privilege escalation flaw. Both vulnerabilities allow attackers with network access to execute remote code or gain root-level privileges, posing severe risks to virtualized environments. VMware has released updates and mitigations, with a remediation deadline from CISA of December 11th of this year. Organizations are urged to act promptly to avoid significant security breaches, given vCenter Server's critical role in managing infrastructure.
President-elect Donald Trump has vowed to repeal President Joe Biden's AI executive order,
though specifics remain unclear. Meanwhile, global experts convened in San Francisco this week to
discuss AI safety, focusing on combating deepfakes and fostering international collaboration.
U.S. Commerce Secretary Gina Raimondo emphasized that safety promotes innovation and global trust in AI.
The Biden administration's AI Safety Institute has gained support from tech giants like Amazon and Microsoft, advocating voluntary standards over regulation.
While Trump criticizes Biden's approach, his AI policies during his presidency also prioritized trustworthy AI, indicating some continuity in strategy. Experts believe AI safety efforts will likely persist regardless of leadership changes. Raimondo stressed that AI safety transcends politics, underscoring the importance of preventing AI misuse by malicious actors while fostering responsible innovation globally.
MITRE has updated its CWE Top 25 Most Dangerous Software Weaknesses list, highlighting trends in software vulnerabilities. Cross-site scripting now tops the list, followed by out-of-bounds write and SQL injection vulnerabilities. Other issues like CSRF, path traversal, and missing authorization rose in ranking, while flaws like incorrect default permissions and race conditions dropped off. New entries include exposure of sensitive information and uncontrolled resource consumption. CISA and MITRE urge organizations to adopt secure-by-design practices and integrate the CWE Top 25 into security processes to reduce vulnerabilities and enhance resilience.
U.S. and Australian agencies have warned critical infrastructure organizations about evolving tactics by the BianLian ransomware group. Active since 2022, BianLian has shifted from double extortion tactics to solely exfiltration-based extortion, threatening to leak stolen data if ransoms aren't paid. The group, likely based in Russia, uses advanced techniques for initial access, persistence, and defense evasion, including exploiting public-facing applications, renaming binaries to evade detection, and exfiltrating data via FTP, Rclone, and Mega. BianLian's targets include U.S. critical infrastructure and Australian private enterprises, with recent attacks leveraging ProxyShell exploits and Ngrok for command and control. The FBI, CISA, and the Australian Cyber Security Centre recommend measures like auditing remote access tools, restricting RDP use, limiting PowerShell access, and implementing application controls to mitigate risks. Organizations are urged to act swiftly to prevent breaches and data theft.
The U.S. manufacturing industry, vital to the economy, faces rising cyber threats as it modernizes operations. A report from Abnormal Security notes that ransomware and advanced email attacks have surged, with phishing incidents increasing by 83% and business email compromise attacks growing 56% between September of 2023 and 2024. BEC schemes often exploit urgency to deceive employees, while vendor email compromise attacks, up 24%, trick victims into paying fraudulent invoices. High-profile attacks, such as Clorox's $356 million loss from a ransomware incident and Orion's $60 million stolen in fraudulent transfers, highlight the financial and operational risks. Attackers increasingly leverage AI to craft convincing emails, bypassing traditional defenses. Experts recommend adopting AI-driven email security solutions to detect anomalies and block advanced threats, safeguarding manufacturers' operations and supply chains against costly disruptions.
Researchers at ESET uncovered WolfsBane, a Linux backdoor attributed to the Gelsemium APT group, marking their first known Linux malware use. WolfsBane, a counterpart to Gelsemium's Windows-based Gelsevirine malware, is designed for cyber espionage, targeting sensitive data, maintaining persistence, and evading detection. Its advanced features include custom libraries for stealthy network communication and sophisticated command execution. Alongside WolfsBane, researchers found FireWood, another Linux backdoor with possible ties to Gelsemium. This highlights a growing APT focus on Linux systems as attackers adapt to improved Windows defenses and the rise of Linux-based infrastructures. Organizations must strengthen cross-platform security strategies to counter these evolving threats.
Two malicious Python packages impersonating tools for interacting with ChatGPT and Claude were discovered on PyPI, remaining undetected for over a year. Targeting developers eager to integrate AI tools, the packages mimicked legitimate libraries while embedding scripts to exfiltrate sensitive data, including API keys and credentials. This incident highlights the risks in open-source ecosystems and the challenges of securing repositories like PyPI. Developers are urged to audit dependencies, verify package authenticity, and adopt best practices to protect against these sorts of threats.

A data breach at a French hospital compromised the medical records of 750,000 patients, exposing sensitive details like names, birthdates, addresses, and medical histories. The attacker, known as NIRS, claimed access to over 1.5 million patient records across multiple French hospitals through a compromised Mediboard account. Softway Medical Group, the provider of Mediboard software, clarified that the breach resulted from stolen credentials, not software vulnerabilities. The attacker is selling access to Mediboard accounts for several hospitals, including sensitive healthcare and billing information and patient record modification capabilities. While the exposed data hasn't been sold yet, it could be leaked online, increasing risks of phishing and social engineering. The affected hospitals belong to Aléo Santé, suggesting a single privileged account breach led to widespread access. Softway emphasized the attack exploited standard software functionality, not errors in implementation.
Coming up after the break, my conversation with Avihai Ben-Yossef from Cymulate. We're discussing the evolution and outlook of exposure management. And AI pimping is the scourge of Instagram. Stay with us.

Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already
been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Avihai Ben-Yossef is the co-founder and CTO at Cymulate. In today's sponsored Industry Voices segment, we discuss the evolution and outlook of exposure management.
So today we're talking about exposure management,
the evolution and outlook when it comes to that.
How do you describe what exactly exposure management is?
Well, I would like to even start with kind of expanding on those two words, which is, I think, like even the Gartner kind of definition is continuous threat exposure management. So we usually kind of shorten it down. You know, nobody wants to say so many words, but they do give more into what is exposure management. So first of all, it is a continuous process of identifying exposures, but the whole idea of continuous threat exposure management is not stopping there. It's not only about identifying the exposure, it's understanding the threat behind these exposures, or the potential threat behind these exposures. And the idea that it's a process, identifying is not the only thing out there. You need to also prioritize the different exposures, which is pretty much a very key factor in the CTEM program, the prioritization of those different exposures. And then once you have prioritized, you know, you're going to the next phase, which is validation. It's actually, you know, understanding that these exposures are indeed the most critical ones, that are the most relevant to the threats that, you know, you're concerned with, or that are more relevant to you. You can validate whether or not any security controls that you have deployed are compensating controls to an exposure. That's really what the validation phase means.

It really puts that validation piece as a very key component, because a lot of the security around our environment is based on security controls. We invest a lot into security controls, and that's a key component in exposure management. Your efforts in the security controls as part of your security and exposure management is just, it's not always so easy, but like how much are your security controls, you know, on average really adding to your security posture or your security in general? And the numbers are there. The numbers show that a fine-tuned security control, a well-deployed security control, is a very large multiplier of your security. So this entire process, the idea is really to give the ability for security teams to manage the whole process of the real exposure in your environment, in your company, and therefore kind of creating that cycle, that loop, proactively. And at the end, the goal is, of course, to reduce risk in the most efficient and smart way that you can get out of it.
And what does that look like?
I mean, for someone who engages with a company like yours or one of the many companies who provide this, how exactly does it work?
There were a lot of different approaches to implement exposure management. Some of them took different paths, and we took, I think, a very unique path. I believe that we've chosen to kind of focus on that validation stage. And what we've also understood is most exposure management platforms out there are more focused on identifying the exposures. But what we saw is there is a very big gap. And the gap was that all of those companies, they identify exposures in their environment, but they're not taking into account that they've already built a lot of different kinds of defenses, or compensating controls, as I like to call them, around these exposures. And if you don't take those compensating controls into account, then your whole prioritization is off. The last stage is mobilization, which is actually to take action on those exposures. That will be off as well. And we're kind of going and still staying in the old generation, okay? But we want to jump to the next generation. We want to understand and provide context of the full picture. And what we've seen is that when you add that layer of defenses that they have already built around their environmental exposures, everything is shuffled. The entire prioritization changes, all of the program changes, and then what I've seen in this market and with the users is that that reduces a lot of frustration. When you want to manage your exposures, take control of this process and really get the most out of it. But in order to do that, you really need to see the whole picture. I think that's what our approach comes with, and that's why we believe that the validation stage is a very key factor in this program.

And I know you advocate a multi-step approach here. Can we go through that step by step and describe why that's important?
Exposure management is like a multi-step program. So the first step would be what we call scoping. So that would be the first step of understanding the perimeter of, you know, of the exposure management: like, what do we want to see, what are we concerned with, what is the size of the team? We need to take that into account. There is also a capacity that you can actually meet. Then there is the discovery stage, which we believe, uh, you know, there are a lot of different kinds of exposure discovery products out there. They're all doing a great job. We believe in integration, so we are integrating with those products to actually ingest all of the different exposures. The next one will be that validate stage, which is what we are very good at. That's our moat. And that's where that next layer of security defenses everybody has built, companies are spending millions of dollars on different kinds of preventive or detective security controls that are deployed to stop threats and attacks. And once you have that data and you actually simulate attacks and validate which one of those actually succeed or not, this can bring another layer into that equation. The next one would be analyzing all of that data. Once you analyze it, start correlating, because there are a lot of relations between the security controls that you have deployed, the actual exposures that exist in your environment, maybe the threat landscape that changes all the time. And then once you analyze all of that data, you can create a very contextual exposure prioritization program and really reduce a lot of background noise, a lot of different noise, maybe things that you don't need to handle because you have the right things in place. Reduce that noise, focus on what matters most, and go to that next step, which is to actually remediate. You can even remediate in different ways. You can fine-tune a security control. You can patch a vulnerability, upgrade a library. There are different things you can do, but once you take that very multi-step approach and you contextualize it and correlate between all of the different things, you can even offer various remediation activities, because that's it. It's not binary anymore. It's all a multi-layer approach at that point.
Is AI playing a role in exposure management these days?
For sure, yeah. So I would even say that's what I also believe, that, you know, AI is taking, I would say, probably is taking roles in a lot of things, but in exposure management, it can definitely help a lot. So first thing, AI is something that really helps scoping. It's not always so clear to everybody what are the threats that they should be more concerned of, or which are the areas, or what is the capacity that they can handle. AI can be a really good helper in the scoping area, which is like the first stage of the exposure management. But not only that, AI can help with exposure management strategy. It's very useful for creating a validation strategy and a validation plan. We use AI to generate attacks from building blocks. So it's not like a full red teamer creating new attacks from scratch, but he has a lot of building blocks that we have built for him, and he can start to mix and match between those building blocks to create a very specific attack simulation.
What are your recommendations for folks who want to go down this path?

is not to look at the exposure management cycle as like a very linear program, like step one, step two, step three, step four, step five. No, you can definitely start with step three if you want to, and then go back to two and one and to four and five, because that's a cycle, okay? The idea is it's a continuous threat exposure. It never ends. You can definitely start with one of the stages that you feel most comfortable in right now. You can start somewhere and then, you know, really from that point, create the methodology and the program around it.

That's Avihai Ben-Yossef from Cymulate.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, 404 Media and Wired explain the bizarre world of AI pimping. On Instagram, AI-generated influencers are taking over, using the stolen videos and likenesses of real models and adult content creators. Digital imposters slap AI-generated faces onto real human bodies, creating eerily realistic content that's used to drive traffic to dating sites, Patreon alternatives, and apps. Known as AI influencers, they're created with off-the-shelf tools, promoted with guides like AI Influence Accelerator, and monetized on platforms like Fanvue and OnlyFans competitors. The scale is staggering. Investigations uncovered over 1,000 AI-generated accounts, some explicitly identifying as virtual models, while others deceive users by hiding their AI origins. Creators like Chloe Johnson amassed large followings and posted deepfake videos using stolen content from real creators, such as TikTok models and runway shows. These accounts sell explicit content while pretending to be original creators, causing harm to the real people whose likenesses they exploit. Real influencers like Elena St. James say they're now competing with bots that have flooded Instagram, tanking their engagement metrics. Reporting impersonators doesn't help. Instagram often penalizes the whistleblowers instead. St. James noted that creators already struggle under Instagram's harsh moderation rules, which disproportionately affect adult content creators and make impersonation even harder to combat. Critics argue Instagram benefits from this mess. The platform profits from engagement with these accounts, whether real or bot-driven, by selling ads against the traffic. Without stricter controls, experts warn, this AI-driven content explosion could reshape social media, making authentic human influencers a shrinking minority. Influencing used to be about personality. Now it's about having the best AI-generated cheekbones money can buy.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.