The CyberWire Daily Podcast 11.21.24
Ep 2195 | 11.21.24

No more spinach for PopeyeTools.

Transcript

The feds take down the PopeyeTools cybercrime market. Five alleged Scattered Spider members have been charged. CISA warns of critical vulnerabilities in VMware’s vCenter Server. Global AI experts convene to discuss safety. MITRE updates its list of Top 25 Most Dangerous Software Weaknesses. US and Australian agencies warn critical infrastructure organizations about evolving tactics by the BianLian ransomware group. A new report looks at rising threats to the U.S. manufacturing industry. Researchers at ESET uncover the WolfsBane Linux backdoor. A pair of malicious Python packages impersonating ChatGPT went undetected for over a year. A data breach at a French hospital compromised the medical records of 750,000 patients. On our Industry Voices segment, guest Avihai Ben-Yossef, Cymulate’s Co-Founder and CTO, joins us to discuss "The Evolution and Outlook of Exposure Management." AI Pimping is the scourge of Instagram.

Today is Thursday November 21st 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The feds take down the PopeyeTools cybercrime market.

The U.S. has shut down the cybercrime marketplace PopeyeTools and unsealed charges against its administrators—Abdul Ghaffar, Abdul Sami, and Javed Mirza. The platform, active since 2016, facilitated cybercrimes by selling stolen financial and personal data, tools for fraud, and educational materials on cyberattacks. Authorities seized $283,000 in cryptocurrency tied to illicit operations and multiple domains, including PopeyeTools.com.

PopeyeTools served thousands of users worldwide, generating an estimated $1.7 million in revenue from stolen data belonging to over 227,000 individuals. Its offerings included payment card data, bank account details, phishing tools, and scam templates, priced as low as $30 per card. The platform even provided refund policies to maintain customer loyalty.

The administrators, based in Pakistan and Afghanistan, face charges carrying up to 10 years in prison, though no arrests have been made. Visitors to the seized domains now see a law enforcement notice.

Five alleged Scattered Spider members have been charged.

Five individuals—four Americans and one Brit—have been charged for their role in corporate data breaches and SIM swap-enabled cryptocurrency thefts. Allegedly part of the hacking group Scattered Spider (aka Octo Tempest), the group targeted companies like Caesars Entertainment and MGM Resorts, often collaborating with the Black Cat/ALPHV ransomware gang.

From 2021 to 2023, they ran SMS phishing (smishing) campaigns, tricking employees into revealing credentials by impersonating IT staff or sending fake password reset messages. These stolen credentials allowed access to sensitive corporate data, including personal and proprietary information. The group also carried out SIM swap attacks to gain control of victims’ phone numbers and cryptocurrency wallets, stealing millions in virtual currency.

The defendants face charges including wire fraud conspiracy, aggravated identity theft, and other crimes.

CISA warns of critical vulnerabilities in VMware’s vCenter Server.

CISA has issued a critical alert about two vulnerabilities in VMware’s vCenter Server: CVE-2024-38812, a heap-based buffer overflow, and CVE-2024-38813, a privilege escalation flaw. An attacker with network access to vCenter can use the first to execute code remotely and the second to gain root-level privileges, posing severe risks to virtualized environments. VMware has released updates and mitigations, with a remediation deadline of December 11, 2024. Organizations are urged to act promptly to avoid significant security breaches, given vCenter Server’s critical role in managing infrastructure.

Global AI experts convene to discuss safety.

President-elect Donald Trump has vowed to repeal President Joe Biden’s AI executive order, though specifics remain unclear. Meanwhile, global experts convened in San Francisco this week to discuss AI safety, focusing on combating deepfakes and fostering international collaboration. U.S. Commerce Secretary Gina Raimondo emphasized that safety promotes innovation and global trust in AI. The Biden administration’s AI Safety Institute has gained support from tech giants like Amazon and Microsoft, advocating voluntary standards over regulation.

While Trump criticizes Biden’s approach, his AI policies during his presidency also prioritized “trustworthy” AI, indicating some continuity in strategy. Experts believe AI safety efforts will likely persist regardless of leadership changes. Raimondo stressed that AI safety transcends politics, underscoring the importance of preventing AI misuse by malicious actors while fostering responsible innovation globally.

MITRE updates its list of Top 25 Most Dangerous Software Weaknesses.

MITRE has updated its CWE Top 25 Most Dangerous Software Weaknesses list, highlighting trends in software vulnerabilities. Cross-site scripting (XSS) now tops the list, followed by out-of-bounds write and SQL injection vulnerabilities. Other issues like CSRF, path traversal, and missing authorization rose in ranking, while flaws like incorrect default permissions and race conditions dropped off. New entries include exposure of sensitive information and uncontrolled resource consumption. CISA and MITRE urge organizations to adopt Secure by Design practices and integrate the CWE Top 25 into security processes to reduce vulnerabilities and enhance resilience.

US and Australian agencies warn critical infrastructure organizations about evolving tactics by the BianLian ransomware group.

US and Australian agencies have warned critical infrastructure organizations about evolving tactics by the BianLian ransomware group. Active since 2022, BianLian has shifted from double-extortion tactics to solely exfiltration-based extortion, threatening to leak stolen data if ransoms aren’t paid. The group, likely based in Russia, uses advanced techniques for initial access, persistence, and defense evasion, including exploiting public-facing applications, renaming binaries to evade detection, and exfiltrating data via FTP, Rclone, and Mega.

BianLian’s targets include U.S. critical infrastructure and Australian private enterprises, with recent attacks leveraging ProxyShell exploits and Ngrok for command and control. The FBI, CISA, and Australian Cyber Security Centre recommend measures like auditing remote access tools, restricting RDP use, limiting PowerShell access, and implementing application controls to mitigate risks. Organizations are urged to act swiftly to prevent breaches and data theft.

A new report looks at rising threats to the U.S. manufacturing industry.

The U.S. manufacturing industry, vital to the economy, faces rising cyber threats as it modernizes operations. A report from Abnormal Security notes that ransomware and advanced email attacks have surged, with phishing incidents increasing by 83% and business email compromise (BEC) attacks growing 56% between September 2023 and 2024. BEC schemes often exploit urgency to deceive employees, while vendor email compromise (VEC) attacks, up 24%, trick victims into paying fraudulent invoices.

High-profile attacks, such as Clorox’s $356 million loss from a ransomware incident and Orion’s $60 million stolen in fraudulent transfers, highlight the financial and operational risks. Attackers increasingly leverage AI to craft convincing emails, bypassing traditional defenses. Experts recommend adopting AI-driven email security solutions to detect anomalies and block advanced threats, safeguarding manufacturers’ operations and supply chains against costly disruptions.

Researchers at ESET uncover the WolfsBane Linux backdoor.

Researchers at ESET uncovered WolfsBane, a Linux backdoor attributed to the Gelsemium APT group, marking the group’s first known use of Linux malware. WolfsBane, the Linux counterpart to Gelsemium’s Windows-based Gelsevirine malware, is designed for cyberespionage: stealing sensitive data, maintaining persistence, and evading detection. Its advanced features include custom libraries for stealthy network communication and sophisticated command execution.

Alongside WolfsBane, researchers found FireWood, another Linux backdoor with possible ties to Gelsemium. This highlights a growing APT focus on Linux systems as attackers adapt to improved Windows defenses and the rise of Linux-based infrastructures. Organizations must strengthen cross-platform security strategies to counter these evolving threats.

A pair of malicious Python packages impersonating ChatGPT went undetected for over a year.

Two malicious Python packages impersonating tools for interacting with ChatGPT and Claude were discovered on PyPI, remaining undetected for over a year. Targeting developers eager to integrate AI tools, the packages mimicked legitimate libraries while embedding scripts to exfiltrate sensitive data, including API keys and credentials. This incident highlights the risks in open-source ecosystems and the challenges of securing repositories like PyPI. Developers are urged to audit dependencies, verify package authenticity, and adopt best practices to protect against such threats.

A data breach at a French hospital compromised the medical records of 750,000 patients.

A data breach at a French hospital compromised the medical records of 750,000 patients, exposing sensitive details like names, birthdates, addresses, and medical histories. The attacker, known as ‘nears,’ claimed access to over 1.5 million patient records across multiple French hospitals through a compromised MediBoard account. Softway Medical Group, the provider of MediBoard software, clarified that the breach resulted from stolen credentials, not software vulnerabilities.

The attacker is selling access to MediBoard accounts for several hospitals, including sensitive healthcare and billing information, and patient record modification capabilities. While the exposed data hasn’t been sold yet, it could be leaked online, increasing risks of phishing and social engineering. The affected hospitals belong to Aléo Santé, suggesting a single privileged account breach led to widespread access. Softway emphasized the attack exploited standard software functionality, not errors in implementation.


We’ve got our Industry Voices segment next. Cymulate’s Co-Founder and CTO Avihai Ben-Yossef joins us to discuss "The Evolution and Outlook of Exposure Management." After that, hear about new developments in the booming AI Pimping industry.

We’ll be right back.

Welcome back.

AI Pimping is the scourge of Instagram.

And finally, 404 Media and Wired explain the bizarre world of AI pimping. On Instagram, AI-generated influencers are taking over, using the stolen videos and likenesses of real models and adult content creators. These digital imposters slap AI-generated faces onto human bodies, creating eerily realistic content that’s used to drive traffic to dating sites, Patreon alternatives, and apps. Known as “AI influencers,” they’re created with off-the-shelf tools, promoted with guides like AI Influencer Accelerator, and monetized on platforms like Fanvue and OnlyFans competitors.

The scale is staggering. Investigations uncovered over 1,000 AI-generated accounts, some explicitly identifying as “virtual models,” while others deceive users by hiding their AI origins. Creators like “Chloe Johnson” amassed large followings and posted deepfake videos using stolen content from real creators such as TikTok models and runway shows. These accounts sell explicit content while pretending to be original creators, causing harm to the real people whose likenesses they exploit.

Real influencers like Elaina St. James say they’re now competing with bots that have flooded Instagram, tanking their engagement metrics. Reporting impersonators doesn’t help; Instagram often penalizes the whistleblowers instead. St. James noted that creators already struggle under Instagram’s harsh moderation rules, which disproportionately affect adult content creators and make impersonation even harder to combat.

Critics argue Instagram benefits from this mess. The platform profits from engagement with these accounts, whether real or bot-driven, by selling ads against the traffic. Without stricter controls, experts warn this AI-driven content explosion could reshape social media, making authentic human influencers a shrinking minority.

Influencing used to be about personality. Now it’s about having the best AI-generated cheekbones money can buy.

And that’s the CyberWire.


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.