Dave Buettner
You're listening to the Cyberwire network, powered by N2K.
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s, and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row. All of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business to make it official today at legalzoom.com. You can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services LLC.
The Feds take down the PopeyeTools cybercrime market. Five alleged Scattered Spider members have been charged. CISA warns of critical vulnerabilities in VMware's vCenter Server. Global AI experts convene to discuss safety. MITRE updates its list of top 25 most dangerous software weaknesses. US and Australian agencies warn critical infrastructure organizations about evolving tactics by the BianLian ransomware group. A new report looks at rising threats to the US manufacturing industry. Researchers at ESET uncover the Wolfsbane Linux backdoor.
A pair of malicious Python packages impersonating ChatGPT went undetected for over a year. A data breach at a French hospital compromises the medical records of 750,000 patients. On our Industry Voices segment, our guest, Avihai Ben Yosef, Cymulate's co-founder and CTO, joins us to discuss the evolution and outlook of exposure management. And AI pimping is the scourge of Instagram.
It's Thursday, November 21st, 2024. I'm Dave Buettner and this is your Cyberwire intel briefing.
The U.S. has shut down the cybercrime marketplace PopeyeTools and unsealed charges against its administrators Abdul Ghaffar, Abdul Same and Javed Mirza. The platform, active since 2016, facilitated cybercrimes by selling stolen financial and personal data, tools for fraud and educational materials on cyberattacks. Authorities seized $283,000 in cryptocurrency tied to illicit operations and multiple domains, including PopeyeTools.com. PopeyeTools served thousands of users worldwide, generating an estimated $1.7 million in revenue from stolen data belonging to over 227,000 individuals. Its offerings included payment card data, bank account details, phishing tools and scam templates priced as low as $30 per card. The platform even provided refund policies to maintain customer loyalty. The administrators, based in Pakistan and Afghanistan, face charges carrying up to 10 years in prison, though no arrests have been made. Visitors to the seized domains now see a law enforcement notice.
Five individuals, four Americans and one British, have been charged for their role in corporate data breaches and SIM swap enabled cryptocurrency thefts. Allegedly part of the hacking group Scattered Spider, also known as Octo Tempest, the group targeted companies like Caesars Entertainment and MGM Resorts, often collaborating with the BlackCat/ALPHV ransomware gang.
From 2021 to 2023, they conducted phishing campaigns, tricking employees into revealing credentials by impersonating IT staff or sending fake password reset messages. These stolen credentials allowed access to sensitive corporate data, including personal and proprietary information. The group also carried out SIM swap attacks to gain control of victims' phone numbers and cryptocurrency wallets, stealing millions in virtual currency. The defendants faced charges including wire fraud, conspiracy, aggravated identity theft and other crimes.
CISA has issued a critical alert about two vulnerabilities in VMware's vCenter Server. The first is a heap-based buffer overflow and the second is a privilege escalation flaw. Both vulnerabilities allow attackers with network access to execute remote code or gain root-level privileges, posing severe risks to virtualized environments. VMware has released updates and mitigations, with a remediation deadline from CISA of December 11th of this year. Organizations are urged to act promptly to avoid significant security breaches, given vCenter Server's critical role in managing infrastructure.
President-elect Donald Trump has vowed to repeal President Joe Biden's AI executive order, though specifics remain unclear. Meanwhile, global experts convened in San Francisco this week to discuss AI safety, focusing on combating deepfakes and fostering international collaboration. US Commerce Secretary Gina Raimondo emphasized that safety promotes innovation and global trust in AI. The Biden administration's AI Safety Institute has gained support from tech giants like Amazon and Microsoft, advocating voluntary standards over regulation. While Trump criticizes Biden's approach, his AI policies during his presidency also prioritize trustworthy AI, indicating some continuity in strategy. Experts believe AI safety efforts will likely persist regardless of leadership changes.
Raimondo stressed that AI safety transcends politics, underscoring the importance of preventing AI misuse by malicious actors while fostering responsible innovation globally.
MITRE has updated its CWE Top 25 Most Dangerous Software Weaknesses list, highlighting trends in software vulnerabilities. Cross-site scripting now tops the list, followed by out-of-bounds write and SQL injection vulnerabilities. Other issues like CSRF, path traversal and missing authorization rose in ranking, while flaws like incorrect default permissions and race conditions dropped off. New entries include exposure of sensitive information and uncontrolled resource consumption. CISA and MITRE urge organizations to adopt secure by design practices and integrate the CWE Top 25 into security processes to reduce vulnerabilities and enhance resilience.
US and Australian agencies have warned critical infrastructure organizations about evolving tactics by the BianLian ransomware group, active since 2022. BianLian has shifted from double extortion tactics to solely exfiltration-based extortion, threatening to leak stolen data if ransoms aren't paid. The group, likely based in Russia, uses advanced techniques for initial access, persistence and defense evasion, including exploiting public-facing applications, renaming binaries to evade detection and exfiltrating data via FTP, Rclone and Mega. BianLian's targets include US critical infrastructure and Australian private enterprises, with recent attacks leveraging ProxyShell exploits and ngrok for command and control. The FBI, CISA and Australian Cyber Security Centre recommend measures like auditing remote access tools, restricting RDP use, limiting PowerShell access and implementing application controls to mitigate risks. Organizations are urged to act swiftly to prevent breaches and data theft.
The US manufacturing industry, vital to the economy, faces rising cyber threats as it modernizes operations.
A report from Abnormal Security notes that ransomware and advanced email attacks have surged, with phishing incidents increasing by 83% and business email compromise attacks growing 56% between September of 2023 and 2024. BEC schemes often exploit urgency to deceive employees, while vendor email compromise attacks, up 24%, trick victims into paying fraudulent invoices. High-profile attacks such as Clorox's $356 million loss from a ransomware incident and Orion's $60 million stolen in fraudulent transfers highlight the financial and operational risks. Attackers increasingly leverage AI to craft convincing emails, bypassing traditional defenses. Experts recommend adopting AI-driven email security solutions to detect anomalies and block advanced threats, safeguarding manufacturers' operations and supply chains against costly disruptions.
Researchers at ESET uncovered Wolfsbane, a Linux backdoor attributed to the Gelsemium APT group, marking their first known Linux malware use. Wolfsbane, a counterpart to Gelsemium's Windows-based Gelsevirine malware, is designed for cyber espionage, targeting sensitive data, maintaining persistence and evading detection. Its advanced features include custom libraries for stealthy network communication and sophisticated command execution. Alongside Wolfsbane, researchers found Firewood, another Linux backdoor with possible ties to Gelsemium. This highlights a growing APT focus on Linux systems as attackers adapt to improved Windows defenses and the rise of Linux-based infrastructures. Organizations must strengthen cross-platform security strategies to counter these evolving threats.
Two malicious Python packages impersonating tools for interacting with ChatGPT and Claude were discovered on PyPI, remaining undetected for over a year. Targeting developers eager to integrate AI tools, the packages mimicked legitimate libraries while embedding scripts to exfiltrate sensitive data including API keys and credentials.
This incident highlights the risks in open source ecosystems and the challenges of securing repositories like PyPI. Developers are urged to audit dependencies, verify package authenticity and adopt best practices to protect against these sorts of threats.
A data breach at a French hospital compromised the medical records of 750,000 patients, exposing sensitive details like names, birth dates, addresses and medical histories. The attacker, known as NIRS, claimed access to over 1.5 million patient records across multiple French hospitals through a compromised Metaboard account. Softway Medical Group, the provider of Metaboard software, clarified that the breach resulted from stolen credentials, not software vulnerabilities. The attacker is selling access to Metaboard accounts for several hospitals, including sensitive healthcare and billing information and patient record modification capabilities. While the exposed data hasn't been sold yet, it could be leaked online, increasing risks of phishing and social engineering. The affected hospitals belong to Aleo Sante, suggesting a single privileged account breach led to widespread access. Softway emphasized the attack exploited standard software functionality, not errors in implementation.
Coming up after the break, my conversation with Avihai Ben Yosef from Cymulate. We're discussing the evolution and outlook of exposure management. And AI pimping is the scourge of Instagram. Stay with us.
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture.
KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. Get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000.
Avihai Ben Yosef is the co-founder and CTO at Cymulate. In today's sponsored Industry Voices segment, we discuss the evolution and outlook of exposure management.
So today we're talking about exposure management. The evolution and outlook when it comes to that. How do you describe what exactly exposure management is?
Avihai Ben Yosef
Well, I would like to even start with kind of even expanding on those two words which is I think like even the Gartner kind of definition is like continuous threat exposure management. So we usually kind of shorten it down. You know, nobody want to say so many words, but they do have some. They do give more into what is exposure matter. So first of all it is a continuous process of identifying exposures. But the whole idea of continuous threat exposure management is not stopping there. It's not only about identifying the exposure. It's, you know, it's understanding the threat behind these exposures or the positive, the potential threat behind these exposures. And the idea that it's a process, you know, identifying is not the only thing out there. You need to also, you know, prioritize the different exposure, which is pretty much a very key factor into like the CTEM program, the prioritization of those different exposures. And then once you have prioritized, you know, you're going to the next phase, which is validation. It's actually, you know, understanding that these exposures are indeed the most critical one that are the most relevant to the threats that, you know, you are concerned with or that are more relevant to you. You can validate is whether or not any security controls that you have deployed are compensated control to an exposure. That's really what the validation phase mean. It really puts that validation piece as a very key component. Because a lot of the security around our environment is based on security controls. We invest a lot into security control and that's a key component into exposure management. Your efforts in the security controls as part of your security and exposure management, it's just, it's not always so easy. But like, how much is your security controls, you know, in average, really adding to your security posture or your, or your security in general? And the numbers are there. 
The numbers show that, you know, a fine tuned security control, you know, a well deployed security control is a very large multiplier of your security. So this entire process, the idea is it's really to give the ability for security teams to manage the whole process of the real exposure in your environment, in your company, and therefore kind of, you know, creating that cycle, that loop proactively. And you know, at the end, the goal is of course to reduce risk in the most efficient and smart way that you can get out of.
Dave Buettner
And what does that look like? I mean, for someone who engages with a company like yours or one of the many companies who provide this, how exactly does it work?
Avihai Ben Yosef
There were a lot of different approaches to, like, implement exposure management. You know, some of them took different paths and we took, I think, a very unique path. I believe that we've chosen to kind of focus on that validation stage. And what we've also understood is that most exposure management platforms out there are more focusing on identifying the exposures. But what we saw is there is a very big gap. And the gap was that all of those companies, they identify exposures in their environment, but they're not taking into account that they've already built a lot of different kind of defenses or compensating controls, as I like to call them, around these exposures. And if you don't take those compensating controls into account, then your whole prioritization is off. Your whole, like, the last stage is mobilization, is actually, you know, to take action on those exposures. That will be off as well. And you're kind of going and still staying in the old generation. Okay, but we want to jump to the next generation, want to understand and provide context of the full picture. And what we've seen is that when you add that layer of defenses that they have already built around their environmental exposures, everything is shuffled, you know, the entire prioritization changes, all of the program changes. And then what I've seen, you know, in this market and with the users is that that reduces a lot of frustration when you want to manage your exposures, take control of this process and really get the most out of it. But in order to do that, you really need to see the whole picture. And I think that's what our approach comes with. And that's why we believe that the validation stage is like a very key factor in this program.
Dave Buettner
And I know you advocate a multi step approach here. Can we go through that step by step and, and describe why that's important?
Avihai Ben Yosef
The exposure management is like a multi step program. So the first step would be what they call, we call scoping. So probably the first step of understanding perimeter of the exposure management, like what do we want to see? What are we concerned? What is the size of the team? We need to take that into the account. There is also a capacity that you can actually meet. Then there is the discovery stage, which we believe there are a lot of different kind of exposure discovery products out there. They're all doing a great job. We believe in integration. So we are integrating with those products in order to actually ingest all of the different exposures. The next one would be that validate stage, which is what we are very good at. That's our, you know, that's our mode. And that's where, you know, that next layer of security defenses everybody has built. You know, companies are spending millions of dollars on different kind of preventive or you know, detective security controls that they deploy, you know, stop threats and attacks. And once you have that data and you know, you actually simulate attacks and validate which one of those actually succeed or not. This can bring another layer into that equation. The next one would be analyzing all of that data. So once you analyze it, start correlating because there are a lot of relations between the security controls that you have deployed the actual exposures that exist in your environment, maybe you know, the threat landscape that changes all the time. And then once you analyze all of that data, you can create a very contextual exposure, you know, prioritization program and really, you know, reduce a lot of like back noise, a lot of different noise, maybe things that you don't need to handle because you have the right things in place, reduce that noise, focus on what matters most and take then and go to that next step which is to actually remediate. You can even remediate in different ways. 
You can, you know, fine-tune a security control, you can, you know, patch a vulnerability, upgrade the library. There's different things you can do. But once you take that very, you know, multi-step approach and you contextualize it and correlate between all of the different things, you can even offer various remediation activities because that's it, it's not binary anymore, it's all on, you know, it's all a multi-layer approach at that point.
Dave Buettner
Is AI playing a role in exposure management these days?
Avihai Ben Yosef
For sure, yeah. So I would even say that's what I also believe, that, you know, AI is taking, I would say probably is taking roles in a lot of things, but in exposure management it can definitely help a lot. So first thing, AI is something that really helps scoping. You know, it's not always so clear to everybody, you know, what are the threats that they should be more concerned of or which are the areas or like how many, what is the capacity that they can handle? Like, AI can be a really good helper in the scoping area, which is like the first stage of the exposure management. But not only that, AI can help with, you know, with exposure management strategy. It's very useful for creating a validation strategy and a validation plan. We use AI to generate attacks from building blocks. So it's not like a, you know, a full red team or creating new attacks from scratch. But he has like a lot of building blocks that we have built for him and he can start, mix and match between those building blocks to create like a very specific attack simulation.
Dave Buettner
What are your recommendations for folks who want to go down this path?
Avihai Ben Yosef
It might be like a new concept, but it's still based on concept that they're already familiar with. So first of all, of course I believe that you need to jump into the water and not there's nothing to be scared of, it's things that you're already doing. But my recommendation is not to look at the exposure management cycle as like a very linear program like one, you know, step one, step two, step three, step four, step five. No, you can definitely start with step three if you want to, and then go back to two and one and to four and five because that's a cycle. Okay. It's the idea is it's a continuous threat exposure. It never ends. You can definitely start with one of the stages that you feel most comfortable in right now. You can start somewhere and then, you know, really from that point, create the methodology and the program around it.
Dave Buettner
That's Avihai Ben Yosef from Cymulate.
And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN, designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to www.nordpass.com/cyberwire for 35% off the NordPass business yearly plan. Don't miss out on that.
And finally, 404 Media and Wired explain the bizarre world of AI pimping on Instagram. AI-generated influencers are taking over, using the stolen videos and likenesses of real models and adult content creators. These digital imposters slap AI-generated faces onto real human bodies, creating eerily realistic content that's used to drive traffic to dating sites, Patreon alternatives and apps. Known as AI influencers, they're created with off-the-shelf tools, promoted with guides like AI Influence Accelerator and monetized on platforms like Fanview and OnlyFans competitors. The scale is staggering. Investigations uncovered over 1000 AI-generated accounts, some explicitly identifying as virtual models, while others deceive users by hiding their AI origins. Creators like Chloe Johnson amassed large followings and posted deepfake videos using stolen content from real creators such as TikTok models and runway shows. These accounts sell explicit content while pretending to be original creators, causing harm to the real people whose likenesses they exploit. Real influencers like Elena St. James say they're now competing with bots that have flooded Instagram, tanking their engagement metrics. Reporting impersonators doesn't help. Instagram often penalizes the whistleblowers instead. St. James noted that creators already struggle under Instagram's harsh moderation rules, which disproportionately affect adult content creators and make impersonation even harder to combat.
Critics argue Instagram benefits from this mess. The platform profits from engagement with these accounts, whether real or bot driven, by selling ads against the traffic. Without stricter controls, experts warn this AI-driven content explosion could reshape social media, making authentic human influencers a shrinking minority. Influencing used to be about personality. Now it's about having the best AI-generated cheekbones money can buy.
And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karpf. Simone Trella is our president, Peter Kilpie is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow.
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud.
Visit cloudflare.com to protect your business. Everywhere you do business.
CyberWire Daily Summary: "No More Spinach for PopeyeTools"
Release Date: November 21, 2024
Host: Dave Buettner | Powered by N2K Networks
Overview:
The U.S. authorities have dismantled the notorious cybercrime marketplace, PopeyeTools, which had been operational since 2016. This platform was a hub for illicit activities, facilitating the sale of stolen financial and personal data, fraud tools, and cyberattack educational materials.
Notable Quote:
“PopeyeTools served thousands of users worldwide, generating an estimated $1.7 million in revenue from stolen data belonging to over 227,000 individuals,” stated Dave Buettner at [05:45].
Overview:
Five individuals associated with the Scattered Spider hacking group have been charged for their roles in significant corporate data breaches and cryptocurrency thefts facilitated through SIM swap attacks.
Legal Proceedings:
The defendants face multiple charges, including wire fraud and conspiracy, with the potential for up to 10 years in prison. Despite the serious charges, arrests remain pending.
Notable Quote:
“These stolen credentials allowed access to sensitive corporate data, including personal and proprietary information,” Dave Buettner explained at [08:20].
Overview:
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding two significant vulnerabilities in VMware's vCenter Server: a heap-based buffer overflow and a privilege escalation flaw.
Notable Quote:
“CISA has issued a critical alert about two vulnerabilities in VMware's vCenter Server. Both vulnerabilities allow attackers with network access to execute remote code or gain root-level privileges,” Dave Buettner reported at [10:15].
Overview:
A global assembly of AI experts convened in San Francisco to address AI safety, focusing on combating deepfakes and fostering international collaboration. The conference highlighted differing perspectives on AI regulation between political factions.
Notable Quote:
“Safety promotes innovation and global trust in AI,” stated Gina Raimondo at [12:50].
Conclusion:
Experts predict that AI safety initiatives will persist regardless of political shifts, underscoring the universal importance of mitigating AI-related risks.
Overview:
MITRE has refreshed its CWE Top 25 Most Dangerous Software Weaknesses list, reflecting current trends in software vulnerabilities.
Recommendations:
CISA and MITRE advise organizations to adopt secure-by-design practices and integrate the CWE Top 25 into their security processes to mitigate vulnerabilities and enhance resilience.
Notable Quote:
“Cross site scripting now tops the list, followed by out of bounds write and SQL injection vulnerabilities,” Dave Buettner noted at [14:30].
Overview:
US and Australian cybersecurity agencies have issued warnings about the evolving tactics of the BianLian ransomware group, active since 2022.
Mitigation Strategies:
Agencies recommend auditing remote access tools, restricting RDP usage, limiting PowerShell access, and implementing application controls to mitigate risks.
Notable Quote:
“BianLian's targets include US critical infrastructure and Australian private enterprises,” Dave Buettner explained at [16:45].
Overview:
The US manufacturing sector, crucial to the economy, is experiencing a surge in cyber threats as it modernizes operations. A report by Abnormal Security highlights significant increases in ransomware, advanced email attacks, and phishing incidents.
Recommendations:
Experts advocate for adopting AI-driven email security solutions to detect anomalies and block advanced threats, thereby safeguarding manufacturing operations and supply chains.
Notable Quote:
“A fine-tuned security control is a very large multiplier of your security,” said Avihai Ben Yosef during the interview at [20:16].
Wolfsbane Linux Backdoor:
Researchers at ESET have uncovered Wolfsbane, a Linux backdoor attributed to the Gelsemium APT group. This marks their first known use of Linux malware, designed for cyber espionage by targeting sensitive data, maintaining persistence, and evading detection. Features include custom libraries for stealthy network communication and sophisticated command execution. Additionally, Firewood, another Linux backdoor, was found with potential ties to Gelsemium, indicating a strategic shift towards targeting Linux systems as defenses on Windows platforms strengthen.
Malicious Python Packages:
Two malicious Python packages impersonating tools for interacting with ChatGPT and Claude were discovered on PyPI, remaining undetected for over a year. These packages mimicked legitimate libraries while embedding scripts to exfiltrate sensitive data, including API keys and credentials. This incident underscores the vulnerabilities within open-source ecosystems and the challenges in securing repositories like PyPI.
Recommendations:
Developers are urged to audit dependencies, verify package authenticity, and adopt best practices to protect against such threats.
Notable Quote:
“Two malicious Python packages impersonating tools for interacting with ChatGPT and Claude were discovered on PyPI, remaining undetected for over a year,” reported Dave Buettner at [18:50].
Overview:
A significant data breach at a French hospital has compromised the medical records of 750,000 patients. The breach exposed sensitive details, including names, birth dates, addresses, and medical histories.
Notable Quote:
“The attacker is selling access to Metaboard accounts for several hospitals, including sensitive healthcare and billing information and patient record modification capabilities,” Dave Buettner highlighted at [19:50].
Guest:
Avihai Ben Yosef, Co-Founder and CTO at Cymulate, discusses the evolution and outlook of exposure management and the impact of AI in this domain.
Recommendations:
Organizations should view exposure management as a continuous, cyclical process rather than a linear one, allowing flexibility in addressing various stages based on current needs and capacities.
Overview:
Investigative reports by 404 Media and Wired reveal the emergence of AI pimping on Instagram, where AI-generated influencers are proliferating by exploiting the likenesses of real models and adult content creators.
Notable Quote:
“Influencing used to be about personality. Now it's about having the best AI-generated cheekbones money can buy,” highlighted Dave Buettner at [29:50].
This episode of CyberWire Daily delved into significant cybersecurity developments, from dismantling major cybercrime marketplaces to the evolving tactics of ransomware groups and the rising threats within critical industries like manufacturing and healthcare. The in-depth interview with Avihai Ben Yosef provided valuable insights into the future of exposure management, emphasizing the crucial role of AI in enhancing security measures. Additionally, the discussion on AI pimping on Instagram highlighted emerging challenges in the realm of social media security and authenticity. Staying informed and proactive remains paramount in navigating the complex cybersecurity landscape.
For more detailed insights and updates, visit The CyberWire.