CyberWire Daily - W3LL runs dry.

Episode Date: April 13, 2026

The FBI disrupts a multi-million-dollar phishing ring. A North Korea-linked supply chain attack hits OpenAI. Developers face a Slack phishing campaign. A critical Python notebook flaw is exploited in hours. ShinyHunters target Rockstar Games. A Japanese shipping firm reports a breach. Tracking the cybersecurity winners and losers in Trump’s 2027 budget, plus a claimed cyberattack on UAE infrastructure. Business breakdown. Our guest is Justin Kohler, Chief Product Officer at SpecterOps, discussing Identity Attack Path Management. Crackdowns at home push scam networks abroad.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On today’s Industry Voices, we are joined by Justin Kohler, Chief Product Officer at SpecterOps, discussing Identity Attack Path Management. If you enjoyed this conversation, tune into the full interview here.

Selected Reading
FBI Dismantles $20m Phishing Operation W3LL (Infosecurity Magazine)
The cyber winners and losers in Trump’s 2027 budget (CSO Online)
Handala carries out unprecedented cyberattack against critical UAE Infrastructure (PressTV)
OpenSSF Flags Malware Campaign on Slack Posing as Linux Foundation Figures (HackRead)
OpenAI Impacted by North Korea-Linked Axios Supply Chain Hack (SecurityWeek)
Critical Marimo pre-auth RCE flaw now under active exploitation (Bleeping Computer)
GTA-maker Rockstar Games hacked again but downplays impact (BBC)
NYK alerts on data breach in bunker fuel procurement system (Manifold Times)
Business Briefing for 04.08.26 (The CyberWire)
China Is Cracking Down on Scams. Just Not the Ones Hitting Americans (WIRED)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there. A free two-day virtual summit, the subject, preemptive security. Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like. A-list speakers will show you how organizations are disrupting attacks before they can blow up your day. You'll see how exposure management, MDR, and AI together let you
Starting point is 00:00:41 make the decisive move. Registration is open at rapid7.brighttalk.com. The FBI disrupts a multi-million dollar phishing ring. A North Korea-linked supply chain attack hits OpenAI. Developers face a Slack
Starting point is 00:01:09 phishing campaign. A critical Python notebook flaw is exploited in hours. ShinyHunters target Rockstar Games. A Japanese shipping firm reports a breach. Tracking the cybersecurity winners and losers in Trump's 2027 budget, plus a claimed cyber attack on UAE infrastructure. We've got our Monday business breakdown.
Starting point is 00:01:30 Our guest is Justin Kohler, chief product officer at SpecterOps, discussing identity attack path management. And crackdowns at home push scam networks abroad. It's Monday, April 13, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us.
Starting point is 00:02:17 Happy Monday. U.S. and Indonesian law enforcement have dismantled W3LL, a phishing operation linked to more than $20 million in fraud worldwide. Well, we note, is spelled W3LL because, of course, it is. Led by the FBI's Atlanta Field Office, the takedown targeted the W3LL phishing kit, which allowed criminals to spoof login pages and steal credentials. The kit sold for about $500 through the members-only W3LL Store, active from 2019 to 2023,
Starting point is 00:02:53 and investigators believe the marketplace enabled the sale of over 25,000 compromised accounts. Activity continued after the store's closure via encrypted messaging apps, with more than 17,000 victims targeted between 2023 and 2025. The FBI seized the w3ll.store domain and identified the suspected developer as GL. Researchers at Group-IB previously described W3LL as a full business email compromise ecosystem, supporting attacks across the phishing kill chain. The Trump administration's proposed 2027 budget would reduce civilian federal cybersecurity spending from $12.455 billion in 2026 to $12.28 billion, a decline of about $227 million, with uneven impacts across
Starting point is 00:03:49 agencies. The Department of Justice and State Department would see the largest increases, alongside smaller gains at Transportation, Commerce, Housing and Urban Development, and Energy. Major cuts would fall on the Department of Homeland Security, largely affecting CISA, as well as the Department of Veterans Affairs and the National Science Foundation, Health and Human Services, and Treasury. Notably, cybersecurity funding for the SEC and FCC would drop to zero under the proposal. CISA alone could lose $707 million and hundreds of positions, raising concerns about reduced collaboration with the private sector. Experts warn that lower federal cyber investment amid rising nation-
Starting point is 00:04:36 state and criminal threats may increase long-term national risk and weaken public-private defense partnerships. According to Iranian news sources, the Handala hacking group claims responsibility for a cyber attack targeting three UAE institutions, the Dubai Courts Authority, Dubai Land Authority, and Dubai Roads and Transport Authority. The group says it destroyed six petabytes of data and exfiltrated 149 terabytes of sensitive documents, causing reported disruptions across Dubai's legal and infrastructure systems. Handala framed the operation as political retaliation and warned of further action. The claims, if accurate, suggest a significant challenge to the UAE's critical infrastructure cybersecurity posture. Again, we emphasize these claims have not yet been
Starting point is 00:05:31 independently verified. The Open Source Security Foundation is warning of a phishing campaign targeting software developers through the TODO Group Slack workspace. Attackers impersonate Linux Foundation leaders and promote a supposed invite-only artificial intelligence tool to lure victims. Targets are redirected through a fake Google Workspace-style page that requests an email, access code, and installation of a malicious root certificate, enabling attackers to monitor encrypted traffic and steal data.
Starting point is 00:06:07 The attack varies by platform. On macOS, victims are prompted to run a file called GAPI, potentially enabling full-system compromise. On Windows, users are urged to trust the fake certificate. Researchers note similarities to recent campaigns against Node.js developers, which Mandiant has linked to North Korean state-sponsored actors. OpenSSF advises developers never to install certificates from unsolicited links and to enable multifactor authentication. OpenAI says it was affected by the recent Axios supply chain attack linked by researchers to North Korean hackers.
Starting point is 00:06:51 Attackers compromised a maintainer's npm account and briefly distributed malicious Axios packages containing a cross-platform remote access Trojan. A GitHub Actions workflow used in OpenAI's macOS app signing process executed the tainted version, exposing signing materials. OpenAI believes its certificate was not compromised, but revoked and rotated it as a precaution. Researchers observed infections on at least 135 machines. Hackers began exploiting a critical vulnerability in the Marimo open source Python notebook platform within 10 hours of its disclosure. The flaw, rated 9.3 by GitHub, allows unauthenticated remote code execution through the exposed terminal ws WebSocket endpoint. Researchers at Sysdig observed attackers quickly validating access, conducting reconnaissance, and extracting credentials from
Starting point is 00:07:54 .env files and SSH-related locations in under three minutes. The vulnerability affects multiple versions, particularly deployments exposed on shared networks in edit mode. The attackers appeared to prioritize credential theft rather than persistence or crypto mining. Marimo released an updated version to address the issue and advised users to upgrade immediately, restrict endpoint access, monitor connections, and rotate potentially exposed secrets. Hackers claiming to be the ShinyHunters group say they breached Rockstar Games by accessing servers hosted by a third-party cloud provider and threatened to release stolen data unless paid a ransom. Rockstar confirmed that a limited amount of non-material
Starting point is 00:08:44 company information was accessed, but said the incident had no impact on its operations or players. The group, previously linked to breaches including Ticketmaster, claims it will publish the data after unmet demands. The incident marks Rockstar's second major cyber attack in three years, following a 2023 breach tied to a Lapsus$ member that exposed early Grand Theft Auto 6 development footage. Japanese shipping company Nippon Yusen Kabushiki Kaisha reported unauthorized access to a marine fuel procurement system
Starting point is 00:09:22 detected on March 24th, resulting in the possible exfiltration of data, including personal information. The company isolated the affected system and suspended its use, restoring operations on March 27th. NYK notified regulators and police and launched an internal investigation. It said there's no evidence of ransomware activity, financial demands, or secondary damage linked to the incident so far. It's Monday, and that means we have our business breakdown. Cybersecurity firms announced multiple funding rounds and acquisitions last week, led by 10x AI raising $250 million in Series B funding to expand hiring, partnerships, EMEA operations, and its artificial intelligence security operations platform. Depth First secured $80 million to grow research and enterprise adoption, while Alcatraz and Link Security each raised $50 million to support expansion and product development.
Starting point is 00:10:27 Additional early stage funding went to Trent AI, Huskies, and Test of Things. In mergers and acquisitions activity, Fortra acquired Zero Point Security to expand offensive security training capabilities, while EFECS acquired Priority 1 IT to strengthen healthcare sector technical services. Be sure to check out our regular business briefing, which publishes Wednesday on our website. It's part of CyberWire Pro. Coming up after the break,
Starting point is 00:11:08 my conversation with Justin Kohler, chief product officer at SpecterOps. We're discussing identity attack path management. And crackdowns at home push scam networks abroad. Stay with us. And now a word from our sponsor, Arcova, formerly MorganFranklin Cyber. Arcova is a global cybersecurity and AI consulting firm
Starting point is 00:11:42 built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A.com. No, it's not your imagination.
Starting point is 00:12:27 Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2
Starting point is 00:12:47 or managing an enterprise governance, risk, and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com/cyber.
Starting point is 00:13:17 Justin Kohler is chief product officer at SpecterOps. I recently got together with him at the RSAC 2026 conference for this sponsored Industry Voices interview discussing identity attack path management. I think the interesting thing on the AI side is we are seeing what we call nation-state level tradecraft come down to the masses, right? You know, like it's really easy for us to launch really advanced attacks. Now it's kind of easy for a lot of people.
Starting point is 00:13:59 I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people, you know, get distracted. The reason why that's relevant to us in BloodHound is you're not going to really be able to keep up with this from a detection and response scenario. I mean, maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door. You need to shut down the opportunity because I think people, nobody today wants to look at another alert. They want to make the problem go away.
Starting point is 00:14:36 Well, thanks for joining us once again. Here we are on the floor at RSAC 2026. And it is my pleasure to be joined by Justin Kohler. He is the chief product officer at SpecterOps. Justin, thanks so much for joining us. Yeah, pleasure to be here. Just the hum of the halls is, you know, getting over it. And before we dig in, how's the show been for you?
Starting point is 00:14:57 Awesome. It's been a blur. Yeah. Really exciting. But yeah, it's crazier every year. Absolutely. I want to dig into some of the things I've been hearing coming out of SpecterOps this week and recently. This whole idea of identity attack path management.
Starting point is 00:15:14 I want to make sure I get that right. Can we dig into that? What is that? And why does it matter? Yeah. So we kind of realized that we were doing this for the last decade. And then we put a name to it. So if you don't know SpecterOps,
Starting point is 00:15:25 we got our history started with penetration testing and red teaming. And the way that we would accomplish our objective, we stopped throwing exploits and just taking over boxes. We usually took over an identity. And historically, that was Active Directory because that's where people had their identities. But as organizations have evolved their identities in more hybrid environments, so like it could be Entra ID or AWS or GitHub or you name it,
Starting point is 00:15:51 there's identities everywhere. And if we can take control over those identities, not only can we operate as them, but we can hide under the radar, if that makes any sense. So we just use your permissions against you. And that's what we mean by an identity attack path. Basically, how can I turn my initial access victim? So we might click on the wrong link or whatever. Could be a non-human identity we take over from a repo and then turn that into more and more access. And importantly, it's not about the initial identity we take over.
Starting point is 00:16:20 It's about how I can cascade that into, like, control over my account, leads to control over your account, leads to a control over an admin account, and then I can do whatever I want. So that's what an identity attack path is. Help me, can we dig into some of the details of how that plays out in the real world? Can you walk me through if I start out with, I don't know, I purchased something from an initial access broker or something to get into a system? Yep.
Starting point is 00:16:44 What's my plan then for lateral movement through someone's organization? Yeah, so you read about it a lot. I mean, there was a really cool story about, from Google two weeks ago now, where they had some initial access into a GitHub repository. And through chaining permissions in GitHub, they were actually able to take over the CI/CD pipeline in AWS and then routed through AWS to take over the AWS account and all the S3. So basically, like, and you see that more and more. I mean, phishing is getting better, but also phishing controls are getting better. So now it's like, you mentioned like initial access brokers. You just need somebody to like set the beacon early or give you a way in and
Starting point is 00:17:23 then we just route through all the controls. I'll give you an example from way back when in Active Directory. If you land in Active Directory and if you ask the directory for all the information, it just gives you all that information. That's how it functions. That's why we like these attack paths, they're so hard because you can't patch them out. Like there's nothing to patch. This is how the system functions. So basically we get the map of your environment by just asking the question, then it's just a matter of time of routing through all those misconfigurations you put in over the last 20 years. And it's not just Active Directory. I mean, it's every cloud system. They're so complex. And nobody can make sense of this in their head. At least not without
Starting point is 00:18:01 visualizing. That's where BloodHound comes in. That's probably like the most popular way that people understand attack paths. I mean, it's used in 95% of penetration tests. And BloodHound Enterprise is now, you know, helping enterprise customers handle that at scale. Let's talk about BloodHound. Yeah. How does that come into play? People are using it in regard to OpenGraph. Yeah. Yeah. So BloodHound, so again, a little bit of history here. We created BloodHound because we were just penetration testers and red teamers and we
Starting point is 00:18:30 wanted a faster way of doing our job. And instead of storing all these, you know, this cascading permissions and identities, instead of storing it all in Excel, we just threw it in a graph database and created BloodHound. So we basically created Google Maps for attacking an organization. And then that was awesome. But then we created another problem. And it was like, well, now we can find all these attack paths. What can we do to shut them down? It's like, well, we just break things. We don't know how to do that. So then we worked for like four or five years
Starting point is 00:18:54 to figure out how we would solve that problem. And BloodHound Enterprise kind of flips that on its head and says, okay, forget about all these attack paths. Let's focus on your most critical assets, understand all the paths that could lead to them and then shut them down one by one. So think of it like, I'm going to wall off a city. I understand all the roads that will go into that city. I'm just going to block them off. And that sounds potentially esoteric and bad, but what that really is doing is just separating your unprivileged identities from your privileged identities. So it's basically just giving you the visibility to do the thing that we've been saying we should do for 20 years. People have said, like, Active Directory should have shipped with BloodHound.
Starting point is 00:19:32 I think any identity system should ship with BloodHound. OpenGraph is our pivot, not a pivot, but just an opening of the aperture. So we used to be always focused in Active Directory, and Entra ID in a Microsoft-centric world, which is good because, you know, again, that's kind of where everybody started, but we have AWS, we have GCP. So last week we announced our first OpenGraph extensions for the new BloodHound Enterprise
Starting point is 00:19:55 with Jamf, Okta, and GitHub. So it's really interesting. We've been attacking those systems for years, and now we can show everybody what we see when we land on the inside. When you say visibility, what are we talking about? What does the customer get to see?
Starting point is 00:20:10 So you, let's say it as an admin, as an identity team or as a security professional, there's all these configurations that you're making, right? And in isolation, maybe they look benign. So think of like a user access request. I need access to this resource. Cool, here you go. And then more and then more and then more.
Starting point is 00:20:29 We show you the culmination of that. So you didn't realize that that permission you granted four years ago to this help desk user or whatever actually ends up connecting every low-privileged identity in your environment to take over the entire environment. I mean, it's a bunch of cascading. It's like the, you know, it's like the domino meme. It's like you start this thing and then you take over the organization. That's exactly what we're showing. So it can be really eye-opening for people.
Starting point is 00:20:55 I actually had this funny blog post that I created when we first launched the product. It was, is everybody this bad? Because I kept getting that question. Because they would deploy and they'd be like, oh my gosh. Oh, I see. Yeah. Sure. And I was like, please tell me it's not just us. Yeah. And I was like, yes, it is. And that's why, like, I think a lot of security, I mean, let's pick on, not pick on the CISOs, but give them some credit to their fear. They're like, we're living in fear of getting punched in the face. So it's just a matter of time. And I don't know where it's going to come from.
Starting point is 00:21:27 And I can answer that question. I can map your next breach. I can show you exactly how it's happening. And then I can show you how to fix it more importantly. So, and the numbers are against us. I mean, the attack paths are usually measured in the millions, if not billions. But the good thing is, again, the different approach we have is if you're focusing on your critical assets, you're really only talking about
Starting point is 00:21:46 maybe 10 to 12 different roads in. And so you can shut off millions of attack paths if you know where to focus. We're here at RSAC 2026, which means we would be... AI. You saw me coming from a mile away. Oh, yeah. Oh, yeah. Yeah. So? Yeah. So AI, so we see AI in a couple different ways at SpecterOps and in BloodHound. So number one, AI has to use identity in some form or fashion. So it's either going to be provisioned a specific identity that it uses for its role, or it's going to assume the user's identity to accomplish the objective. The cool thing here is we have that mapped already. So if you're provisioning identity, we do not discern between an AI identity or a user identity. They are all just
Starting point is 00:22:36 identities to us. So if we can use an AI identity or a non-human identity or a user identity to attack the organization, we're going to show you the same thing. I think the interesting thing on the AI side is we are seeing what we call nation-state level tradecraft come down to the masses, right? You know, like, it's really easy for us to launch really advanced attacks. Now it's kind of easy for a lot of people.
Starting point is 00:23:01 I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people get distracted. The reason why that's relevant to us in BloodHound is you're not going to really be able to keep up with this from a detection and response scenario. I mean, maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door. You need to shut down the opportunity because I think nobody today wants to look at another alert. They want to make the problem go away.
Starting point is 00:23:36 And that's where we can help, like a lot of people have been throwing a lot of detection focused workflows on this problem. but it's saddling too much of the burden. Like, we need to remove it and make detection more effective, if that makes any sense. How does the background of your organization, your pedigree, the history of, as you say, pen testing, how does that give you all a unique view, a unique lens on all of these problems?
Starting point is 00:24:03 I would say we're very, we're very lucky in that sense. I mean, we work with a lot of very large, large, very interesting organizations. We're a red team for OpenAI and Palantir. So we get exposed to a lot of different new problems. And I think that's the way that we think as a company. We don't think, like, we don't think as a product company trying to create a product to sell a product.
Starting point is 00:24:30 We were like, we're attacking organizations and we're getting in every time. How can we stop ourselves? So, because everybody was asking us out of business. Yeah. It's like, I mean, it's frustrating. I mean, to a certain extent, we almost felt like we were doing our clients a disservice. We'd come in and kick them in the face, and then, you know, the next year we'd come in and kick them in the face again. And it's like, well, this isn't helping you.
Starting point is 00:24:51 How can we actually help you solve this problem? And so that's why we created BloodHound Enterprise. Well, Justin Kohler is chief product officer at SpecterOps. Justin, thanks so much for joining us. Thank you. There's a lot more to this conversation than we have time to share here. So please check out the full unedited interview. You can find a link to that in our show notes.
Starting point is 00:25:13 Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
Starting point is 00:26:03 It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years.
Starting point is 00:26:54 GuardSquare delivers the highest level of security for your mobile application without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, in a piece for Wired, Lily Hay Newman reports that governments keep trying to shut down industrial-scale scam compounds across Southeast Asia, but the operations, often linked to Chinese organized crime and forced labor, continue to thrive with stubborn efficiency.
Starting point is 00:27:43 The FBI says Americans alone reported $17.7 billion in cyber-enabled scam losses last year, likely an undercount. U.S. officials argue a key obstacle is uneven cooperation from China, which has cracked down on scams targeting its own citizens, while foreign victims remain fair game. Researchers say that approach has quietly encouraged syndicates to pivot toward Americans and other international targets. Meanwhile, the United Nations notes
Starting point is 00:28:17 scam centers are expanding their multilingual workforces to match their global ambitions. Analysts compare the dynamic to squeezing a balloon. Pressure in one place simply bulges elsewhere. The result is a familiar pattern in cybercrime diplomacy. Everyone agrees. Scams are bad.
Starting point is 00:28:38 Just preferably someone else's problem first. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week.
Starting point is 00:29:06 You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Starting point is 00:29:39 Our contributing host is Maria Vermazas. Our executive producer is Jennifer Ibin, Peter Kilpey is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
