A
You're listening to the Cyberwire Network, powered by N2K.
B
Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there: a free two day virtual summit. The subject: preemptive security. Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like. A-list speakers will show you how organizations are disrupting attacks before they can blowtorch your day. You'll see how exposure management, MDR and AI together let you make the decisive move. Registration is open at rapid7.brighttalk.com.

The FBI disrupts a multimillion dollar phishing ring. A North Korea linked supply chain attack hits OpenAI. Developers face a Slack phishing campaign. A critical Python notebook flaw is exploited in hours. ShinyHunters target Rockstar Games. A Japanese shipping firm reports a breach. Tracking the cybersecurity winners and losers in Trump's 2027 budget, plus a claimed cyber attack on UAE infrastructure. We've got our Monday business breakdown. Our guest is Justin Kohler, Chief Product Officer at SpectreOps, discussing identity attack path management. And crackdowns at home push scam networks abroad.

It's Monday, April 13, 2026. I'm Dave Bittner, and this is your Cyberwire intel briefing. Thanks for joining us here today. It's great as always to have you with us. Happy Monday.

US and Indonesian law enforcement have dismantled W3LL, a phishing operation linked to more than $20 million in fraud worldwide. W3LL, we note, is spelled W-3-L-L, because of course it is. Led by the FBI's Atlanta Field Office, the takedown targeted the W3LL phishing kit, which allowed criminals to spoof login pages and steal credentials. The kit sold for about $500 through the members-only W3LL Store. Active from 2019 to 2023, the marketplace is believed by investigators to have enabled the sale of over 25,000 compromised accounts. Activity continued after the store's closure via encrypted messaging apps, with more than 17,000 victims targeted between 2023 and 2025. The FBI seized the W3LL Store domain and identified the suspected developer as gl. Researchers at Group-IB previously described W3LL as a full business email compromise ecosystem supporting attacks across the phishing kill chain.

The Trump administration's proposed 2027 budget would reduce civilian federal cybersecurity spending from $12.455 billion in 2026 to $12.228 billion, a decline of about $227 million, with uneven impacts across agencies. The Department of Justice and State Department would see the largest increases, alongside smaller gains at Transportation, Commerce, Housing and Urban Development and Energy.
Major cuts would fall on the Department of Homeland Security, largely affecting CISA, as well as the Department of Veterans Affairs, the National Science Foundation, Health and Human Services and Treasury. Notably, cybersecurity funding for the SEC and FCC would drop to zero. Under the proposal, CISA alone could lose $707 million and hundreds of positions, raising concerns about reduced collaboration with the private sector. Experts warn that lower federal cyber investment amid rising nation-state and criminal threats may increase long term national risk and weaken public private defense partnerships.

According to Iranian news sources, the Handala hacking group claims responsibility for a cyber attack targeting three UAE institutions: the Dubai Courts Authority, the Dubai Land Authority and the Dubai Roads and Transport Authority. The group says it destroyed six petabytes of data and exfiltrated 149 terabytes of sensitive documents, causing reported disruptions across Dubai's legal and infrastructure systems. Handala framed the operation as political retaliation and warned of further action. The claims, if accurate, suggest a significant challenge to the UAE's critical infrastructure cybersecurity posture. Again, we emphasize these claims have not yet been independently verified.

The Open Source Security Foundation is warning of a phishing campaign targeting software developers through the TODO Group Slack workspace. Attackers impersonate Linux Foundation leaders and promote a supposed invite-only artificial intelligence tool to lure victims. Targets are redirected through a fake Google Workspace style page that requests an email access code and installation of a malicious root certificate, enabling attackers to monitor encrypted traffic and steal data. The attack varies by platform. On macOS, victims are prompted to run a file called GAPI, potentially enabling full system compromise. On Windows, users are urged to trust the fake certificate.
Researchers note similarities to recent campaigns against Node.js developers, which Mandiant has linked to North Korean state sponsored actors. OpenSSF advises developers never to install certificates from unsolicited links and to enable multi-factor authentication.

OpenAI says it was affected by the recent Axios supply chain attack, linked by researchers to North Korean hackers. Attackers compromised a maintainer's npm account and briefly distributed malicious Axios packages containing a cross-platform remote access trojan. A GitHub Actions workflow used in OpenAI's macOS app signing process executed the tainted version, exposing signing materials. OpenAI believes its certificate was not compromised, but revoked and rotated it as a precaution. Researchers observed infections on at least 135 machines.

Hackers began exploiting a critical vulnerability in the Marimo open source Python notebook platform within 10 hours of its disclosure. The flaw, rated 9.3 by GitHub, allows unauthenticated remote code execution through the exposed terminal WebSocket endpoint. Researchers at Sysdig observed attackers quickly validating access, conducting reconnaissance and extracting credentials from .env files and SSH related locations in under three minutes. The vulnerability affects multiple versions, particularly deployments exposed on shared networks in edit mode. The attackers appeared to prioritize credential theft rather than persistence or crypto mining. Marimo released an updated version to address the issue and advised users to upgrade immediately, restrict endpoint access, monitor connections and rotate potentially exposed secrets.

Hackers claiming to be the ShinyHunters group say they breached Rockstar Games by accessing servers hosted by a third party cloud provider, and threaten to release stolen data unless paid a ransom.
Rockstar confirmed that a limited amount of non-material company information was accessed, but said the incident had no impact on its operations or players. The group, previously linked to breaches including Ticketmaster, claims it will publish the data after unmet demands. The incident marks Rockstar's second major cyber attack in three years, following a 2023 breach tied to a Lapsus$ member that exposed early Grand Theft Auto 6 development footage.

Japanese shipping company Nippon Yusen Kabushiki Kaisha, NYK, reported unauthorized access to a marine fuel procurement system, detected on March 24, resulting in the possible exfiltration of data including personal information. The company isolated the affected system and suspended its use, restoring operations. On March 27, NYK notified regulators and police and launched an internal investigation. It said there's no evidence of ransomware activity, financial demands or secondary damage linked to the incident so far.

It's Monday, and that means we have our business breakdown. Cybersecurity firms announced multiple funding rounds and acquisitions last week, led by 10x AI raising $250 million in Series B funding to expand hiring, partnerships, EMEA operations and its artificial intelligence security operations platform. Depth First secured $80 million to grow research and enterprise adoption, while Alcatraz and Link Security each raised $50 million to support expansion and product development. Additional early stage funding went to Trent AI, Huskies and Test of Things. In mergers and acquisitions activity, Fortra acquired Zero Point Security to expand offensive security training capabilities, while Effects acquired Priority One IT to strengthen healthcare sector technical services. Be sure to check out our regular business briefing, which publishes Wednesday on our website. It's part of Cyberwire Pro.

Coming up after the break, my conversation with Justin Kohler, Chief Product Officer at SpectreOps.
We're discussing identity attack path management and crackdowns at home push scam networks abroad. Stay with us.
A
And now a word from our sponsor, Arcova, formerly MorganFranklin Cyber. Arcova is a global cybersecurity and AI consulting firm. Built by practitioners who've been in the seat, they work directly with enterprise teams to solve complex security challenges, building secure by design programs that hold up as technology and threats evolve. From focused engagements to long term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.
B
No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this: over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com/cyber.

Justin Kohler is Chief Product Officer at SpectreOps. I recently got together with him at the RSAC 2026 conference for this sponsored Industry Voices interview discussing identity attack path management.
D
I think the the interesting thing on the AI side is we are seeing what we call nation state level tradecraft come down to the masses, right? You don't like, it's really easy for us to launch really advanced attacks now. It's kind of easy for a lot of people. I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people, you know, distracted. The reason why that's relevant to us in Bloodhound is you're not going to really be able to keep up with this from a detection and response scenario. I mean maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door. You need to shut down the opportunity because I think people, no, nobody today wants to look at another alert. They want to make the problem go away.
C
Well, thanks for joining us once again. Here we are on the floor at RSAC 2026, and it is my pleasure to be joined by Justin Kohler. He is the Chief Product Officer at SpectreOps. Justin, thanks so much for joining us.
D
Yeah. Pleasure to be here. Just the hum of the hall is getting over it.
C
Before we dig in, how's the show been for you so far?
D
Awesome. It's been a blur. Really exciting, but yeah, crazier every year.
C
Absolutely. I want to dig into some of the things that I've been hearing coming out of SpectreOps this week and recently. This whole idea of identity attack path management. I want to make sure I get that right. Can we dig into that? What is that and why does it matter?
D
Yeah, so we kind of realized that we were doing this for the last decade and then we put a name to it. So if you don't know SpectreOps, our history started with penetration testing and red teaming, and the way that we would accomplish our objective. We stopped throwing exploits and just taking over boxes. We usually took over an identity. And historically that was an Active Directory, because that's where people had their identities. But as organizations have evolved, their identities are in more hybrid environments. So it could be Entra ID or AWS or GitHub or you name it, there's identities everywhere. And if we can take control over those identities, not only can we operate as them, but we can hide under the radar, if that makes any sense. So we just use your permissions against you. And that's what we mean by an identity attack path. Basically, how can I turn my initial access victim, who might click on the wrong link or whatever, could be a non-human identity we take over from a repo, and then turn that into more and more access. And importantly, it's not about the initial identity we take over, it's about how I can cascade that into, like, control over my account leads to control over your account leads to control over an admin account. And then I can do whatever I want. So that's what an identity attack path is.
C
Help me, can we dig into some of the details of how that plays out in the real world? Can you walk me through if, if I start out with, I don't know, I purchased some, something from an initial access broker or something to get into a system.
D
Yep.
C
What's my plan then for lateral movement through someone's organization?
D
Yeah, so you read about it a lot. I mean, there was a really cool story from Google two weeks ago now where they had some initial access into a GitHub repository, and through chaining permissions in GitHub they were actually able to take over the CI/CD pipeline and AWS, and then routed through AWS to take over the AWS account and all the S3. And you see that more and more. I mean, phishing is getting better, but also phishing controls are getting better. So now it's like you mentioned, like initial access brokers. You just need somebody to set the beacon early or give you a way in. And then we just route through all the controls. I'll give you an example from way back when in Active Directory. If you land in Active Directory and if you ask the directory for all the information, it just gives you all that information. That's how it functions. That's why these attack paths are so hard, because you can't patch them out. There's nothing to patch. This is how the system functions. And so basically we get the map of your environment by just asking the question. Then it's just a matter of time of routing through all those misconfigurations you put in over the last 20 years. And it's not just Active Directory. I mean, it's every cloud system. They're so complex. And nobody can make sense of this in their head, at least not without visualizing. That's where BloodHound comes in. That's probably the most popular way that people understand attack paths. I mean, it's used in 95% of penetration tests. And BloodHound Enterprise is now helping enterprise customers handle that at scale.
C
Let's talk about Bloodhound. How does that come into play? People are using it in regard to Open Graph.
D
Yeah, yeah. So BloodHound. So again, a little bit of history here. We created BloodHound because we were just penetration testers and red teamers and we wanted a faster way of doing our job. And instead of storing all these cascading permissions and identities, instead of storing that all in Excel, we just threw it in a graph database and created BloodHound. So we basically created Google Maps for attacking an organization. And then that was awesome. But then we created another problem, and it was like, well, now we can find all these attack paths. What can we do to shut them down? It's like, well, we just break things. We don't know how to do that. So then we worked for like four or five years to figure out how we would solve that problem. And BloodHound Enterprise kind of flips that on its head and says, okay, forget about all these attack paths. Let's focus on your most critical assets, understand all the paths that could lead to them, and then shut them down one by one. So think of it like, I'm going to wall off a city. I understand all the roads that go into that city, I'm just going to block them off. And that sounds potentially esoteric and bad, but what that really is doing is just separating your unprivileged identities from your privileged identities. So it's basically just giving you the visibility to do the thing that we've been saying we should do for 20 years. People have said Active Directory should have shipped with BloodHound. I think any identity system should ship with BloodHound. OpenGraph is our pivot. Not a pivot, but just an opening of the aperture. So we used to be always focused in Active Directory and Entra ID and a Microsoft centric world, which is good because, you know, again, that's kind of where everybody started. But we have AWS, we have GCP. So last week we announced our first OpenGraph extensions for the new BloodHound Enterprise with Jamf, Okta and GitHub. So it's really interesting.
We've been attacking those systems for years and now we can show everybody what we see when we land on the inside.
C
So when you say visibility.
D
Yeah.
C
What are we talking about? What is the customer get to see?
D
So you, let's say as an admin, as an identity team, or as a security professional, there's all these configurations that you're making, right. And in isolation, maybe they look benign. So think of like a user access request. I need access to this resource. Cool. Here you go. And then more, and then more, and then more. We show you the culmination of that. So you didn't realize that that permission you granted four years ago to this help desk user or whatever actually ends up connecting every low privileged identity in your environment to take over the entire environment. I mean, it's a bunch of cascading. It's like the, you know, it's like the domino meme. It's like you start this thing and then you take over the organization. That's exactly what we're showing.
C
Okay.
D
So it can be really eye opening for people. I actually had this funny blog post that I created when I, when we first launched the product. It was, is everybody this bad? Because I kept getting that question because they would deploy and they'd be like, oh my gosh.
C
Oh, I see.
D
Yeah, sure. And I was like, please tell me
C
it's not just us.
D
Yeah. And I was like, yes, it is. And, and that's why, like, I think a lot of security, I mean, let's pick on, not pick on the CISOs, but give them some credit to their fear. They're like we're, we're, we're living in fear of getting punched in the face. So it's just a matter of time. And I don't know where it's going to come from. And I can answer that question. I can map your next breach, I can show you exactly how it's happening, and then I can show you how to fix it. More importantly, so, and the numbers are against us. I mean, the attack paths are usually measured in the millions, if not billions. But the good thing is again, the different approach we have is if you're focusing on your critical assets, you're really only talking about maybe 10 to 12 different roads in. And so you can shut off millions of attack paths if you know where to focus.
C
So we're here at RSAC 2026, which means we would be AI. You saw me coming from a mile away.
D
Oh yeah. Oh yeah, yeah.
C
So, yeah.
D
So AI. So we see AI in a couple different ways at SpectreOps and at BloodHound. So number one, AI has to use identity in some form or fashion. So it's either going to be provisioned a specific identity that it uses for its role, or it's going to assume the user's identity to accomplish the objective. The cool thing here is we have that mapped already. So if you're provisioning identity, we do not discern between an AI identity or a user identity. They are all just identities to us. So if we can use an AI identity or a non-human identity or a user identity to attack the organization, we're going to show you the same thing. I think the interesting thing on the AI side is we are seeing what we call nation state level tradecraft come down to the masses. Right? You don't like. It's really easy for us to launch really advanced attacks now. It's kind of easy for a lot of people. I think the other fear of AI is not just launching super advanced attacks, but a lot of mediocre attacks and just starting a fire over here so that people get distracted. The reason why that's relevant to us in BloodHound is you're not going to really be able to keep up with this from a detection and response scenario. I mean, maybe you can throw another AI agent and have them get into a race condition and race each other. But from our perspective, you need to shut the door, you need to shut down the opportunity. Because I think people, nobody today wants to look at another alert. They want to make the problem go away, and that's where we can help. A lot of people have been throwing a lot of detection focused workflows on this problem, but it's saddling too much of the burden. We need to remove it and make detection more effective, if that makes any sense.
C
How does the background of your organization, your pedigree, the history of, as you say, pen testing, how does that give you all a unique view, a unique lens on all of these problems?
D
I would say. We're very lucky in that sense. I mean, we work with a lot of very large, very interesting organizations. We're the red team for OpenAI and Palantir. So we get exposed to a lot of different new problems. And I think that's the way that we think as a company. We don't think like, we don't think as a product company trying to create a product to sell a product. We were like, we're attacking organizations and we're getting in every time. How can we stop ourselves? So. Because everybody was asking that. Yeah, it's like, I mean, it's frustrating. I mean, to a certain extent, we almost felt like we were doing our clients a disservice. We'd come in and kick them in the face and then, you know, the next year we'd come in and kick them in the face again. And it's like, well, this isn't helping you. How can we actually help you solve this problem? And so that's why we created Bloodhound Enterprise.
C
Well, Justin Kohler is chief product officer at SpectreOps. Justin, thanks so much for joining us.
D
Thank you.
B
There's a lot more to this conversation than we have time to share here, so please check out the full unedited interview. You can find a link to that in our show notes.
B
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source and regain control over their environments. Schedule your demo at threatlocker.com/n2k today.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry leading security for your Android and iOS apps at www.guardsquare.com.

And finally, in a piece for Wired, Lily Hay Newman reports that governments keep trying to shut down industrial scale scam compounds across Southeast Asia, but the operations, often linked to Chinese organized crime and forced labor, continue to thrive with stubborn efficiency. The FBI says Americans alone reported $17.7 billion in cyber enabled scam losses last year, likely an undercount. U.S. officials argue a key obstacle is uneven cooperation from China, which has cracked down on scams targeting its own citizens while foreign victims remain fair game. Researchers say that approach has quietly encouraged syndicates to pivot toward Americans and other international targets. Meanwhile, the United Nations notes scam centers are expanding their multilingual workforces to match their global ambitions. Analysts compare the dynamic to squeezing a balloon: pressure in one place simply bulges elsewhere. The result is a familiar pattern in cybercrime diplomacy. Everyone agrees scams are bad, just preferably someone else's problem first.

And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
E
Ryan Reynolds here from Mint Mobile with a message for everyone paying Big Wireless way too much. Please, for the love of everything good in this world, stop. With Mint, you can get premium wireless for just $15 a month. Of course, if you enjoy overpaying, no judgments. But that's weird. Okay, one judgment. Anyway, give it a try at mintmobile.com/switch. Upfront payment of $45 for three month plan, equivalent to $15 per month, required. Intro rate first three months only, then full price plan options available. Taxes and fees extra. See full terms at mintmobile.com.
This episode covers the latest in global cyber threats, law enforcement takedowns, and evolving attack trends, with analysis of recent breaches and industry shifts—capped by a deep-dive interview with Justin Kohler, Chief Product Officer at SpectreOps. Key topics include the disruption of the W3LL phishing kit marketplace, major budgetary moves in U.S. government cybersecurity policy, rising identity-centric attack strategies, and reflections from RSAC 2026 on defending against advanced and AI-enabled attack paths.
"US And Indonesian law enforcement have dismantled W3LL, a phishing operation linked to more than $20 million in fraud worldwide." (01:18, C)
"Experts warn that lower federal cyber investment ... may increase long term national risk and weaken public private defense partnerships." (02:14, B)
UAE Infrastructure Attacks: The Handala group, per Iranian news sources, claims to have destroyed six petabytes and exfiltrated 149 terabytes from the Dubai Courts Authority, Dubai Land Authority and Dubai Roads and Transport Authority; the claims are not independently verified.
Developers Face Slack Phishing: OpenSSF warns of attackers impersonating Linux Foundation leaders in the TODO Group Slack workspace, luring developers to a fake Google Workspace style page that asks for an email access code and installs a malicious root certificate (a GAPI file on macOS, a trusted certificate on Windows).
OpenAI Supply Chain Incident: The North Korea linked Axios npm compromise reached a GitHub Actions workflow used for OpenAI's macOS app signing; OpenAI revoked and rotated the certificate as a precaution, and researchers counted at least 135 infected machines.
Python Notebook (Marimo) Flaw: A 9.3-rated unauthenticated remote code execution bug in the exposed terminal WebSocket endpoint was exploited within 10 hours of disclosure, with attackers pulling credentials from .env files and SSH locations in under three minutes; users are advised to upgrade, restrict endpoint access and rotate secrets.
Rockstar Games Breach: ShinyHunters claims access through a third party cloud provider and threatens to publish data; Rockstar says a limited amount of non-material information was accessed with no impact on operations or players.
Japanese Shipping Firm Breach: NYK reported unauthorized access to a marine fuel procurement system detected on March 24, with possible exfiltration of personal data and no evidence of ransomware or financial demands so far.
"We are seeing what we call nation state level tradecraft come down to the masses ... it's really easy for us to launch really advanced attacks now. ... The other fear of AI is ... a lot of mediocre attacks and just starting a fire over here so that people ... [are] distracted."
— Justin Kohler [13:44–14:36, D]
"We stopped throwing exploits and just taking over boxes. We usually took over an identity ... As organizations have evolved their identities in more hybrid environments ... if we can take control over those identities, ... we can hide under the radar."
— Justin Kohler [15:18, D]
"We get the map of your environment by just asking the [Active Directory] question. ... It's not just AD, it's every cloud system ... That's why these attack paths are so hard, because you can't patch them out."
— Kohler [16:48, D]
"We created Bloodhound because ... Instead of storing all these cascading permissions and identities ... in Excel, we just threw it in a Graph database."
— Kohler [18:22, D]
"Bloodhound Enterprise ... says, okay, forget about all these attack paths. Let's focus on your most critical assets, understand all the paths that could lead to them, and then shut them down one by one."
— [18:22, D]
“Is everybody this bad? ... Yes, it is. ... The numbers are against us. ... But if you focus on critical assets, you’re really only talking about maybe 10 to 12 different roads in."
— [21:06, D]
“We do not discern between an AI identity or a user identity. ... If we can use an AI identity ... to attack the organization, we’re going to show you the same thing.”
— [22:09, D]
"Nobody today wants to look at another alert. They want to make the problem go away ... We need to remove it and make detection more effective."
— [22:37, D]
"We don't think as a product company trying to create a product to sell a product. We were like, we're attacking organizations and we're getting in every time. How can we stop ourselves?"
— [24:03, D]
“We’d come in and kick them in the face and then, you know, the next year we’d come in and kick them in the face again. ... How can we actually help you solve this problem?”
— [24:40, D]
"Everyone agrees scams are bad, just preferably someone else's problem first." ([29:40], B)
For more details, check the CyberWire website for original stories and the full unedited interview with Justin Kohler.
Host: Dave Bittner (CyberWire/N2K Networks)
Guest: Justin Kohler (Chief Product Officer, SpectreOps)
Date: April 13, 2026
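Kohler describes identity attack paths as a graph problem: identities and assets are nodes, permissions are edges, and the fix is to find the few edges where paths into critical assets converge and remove them. The block below is an added illustration of that model written for this page; it is not BloodHound, BloodHound Enterprise or SpectreOps code. The environment it walks over is constructed, the node names are hypothetical, and the permission labels (MemberOf, AdminTo, ForceChangePassword, WriteCode, RunsAs) are illustrative rather than any real directory's schema. It enumerates every principal with a path into a Tier 0 asset, prints one shortest path, and ranks each edge by how many principals lose their path when that edge is removed, which is the "roads into the city" idea from the interview.

```python
"""Identity attack path enumeration and choke-point ranking.

Added example for this page; not BloodHound or SpectreOps code.
Nodes are identities, groups and assets; each edge means "source can take
control of target" through the named permission. Paths from low-privilege
principals to a Tier 0 asset are the attack paths, and the edges whose
removal disconnects the most principals are the ones to close first.
"""
from collections import defaultdict, deque
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]  # (source, target, permission)

# Constructed sample environment. Names are hypothetical and the
# permission labels are illustrative, not a real directory's schema.
EDGES: List[Edge] = [
    ("user:alice",          "group:helpdesk",      "MemberOf"),
    ("user:bob",            "group:helpdesk",      "MemberOf"),
    ("user:carol",          "group:helpdesk",      "MemberOf"),
    ("group:helpdesk",      "user:svc_backup",     "ForceChangePassword"),
    ("user:svc_backup",     "group:server_admins", "MemberOf"),
    ("group:server_admins", "computer:DC01",       "AdminTo"),
    ("user:dave",           "group:devs",          "MemberOf"),
    ("group:devs",          "repo:infra",          "WriteCode"),
    ("repo:infra",          "role:ci-deploy",      "RunsAs"),    # CI runner identity
    ("role:ci-deploy",      "group:server_admins", "MemberOf"),
    ("user:eve",            "computer:WS01",       "AdminTo"),   # on no path to Tier 0
]
TIER0: Set[str] = {"computer:DC01"}


def build_graph(edges: List[Edge]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency list: node -> [(controlled node, permission), ...]."""
    graph: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for src, dst, perm in edges:
        graph[src].append((dst, perm))
    return graph


def shortest_path(graph, start: str, targets: Set[str],
                  blocked: FrozenSet[Edge] = frozenset()) -> Optional[List[Edge]]:
    """BFS from `start`. Returns one shortest path to any target as a list of
    (node, permission, node) hops, or None if no path avoids `blocked`."""
    parent: Dict[str, Optional[Tuple[str, str]]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in targets:
            hops: List[Edge] = []
            while parent[node] is not None:
                prev, perm = parent[node]
                hops.append((prev, perm, node))
                node = prev
            return hops[::-1]
        for dst, perm in graph.get(node, ()):
            if (node, dst, perm) in blocked or dst in parent:
                continue
            parent[dst] = (node, perm)
            queue.append(dst)
    return None


def exposed_principals(graph, edges, targets, blocked=frozenset()) -> Set[str]:
    """Every non-Tier 0 node that has at least one path into Tier 0."""
    nodes = {n for src, dst, _ in edges for n in (src, dst)}
    return {n for n in nodes - targets
            if shortest_path(graph, n, targets, blocked) is not None}


def rank_choke_points(graph, edges, targets) -> List[Tuple[int, Edge]]:
    """Score each edge by how many principals lose every path when it is cut."""
    baseline = len(exposed_principals(graph, edges, targets))
    scored = []
    for edge in edges:
        remaining = len(exposed_principals(graph, edges, targets, frozenset({edge})))
        if baseline - remaining:
            scored.append((baseline - remaining, edge))
    return sorted(scored, key=lambda s: (-s[0], s[1]))


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    print("principals with a path to Tier 0:", sorted(exposed_principals(GRAPH, EDGES, TIER0)))
    for hop in shortest_path(GRAPH, "user:alice", TIER0):
        print("  %s -[%s]-> %s" % hop)
    for cut, (src, dst, perm) in rank_choke_points(GRAPH, EDGES, TIER0)[:3]:
        print(f"remove {src} -[{perm}]-> {dst}: {cut} principals lose their path")
```

On this sample, ten of the twelve non-Tier 0 nodes can reach the domain controller, yet a single edge, the server admins group's AdminTo on DC01, accounts for all of them, and the helpdesk group's ForceChangePassword on a backup service account is what drags three ordinary users onto the path. None of those edges is a patchable bug; each is a permission someone granted, which is the point Kohler makes about attack paths being configuration rather than vulnerability. A real deployment would feed this the directory's actual relationships and a much longer Tier 0 list, but the ranking step is the same.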