Read Time: 9 minutes

Brought to you by:

Howdy friends!

Broke 100 degrees here in Texas this week, so if you’re not here - be grateful. I also can’t believe how booked I am lately. Between content creation and running the businesses, I’m going a million miles a minute. Really appreciative right now of all the people around me who help and support, it’s the only way I can keep going.

ICYMI

🖊️ Something I wrote: the first place I ever met any infosec people.

🎧️ Something I heard: Unified Entity Context: The AI Stack Everyone is Building Without Realizing It

🎤 Something I said: Ran through some crazy intel reports about this massive wave of ClickFix hacking campaigns.

📣 Something you’ll find cool: Run through of Dropzone’s AI SOC tool under the hood*

🔖 Something I read: Building Under Constraint: The $10M/Employee Playbook

*Sponsor

Vulnerable News

Coinbase says customers’ personal information stolen in data breach

Coinbase just dropped a bombshell about an insider threat they've been dealing with. Some overseas support agents got bribed to steal customer data for less than 1% of users, which scammers then used for social engineering attacks. The crooks grabbed names, addresses, ID images, and account histories – but crucially, no passwords, private keys, or actual funds. When the attackers demanded a $20 million ransom to keep quiet, Coinbase told them to pound sand.

Instead of paying criminals, Coinbase is flipping the script with a $20 million reward fund for information leading to arrests.(!!) They're also reimbursing any customers who got tricked into sending funds to the scammers, implementing extra verification steps for high-risk transactions, and opening a new support hub in the US with tighter controls. (read more)

SOC analysts waste 75% of time on repetitive alerts—AI Context Memory helps*

Most security tools generate alerts without understanding your environment's unique context. That's why analysts repeatedly investigate the same alerts, spending 40 minutes on investigations that should take minutes.

Dropzone AI's Context Memory works differently. It learns which VPNs are approved, when maintenance windows occur, and what 'normal' looks like in your specific environment. By retaining this organizational knowledge, their AI SOC analyst reduces Mean Time to Conclusion up to 95% without requiring playbooks or coding.

Try the self-guided demo to see the difference in real-time.

*Sponsored

North Korean IT Workers Are Being Exposed on a Massive Scale

DTEX researchers just dropped 1,000 email addresses linked to these DPRK scammers. They've also named two specific guys - "Naoki Murano" and "Jenson Collins" - complete with photos showing them living it up with steak dinners and private pool parties while based in Laos (before relocating to Russia). Murano's not just coding for cash, he's been linked to a $6 million crypto heist at DeltaPrime last year.

Cryptocurrency investigator ZachXBT published crypto and personal info on more than 20 North Korean IT workers while digging into Murano. Coinbase then also linked Murano to the DeltaPrime incident.

These aren't just random freelancers. They're part of Kim Jong-un's organized cyber operation that's stealing billions for the regime's weapons program. The workers get quotas and typically keep only pocket change (like $200 from a $5,000 monthly salary). They're using face-changing software during interviews and AI assistants to answer questions in real-time. (read more)

Forget IPs: using cryptography to verify bot and agent traffic

Cloudflare's tackling the messy problem of bot identification with some slick crypto solutions. They're introducing two methods for legit bots to prove who they are: HTTP Message Signatures and request mTLS. The current system of checking IP addresses and User-Agent headers is basically broken. IPs change constantly and headers are trivial to spoof. With their new approach, bots can cryptographically sign their requests, giving sites a reliable way to know if that's really GoogleBot or just an impostor.

The HTTP Message Signatures method looks particularly promising. OpenAI's already started implementing it for their Operator traffic. It works by having the bot sign requests with a private key, while origins can verify the signature using a corresponding public key.

For the more hardcore folks, they're also experimenting with request mTLS, which uses client certificates during the TLS handshake. Both approaches should help cut through the noise and let site owners make better decisions about which bots to welcome and which to block. They've got example code up on GitHub if you want to kick the tires yourself. (read more)

Here’s why you should ditch custom scripts for a low-code platform*

More security teams are moving away from custom scripts like Python, PowerShell, and Bash in favor of low-code platforms. Why? Tines’ new guide breaks it down.

Inside, you'll find:

• Potential pitfalls of building automation with custom code

• A side-by-side comparison of a low-code platform like Tines vs Python across HTTP requests, webhooks, data manipulation, and more

• A case study of automating a Slack news feed for threat intel, built in both custom code and low-code

Get the guide.

*Sponsored

White House scraps plan to block data brokers from selling Americans’ sensitive data

The White House just backed down from a proposed rule that would have prevented federal agencies from working with data brokers who sell Americans' sensitive personal data. This rule, originally announced in September, would have forced data brokers to choose between lucrative government contracts or continuing to sell personal data to foreign buyers. After pushback from the Data & Marketing Association (the industry's lobby group), the Office of Management and Budget quietly killed it.

Just last year we saw multiple cases of Chinese firms purchasing American health records and location data through these brokers. The reversal suggests the data broker industry's influence in DC remains strong, despite bipartisan support for data privacy reform. (read more)

Cybersecurity incident forces largest US steelmaker to take some operations offline

Nucor, North America's largest steel manufacturer, had to temporarily shut down some operations after detecting unauthorized access to their IT systems. They're being pretty tight-lipped about the specifics, but with $7.83B in Q1 sales and 300 locations, this is a significant hit to US steel production. They've got their incident response plan running and took affected systems offline while they sort things out. (read more)

Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering

A massive Chinese-language Telegram marketplace called Xinbi Guarantee has been exposed for facilitating $8.4B in illicit transactions since 2022. The platform, masquerading as a legitimate Colorado-based company, serves as a one-stop shop for everything from romance scam infrastructure to North Korean money laundering. They actually registered as a corporation in Colorado under a fake name before going "delinquent" for missing filings.

Q4 2024 alone saw over $1B in transactions, dwarfing traditional darknet markets. The platform's 233,000 users can access Starlink equipment, fake IDs, stolen databases, and even more disturbing services like stalking and human trafficking. Telegram has now shut down thousands of channels belonging to Xinbi and its sister market HuiOne, disrupting operations that collectively processed over $35B in USDT. (read more)

The cryptography behind passkey

A lot of us security people have been drooling over passkey and their adoption. Trail of Bits are some of the smartest on the planet, and they did a great write up of the under the hood.

Passkeys are basically just public-key cryptography dressed up for the web. When you register a passkey, the website saves your public key while your device keeps the private key, which it uses to sign authentication challenges. The magic sauce is WebAuthn's origin binding: your passkey is cryptographically tied to the specific domain that created it, so phishing sites can't trick you into authenticating to the wrong place. Your authenticator (built into your device or a separate hardware key) won't sign challenges for fake-bank.com when your passkey belongs to bank.com.

While passkeys are a massive upgrade from passwords, they're not invincible. If your browser is compromised, it could lie about what site you're actually authenticating to. The security also depends on your authenticator keeping private keys safe. A hacked device or counterfeit hardware key could leak them. There are some cool cryptographic extensions being developed too, like the ability to derive encryption keys or store sensitive data using your passkey. (read more)

South Korean researchers uncover another cyber-espionage campaign from the North

North Korea's hackers are keeping busy with a fresh espionage campaign from APT37 (aka ScarCruft) targeting South Korean national security organizations. The group is phishing victims with some pretty timely bait. Emails offering intel on North Korean troops in Russia or fake invites to security conferences, complete with malicious Dropbox links. Once clicked, these links trigger PowerShell commands that deploy RoKRAT, a nasty little tool that harvests system info and grabs screenshots for the attackers to analyze later.

They've been consistently targeting South Korean experts and organizations for years, typically using cloud services like Dropbox, Yandex, OneDrive, and Google Drive to slide under the radar. Interestingly, researchers found Russian Yandex email accounts tied to this campaign, though they couldn't determine if these were compromised accounts or something else. It's part of a broader pattern, as another North Korean group (TA406) was just caught targeting Ukrainian government entities, and the Konni group has been hitting both South Korean and Russian targets since 2021. (read more)

Hard-coded API key in AI note taking app exposed users’ private meeting transcripts

Here's a good reminder that AI notetaking apps are handling some seriously sensitive stuff. Researchers found a hard-coded API key sitting right in Granola's desktop app that could've let anyone pull down other users' meeting transcripts. The attack was just a curl request to an unauthenticated endpoint to grab the AssemblyAI key, then use it to access the transcript API. No auth required.

The good news is Granola handled this well. The bug was caught during TestFlight beta testing and fixed before hitting the general public, with the key being revoked within minutes of disclosure. No audio was exposed, just text transcripts. Still, it's a wake-up call for the whole AI note-taking space that's swimming in VC money (about $850M raised in 2024-25). When these tools are recording everything from product roadmaps to sensitive customer convos, they need to be treated like the critical infrastructure they've become. (read more)

ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities

Russian hackers (likely APT28/Fancy Bear) have been running a global spy campaign dubbed 'RoundPress' since 2023, targeting government webmail servers with some impressively low-friction XSS exploits. Victims just need to open an email, no clicks required, and the embedded JavaScript starts stealing credentials and emails. ESET researchers found they're hitting multiple webmail platforms including Roundcube, MDaemon, and Zimbra, mainly at government organizations across Ukraine, Greece, Serbia, Ecuador, and several other countries.

The attackers are leveraging both known and zero-day flaws, with each payload tailored to the specific webmail product. They're creating invisible input fields to trick password managers into auto-filling credentials and exfiltrating everything from email content to 2FA info via HTTP POST requests. (read more)

FBI: US officials targeted in voice deepfake attacks since April

Scammers are sending both text messages and eerily convincing AI-voiced calls pretending to be senior government officials to establish trust before dropping malicious links. Their targets are current and former high-ranking federal and state officials and their contacts. Once they compromise one official's account, they use it to access other government contacts and continue the chain of deception.

The FBI has been warning about deepfake threats since 2021, and we've seen similar tactics used against LastPass last year when attackers impersonated their CEO's voice to target an employee. With AI voice tech getting better by the day, these phishing attacks are only going to get more convincing. The old "let me call you back on your official number" trick might be your best defense here. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay