The CyberWire Daily Podcast 4.24.24
Ep 2053 | 4.24.24

Iran's covert cyber operations exposed.

Transcript

The DOJ indicts four Iranian nationals on hacking charges. Legislation to ban or force the sale of TikTok heads to the President’s desk. A Russian hack group claims a cyberattack on an Indiana water treatment plant. A roundup of dark web data leaks. Mandiant monitors dropping dwell times. Bcrypt bogs down brute-forcing. North Korean hackers target defense secrets. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness. Ransomware may leave the shelves in Sweden’s liquor stores bare. 

Today is April 24th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The DOJ indicts four Iranian nationals on hacking charges. 

The U.S. government has indicted four Iranian nationals for hacking operations targeting various U.S. entities, including the Treasury and State Departments, defense contractors, and two New York-based companies, allegedly for the Iranian Islamic Revolutionary Guard Corps (IRGC). They face charges of computer fraud and wire fraud, with potential sentences ranging up to 20 years for each count of wire fraud. Additionally, the Treasury Department has sanctioned these individuals, and the State Department is offering up to $10 million for information leading to three of the men. The operations involved two IRGC front companies and lasted from 2016 to at least April 2021, primarily targeting defense contractors and other U.S. businesses.

Legislation to ban or force the sale of TikTok heads to the President’s desk. 

Congress has passed legislation mandating the sale or ban of TikTok due to national security concerns related to its Chinese ownership, ByteDance. The bill, which received strong bipartisan support, was part of a larger package that also included aid for Israel, Ukraine, and Taiwan. The Senate approved it with a significant majority, and President Biden is expected to sign it into law. Once enacted, ByteDance will have about nine months, extendable by 90 days, to divest TikTok. The legislation highlights the serious concerns about potential Chinese government access to American data through TikTok, despite the app's economic and cultural influence in the U.S. TikTok disputes these claims and plans to legally challenge the legislation, arguing it infringes on free speech rights. The move marks a significant step in the U.S. government's ongoing scrutiny over foreign technology influences and data security.

A Russian hack group claims a cyberattack on an Indiana water treatment plant. 

A hacker group known as the Cyber Army of Russia has claimed responsibility for a cyberattack on the Tipton Wastewater Treatment Plant in Indiana, as revealed in a video on their Telegram channel. Despite the group's claim, local officials confirmed the attack but stated that the facility continued to operate normally with minimal disruption. The group, which has been linked to the Russian state actor Sandworm by the security firm Mandiant, has a history of targeting U.S. infrastructure and portrays itself as a hacktivist collective. The true extent of the damage from the attack remains unclear as investigations are still ongoing.

A roundup of dark web data leaks. 

The SOCRadar Dark Web Team discovered a database leak from Honda Vietnam containing sensitive customer information. This leak is part of a broader collection of cyber threats the team has discovered being offered on dark web markets, including a new insider information service and a malware service which endanger corporate and email security. Moreover, sensitive data of Chinese citizens using Huawei and iPhones, obtained from major carriers, is being marketed. Additional detected threats include unauthorized network access for sale to a French construction company, and data from critical U.S. airports also on sale. 

Mandiant monitors dropping dwell times. 

Mandiant’s M-Trends 2024 report indicates a notable improvement in global cybersecurity, with the median dwell time for attackers within systems dropping to just 10 days in 2023 from 16 days in 2022. This reduction is attributed to a higher proportion of ransomware incidents and better internal detection capabilities, as organizations have enhanced their systems' defenses. Despite this progress, the report highlights a rise in the use of zero-day exploits by attackers to evade detection and extend their presence in compromised systems. Notably, the Asia-Pacific region saw the most significant decrease in dwell time, while the EMEA region experienced a slight increase. The report stresses the importance of maintaining vigilant threat hunting and effective incident response strategies to counter these evolving cyber threats.

Bcrypt bogs down brute-forcing. 

The latest analysis on brute-force password cracking from Hive Systems now focuses on passwords hashed with Bcrypt, shifting from the less secure MD5 algorithm. Using NVIDIA GeForce RTX 4090 GPUs, the study found that passwords under seven characters can be cracked within hours. Comparatively, weak 11-character passwords now take 10 hours to crack with Bcrypt, a significant improvement from being instantly broken last year. Strong passwords exceeding eight characters—featuring a mix of numbers, symbols, and mixed-case letters—remain secure for months or even years. Hive's results highlight the robustness of Bcrypt for protecting well-constructed passwords and caution against the predictability of non-randomly generated passwords, which can be cracked much faster.

North Korean hackers target defense secrets. 

South Korean police have exposed a substantial hacking campaign by North Korea that compromised defense secrets from up to 83 defense contractors and subcontractors over a year. The campaign, led by North Korean state-backed groups Lazarus, Kimsuky, and Andariel, successfully extracted sensitive data from 10 companies between October 2022 and July 2023. Many targeted companies were oblivious to the breaches until notified by police. Techniques used included exploiting email vulnerabilities to download files without authentication, hijacking accounts with poor password practices, and malware introduction through compromised third-party maintenance accounts. 

Meanwhile, North Korean hackers exploited the update mechanism of eScan antivirus to deploy the GuptiMiner malware on large corporate networks, according to a report by Avast. This sophisticated malware, hidden within normal antivirus updates, gains system-level access through DLL sideloading, using eScan's legitimate operations. It then fetches additional payloads, establishes persistence, and manipulates DNS, among other malicious activities. GuptiMiner also checks for the presence of specific security and monitoring tools to avoid detection and executes on machines with sufficient hardware resources to evade sandbox detection. Despite remediation efforts by eScan, including more secure update protocols, infections persist, suggesting some systems remain vulnerable. Avast links GuptiMiner to the North Korean group Kimsuky based on operational similarities.

Today, we’ve got the next installment of Joe Carrigan’s CISSP journey with N2K’s Sam Meisenberg on the Learning Layer. Sam and Joe discuss content and study strategies for CISSP Domain 3 Security Architecture and Engineering, and discuss encryption and non-repudiation. 

You can find details of what Joe and Sam discussed in our show notes. 

Next up, we’ve got our Industry Voices segment with CyberProof’s CEO Tony Velleca. Tony explores some pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness.

Welcome back. We’ve got more detail on what Tony talked about in our show notes. 

Ransomware may leave the shelves in Sweden’s liquor stores bare. 

A ransomware attack has left Sweden's exclusive liquor distributor scrambling, potentially leaving the shelves of the nation’s sole alcohol retailer sparse by week's end. The cyber-assault has been attributed to a North Korean group by the distributor’s CEO, and threatens not just the availability of spirits but also the essential paper bags needed to carry them home.

This digital drama unfolds as Sweden revamps its National Cyber Security Centre, integrating it with the country's signals intelligence to enhance its cyber defense, following what the government criticized as subpar performance. The urgency for better security measures was underscored earlier in the year when Tietoevry, a major cloud services provider in Sweden, also fell victim to a ransomware attack, impacting numerous customers and forcing some store closures. Clearly, Sweden’s digital defenses are being tested as they work to cork these cybersecurity shortfalls.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.