Risky Biz News: Gen. Nakasone asked to remain in charge of NSA and CYBERCOM for one more year

In other news: Apple, Google, and Microsoft commit to FIDO standard and passwordless logins; GitHub to force devs to use 2FA.

This newsletter is brought to you by Airlock Digital, Rumble Network Discovery, Proofpoint, and Thinkst Canary. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

US officials have asked Gen. Paul Nakasone to remain in charge of both the NSA and US Cyber Command for at least one more year, The Record reported, citing sources close to the US official.

Gen. Nakasone—who has been in charge of both agencies since 2018—has indicated to sources that he would agree to the extension to get a chance to further develop initiatives he started at the NSA and also help secure the midterm elections.

The report comes on the heels of several comments Gen. Nakasone made on Wednesday during a roundtable discussion at Vanderbilt University, where he said that CYBERCOM conducted nine "hunt forward" missions last year. The missions involved deploying staff in allied countries to help them identify adversaries in their networks.

One of the missions was in Ukraine, and the agency is still executing hunt-forward missions, with the most recent one taking place in Lithuania, the agency said in a press release. In total, Gen. Nakasone said that CYBERCOM conducted 28 such missions in 16 different countries over the last four years, a sign of the agency's growing role in countering foreign nation-state threats.

Breaches and hacks

Heroku breach: Heroku said on Thursday that a threat actor has gained access and stolen (hashed and salted) passwords for Heroku customer accounts. The company said this is the same threat actor who gained access to OAuth tokens in early April and used them to access and search its customers' GitHub profiles for sensitive source code in a security breach first disclosed by GitHub on April 15. In the weeks after GitHub's disclosure, Heroku has come under heavy criticism for not providing its customers with actionable information about the incident and what was compromised, especially after some customers were asked to reset passwords without any explanation earlier this week.

Bulgaria: The LockBit ransomware gang bragged this week that they've successfully breached and encrypted files on the network of the Bulgarian government agency responsible for refugee management. While the LockBit gang is believed to have ties to Russia and while Bulgaria hosts Ukrainian refugees, there is no evidence to suggest the attack is politically-motivated and more than a typical extortion attempt.

Alcohol supply in Russia: A series of DDoS attacks carried out by Ukraine's IT Army on EGAIS, a government system used to control and regulate alcohol production in Russia, is apparently causing production delays and supply chain issues across the country. According to Russian "alcohol" media (because that's apparently a thing), alcohol factories and warehouses are very dependent on the EGAIS system, which they use to control supply volumes and avoid overstocking, and some beer factories had to temporarily shut down operations because of EGAIS being down.

General tech and privacy

Passwordless goes mainstream: Apple, Google, and Microsoft announced on Thursday plans to expand support for the FIDO standards inside their core products. At a technical level, support for "passwordless" logins means that devices from the three companies will be able to handle a FIDO sign-in credential (referred to as a passkey) stored on the device itself. This passkey is used when users sign up for or log into mobile apps and websites: instead of a password, the device answers the site's challenge with the cryptographically secure passkey. The FIDO Alliance said that the passkey is only used after users prove they are in control of the device by authenticating with a PIN, face scan, fingerprint, or even another nearby device (such as a smartphone). In a press release, the FIDO Alliance said it expects Apple, Google, and Microsoft devices and services to start supporting these new FIDO passkeys within the next year.

GitHub goes full 2FA: GitHub took steps on Wednesday to bolster the security of its ecosystem. The company announced that it will require all users who contribute code to projects hosted on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. According to the company, only 16.5% of current GitHub users have 2FA enabled, which is in itself a large adoption rate compared to Twitter, where only 2.3% of users use 2FA.

Google bad ads: Google, the world's largest online advertiser, said this week that it removed over 3.4 billion bad ads from its platform last year and blocked more than 5.7 billion ads even before they were published.

Government, politics, and policy

Quantumpocalypse: The White House issued a memorandum on Wednesday ordering federal agencies to prepare for a future where quantum computers will be able to break common cryptography algorithms. White House officials tasked CISA, the NSA, and NIST to create an inventory of currently used cryptographic systems and look for quantum-resistant alternatives, including solutions from the private sector. The move follows several news reports last month suggesting that China had taken the lead in quantum computing development.

EU unified health records: The EU announced this week plans to create a unified digital health records system under a new project named the European Health Data Space (EHDS).

Supply chain security guidelines: The National Institute of Standards and Technology (NIST) has released updated guidance on securing supply chains against compromises and cyberattacks.

CCP handover: The UK National Cyber Security Centre (NCSC) has announced its intention to hand over the management and administration of the Certified Cyber Professional (CCP) certification program to a third-party organization, the UK Cyber Security Council. A timeline will be announced next week at CYBERUK 2022.

South Korea and NATO: South Korea's intelligence agency said on Thursday that the country joined a cyber defense group under the North Atlantic Treaty Organization (NATO), becoming its first Asian member country. The National Intelligence Service (NIS) said that South Korea, along with Canada and Luxembourg, have been admitted into the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), a think-tank based in Tallinn, Estonia, that supports member nations and NATO with interdisciplinary cyber defense research, training, and exercises.

Cybercrime and threat intel

UNC2903: A threat actor tracked as UNC2903 has found a method to move laterally inside compromised AWS environments by abusing the Instance Metadata Service (IMDS), according to a Mandiant report published on Wednesday. IMDS is a link-local HTTP endpoint (169.254.169.254) that every EC2 instance can reach from inside its own network; it returns instance metadata and, when an IAM role is attached to the instance, temporary access keys for that role, which is exactly what makes it a target. The newer IMDSv2 API requires a session token obtained via a PUT request before metadata can be read, which defeats the simple GET-based SSRF and proxy tricks that work against IMDSv1. Mandiant noted, however, that Amazon still launches new EC2 instances with IMDSv1 allowed by default, exposing customers who run systems with default settings. The Mandiant report contains instructions on how to check AWS infrastructure for the IMDS API version in use and recommends enforcing IMDSv2.
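As an added example (not code from the Mandiant report or this newsletter), the script below audits the output of `aws ec2 describe-instances` for instances that still answer unauthenticated IMDSv1 requests and builds the `modify-instance-metadata-options` command that enforces IMDSv2. The `MetadataOptions` block and its `HttpTokens`, `HttpEndpoint` and `HttpPutResponseHopLimit` fields are real fields of that API response; the sample response, instance IDs and the region are constructed for the example. It goes a little beyond the text by also flagging a hop limit above 1, which lets containers on the host reach the metadata service.

```python
"""Audit EC2 instances for IMDSv1 exposure from `aws ec2 describe-instances` JSON.

Added example, not from the Mandiant report. Run it offline against the
constructed sample below, or pipe in real output:
    aws ec2 describe-instances --output json | python imds_audit.py
"""
import json
import sys

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# Only the fields the audit needs are included.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            # Default launch settings: IMDSv1 still answers plain GET requests.
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            # Hardened: IMDSv2 session token required for every metadata read.
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
            # IMDSv1 allowed and hop limit 2: containers on the host can reach IMDS too.
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
            # Metadata endpoint disabled outright: nothing to steal at 169.254.169.254.
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1, "HttpEndpoint": "disabled"}},
        ]
    }]
})


def audit_imds(describe_json: str) -> dict:
    """Return {instance_id: [issues]} for instances whose IMDS settings need attention.

    "imdsv1-allowed": HttpTokens is not "required", so a GET without a session
                      token (the classic SSRF/proxy abuse path) returns metadata
                      and any attached role's temporary credentials.
    "hop-limit>1":    responses may traverse more than one network hop, which
                      lets bridged containers on the instance reach IMDS.
    """
    findings = {}
    for reservation in json.loads(describe_json).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS switched off entirely; not reachable, not a finding
            issues = []
            # AWS treats a missing HttpTokens as "optional" (IMDSv1 permitted).
            if opts.get("HttpTokens", "optional") != "required":
                issues.append("imdsv1-allowed")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("hop-limit>1")
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_command(instance_id: str, region: str = "us-east-1") -> str:
    """Build the AWS CLI call that enforces IMDSv2 on one instance (region is an assumption)."""
    return ("aws ec2 modify-instance-metadata-options "
            f"--region {region} --instance-id {instance_id} "
            "--http-tokens required --http-endpoint enabled "
            "--http-put-response-hop-limit 1")


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_INSTANCES
    for iid, issues in sorted(audit_imds(raw).items()):
        print(f"{iid}: {', '.join(issues)}")
        print("  fix:", remediation_command(iid))
```

Before forcing `--http-tokens required` fleet-wide, check that nothing on the instance still reads metadata with a plain GET: from inside the instance, `curl -s http://169.254.169.254/latest/meta-data/` succeeding without a token is the simplest sign that IMDSv1 is still on, and the `MetadataNoToken` CloudWatch metric shows how many such calls are still being made. A hop limit of 2 is legitimate for hosts that run containers which need IMDS access, so treat that finding as a review item rather than an error.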

BEC is king: Business Email Compromise (BEC) scams are shaping up to be the most profitable form of cybercrime ever. In a report on Wednesday, the FBI's Internet Crime Complaint Center (IC3) said it received reports of more than $43 billion lost to BEC scams between June 2016 and December 2021, a number that many experts believe is only a subset of the actual losses, since many international victims don't report these types of incidents to the FBI.

Docker abuse: A CrowdStrike report published this week suggests that members of the Ukrainian IT Army have been hacking into Docker servers and abusing the systems to carry out DDoS attacks against Russian and Belarusian websites. CrowdStrike based its assessment on lists of domains that were attacked from the compromised systems and lists shared by the IT Army with its members.

Sharing is caring: The team at Fastly published a blog post with instructions and tips on how to find signs of suspicious network traffic in firewall logs, signs that may indicate that a network has been compromised and an attacker is already inside.

Hive ransomware leak: An unidentified individual leaked on Thursday credentials for an account on the Hive ransomware-as-a-service. The credentials were leaked on a new cybercrime forum named Breached, launched to replace the defunct RAID Forums. The individual appears to be a former HIVE affiliate who shared the credentials on the forum after not receiving payments for four attacks they conducted on behalf of the HIVE gang. The HIVE RaaS account was eventually suspended and stopped working a few hours after the leak, threat intel analysts reported.

Tool releases: Nettitude has released two tools this week. The first is MalSCCM, a tool that allows you to abuse local or remote SCCM servers to deploy malicious applications to hosts they manage. The second is SharpWSUS, a C# tool for lateral movement through WSUS.

Malware technical reports

NetDooka: Trend Micro has published a report on NetDooka, a malware strain distributed as a second-stage payload in PrivateLoader infections. The company said this new malware strain is a complex toolkit that supports a wide set of malicious components that can act as loaders, droppers, and RATs, and even includes a kernel driver that protects the RAT component, making it one of the most sophisticated threats discovered in recent months.

Malware in Windows event logs: Kaspersky has published a report about a new technique employed by some malware authors—namely, hiding malware inside Windows event logs.

Raspberry Robin: Red Canary has published a report on Raspberry Robin, a new malware strain that spreads using a worm-like behavior via infected USB devices.

Rebuttal: ESET has published a rebuttal of a Cluster25 report published on Monday that linked the IsaacWiper malware to the RansomEXX (Vatet) ransomware gang.

APTs and cyber-espionage

CuckooBees: Cybereason researchers published a report on Wednesday about a Chinese threat actor that has been active since 2019. The company said the group engaged in extensive espionage and intellectual property theft from technology and manufacturing companies located in North America, Europe, and Asia.

Mustang Panda: Cisco Talos has a more in-depth look at campaigns carried out by the (Chinese-linked) Mustang Panda APT across Europe, campaigns that followed in the aftermath of Russia's invasion of Ukraine.

Vulnerabilities and bug bounty

2014 bugs: CISA added five new actively-exploited vulnerabilities to its KEV database on Wednesday. All five bugs are old vulnerabilities disclosed in previous years, and three of them are from 2014, with one being the Heartbleed bug in OpenSSL. CISA has given federal agencies until May 25 to patch all systems for the five issues.

Android attacks: The Android project has also released security updates this week. They include a fix for CVE-2021-22600, a carry-over vulnerability from the Linux kernel that can be used for elevation of privilege attacks. The Android team said the bug was "under limited, targeted exploitation." The same vulnerability was also exploited in the wild against Linux systems, CISA said last month.

AVG and Avast bugs: Security firm SentinelOne said it identified vulnerabilities (CVE-2022-26522 and CVE-2022-26523) in the Avast Anti-Rootkit Driver, used inside AVG and Avast security products, that could be used to escalate an attacker's privileges and even disable locally installed security programs. This is the same driver that the AvosLocker ransomware gang installed on compromised networks on purpose to elevate privileges and disable security software, per a Trend Micro report published just days before.