al3x@wannaCYbeR(security)~$ echo "Issue \x09"

Greetings, fellow cyber people, and welcome to the ninth issue of wannaCYbeR, a weekly newsletter dedicated to those who are just starting in cybersecurity. It’s been a week packed with news so far, from phishing attacks to emergency updates, so let’s dive in!

The Patch Roundup

  • In case you missed it, last week a new vulnerability was discovered in the Spring Core Java framework, dubbed ‘Spring4Shell,’ which can allow remote code execution. Even though this vulnerability doesn’t seem to be as impactful as ‘Log4Shell,’ it’s still an obvious concern, and VMware has released patches for its affected products.
  • Apple has recently released updates to patch zero-day vulnerabilities affecting both iOS and macOS: update your devices.
  • Last week, Google released an emergency update for Chrome, as a new type confusion vulnerability in the V8 JavaScript engine was being exploited in the wild. In a nutshell, type confusion comes down to this: if an object is accessed as a type that is incompatible with the one it was created with, the code uses the wrong layout and can read and write memory outside the object’s bounds, causing a crash and, possibly, remote code execution. Moral of the story: this is bad, update Chrome.

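To make the type confusion mechanism concrete, here is an added illustration in C. It is not code from the newsletter, from Chrome, or from the V8 advisory it summarizes; it models a tiny constructed "heap" in which every object starts with a type tag and objects sit back to back, the way an engine-managed heap lays them out. An accessor that assumes the object is the larger type without checking the tag reads past the small object and into its neighbour (the over-read half of the bug; the over-write half follows the same logic with a store instead of a load). The hardened accessor checks the tag and the declared length first. All object layouts, offsets and the "SECRET_TOKEN" payload are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed object model: byte 0 = type tag, byte 1 = declared length,
 * bytes 2.. = data. A "short" object has room for 2 data bytes, a "long"
 * object for 14. Objects are packed back to back in one arena. */
enum obj_type { T_SHORT = 1, T_LONG = 2 };
#define SHORT_DATA 2
#define LONG_DATA 14

static uint8_t arena[32];

/* Arena layout (constructed): a short object at offset 0 holding "hi",
 * immediately followed at offset 4 by a long object holding a sample
 * "secret" (think of a pointer or key that should stay private). */
void arena_init(void) {
    memset(arena, 0, sizeof arena);
    arena[0] = T_SHORT; arena[1] = SHORT_DATA;
    arena[2] = 'h';     arena[3] = 'i';
    arena[4] = T_LONG;  arena[5] = 12;
    memcpy(&arena[6], "SECRET_TOKEN", 12);
}

/* Vulnerable accessor: the caller "knows" it holds a long object and copies
 * the long layout's whole data area without consulting the tag. Applied to
 * the short object this walks straight into the neighbour's bytes. The only
 * bound enforced is the arena itself, mirroring an engine heap that is valid
 * process memory even though the object ends much earlier. */
size_t read_as_long_unchecked(size_t off, uint8_t *out, size_t cap) {
    if (off + 2 + LONG_DATA > sizeof arena) return 0;
    size_t n = LONG_DATA < cap ? LONG_DATA : cap;
    memcpy(out, &arena[off + 2], n);
    return n;
}

/* Hardened accessor: refuse unless the tag really says "long", and never
 * copy more than the object's own declared length or capacity. */
int read_as_long_checked(size_t off, uint8_t *out, size_t cap, size_t *n_out) {
    if (off + 2 + LONG_DATA > sizeof arena) return -1;
    if (arena[off] != T_LONG) return -1;            /* type mismatch */
    size_t n = arena[off + 1];
    if (n > LONG_DATA || n > cap) return -1;        /* length exceeds capacity */
    memcpy(out, &arena[off + 2], n);
    *n_out = n;
    return 0;
}

/* 1 if reading the short object as a long one leaked the neighbour's secret. */
int demo_unchecked_leaks(void) {
    uint8_t buf[LONG_DATA];
    arena_init();
    size_t n = read_as_long_unchecked(0, buf, sizeof buf);
    /* buf = 'h','i', tag, len, then the first 10 bytes of the secret */
    return n == LONG_DATA && memcmp(&buf[4], "SECRET_TOK", 10) == 0;
}

/* Return code of the checked accessor on the short object: -1 (refused). */
int demo_checked_refuses(void) {
    uint8_t buf[LONG_DATA]; size_t n = 0;
    arena_init();
    return read_as_long_checked(0, buf, sizeof buf, &n);
}

/* Bytes the checked accessor returns for the genuine long object: 12. */
int demo_checked_ok_on_real_long(void) {
    uint8_t buf[LONG_DATA]; size_t n = 0;
    arena_init();
    if (read_as_long_checked(4, buf, sizeof buf, &n) != 0) return -1;
    return (int)n;
}

int main(void) {
    printf("unchecked read leaked neighbour: %s\n", demo_unchecked_leaks() ? "yes" : "no");
    printf("checked read on short object:    %d\n", demo_checked_refuses());
    printf("checked read on long object:     %d bytes\n", demo_checked_ok_on_real_long());
    return 0;
}
```

The point of the two accessors side by side is that the bug is not in the memory copy itself but in the assumption about the object's type; the fix is to validate that assumption (tag and length) before trusting the layout, which is exactly the kind of check a JIT optimization can wrongly elide.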
Armageddon Phishing Attacks

Phishing attacks going on around the Russian invasion of Ukraine are anything but over. After attempts from government-backed threat actors from China, Russia, and Belarus, the Ukrainian Computer Emergency Response Team discovered new phishing attempts made by the Russian group called Armageddon (“Gamaredon”), which is targeting both Ukrainian organizations and European government agencies with malware aimed at collecting intelligence. The group has been active since 2013 in targeting Ukrainian government officials.

Most of the techniques used by Gamaredon are aimed at cyber-espionage and file exfiltration and are accomplished by using Pteranodon, a custom backdoor that, according to researchers with Unit42 at Palo Alto Networks, is a fully-featured malware with capabilities that include:

  • A mechanism for downloading and executing additional payloads of their choice
  • The ability to scan system drives for specific file types
  • The ability to capture screenshots
  • The ability to remotely execute commands on the system in the user’s security context

Learn more on MITRE ATT&CK’s pages for Gamaredon and Pteranodon.

The Evolution of FIN7

In other threat intelligence news, Mandiant researchers let us know that the APT group called FIN7 has been updating its arsenal with new ransomware tools. FIN7 is a threat actor that has been active since 2013 and has been targeting mostly “the U.S. retail, restaurant, and hospitality sectors.” The group recently shifted its tactics to using ransomware such as REvil and also owns a “ransomware as a service” (RaaS) called Darkside.

According to Mandiant researchers, FIN7 has started using a new backdoor called Powerplant, as well as “new versions of the BIRDWATCH downloader being developed, which are tracked as CROWVIEW and FOWLGAZE.” On top of that, the group’s first access techniques have expanded to include “software supply chain compromise and the use of stolen credentials, in addition to their traditional phishing techniques.”

Read more about FIN7 on Mandiant’s website.

Hydra Down

The German authorities have taken down Hydra, allegedly one of the biggest online darknet markets. The authorities report that the Russian-speaking .onion website had “17 million customer accounts (many individual buyers may have had several accounts, of course) and more than 19,000 seller accounts at the time they shuttered it.”

According to Naked Security by Sophos, “they started following up on a tip in the middle of 2021 that suggested the servers were actually hosted in Germany.” This allowed the authorities to proceed and shut down the marketplace.

More on Naked Security by Sophos.

LAPSUS$: “Advanced Persistent Teenagers”

After the Okta, Microsoft, Nvidia, and Samsung breaches, investigative cybersecurity reporter Brian Krebs takes an in-depth look at the “old-fashioned” techniques used by LAPSUS$ and traces the group's story back to a Twitter hack that happened in 2020:

“The group of teenagers who hacked Twitter hailed from a community that traded in hacked social media accounts. This community places a special premium on accounts with short “OG” usernames, and some of its most successful and notorious members were known to use all of the methods Microsoft attributed to LAPSUS$ in the service of hijacking prized OG accounts.”

Read more on KrebsOnSecurity.

Meme of the Week: Mimikatz vs Windows Defender


Special of the Week #1: DFIR Diva Training Collection

In my hunt for content and training material, I stumbled upon the excellent DFIR Diva, an initiative founded by Elan Wright, Incident Response Analyst and Cybersecurity Expert.


DFIR Diva features a broad collection of free and affordable training, events, webinars, CTFs, and other information in the Digital Forensics and Incident Response spaces. Topics range from forensics to programming, to malware analysis, to OSINT. If you’re particularly interested in Incident Response, there is also a free Incident Response Training Plan that you can follow, starting from beginner-level classes.

Last, but not least, you can find a “Get Your Start in DFIR Scholarship Fund” that provides financial aid to people who want to get started in the field.

Check out the awesomeness of DFIR Diva.

Special of the Week #2: OSINT course by TCM Security

If you're interested in Open Source Intelligence, you can't miss this: The Cyber Mentor, aka Heath Adams from TCM Security, posted on YouTube the first half of TCM Security's OSINT course. It's packed with useful tools and information, including tips on geolocation, email harvesting, reverse image search, and even advice on how to create a sock puppet.

Watch it here or on The Cyber Mentor's YouTube channel.

That's all for this week. If you enjoyed the newsletter, please feel free to share it with your connections. Do you know of a great piece of content I should include? Don’t be shy, reach out!

P.S. In case you were wondering, I don't receive any compensation or sponsorship for the content I share. I do it just because I love to nerd out with other people on topics of common interest.
