Numerous systems of a European non-governmental organization have been breached by the Russian state-sponsored threat group Turla using the TinyTurla-NG backdoor, in an attack that commenced in October, The Hacker News reports.
After the initial compromise in October, Turla deployed custom Chisel tunneling software to spread to other systems in December and began exfiltrating data a month later, according to a report from Cisco Talos. Further analysis of the campaign, which mostly targeted Poland-based entities, showed that after gaining initial access Turla first configured Microsoft Defender antivirus exclusions and then deployed TinyTurla-NG, which was used for reconnaissance. "Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence," said researchers.
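The repeated step Talos describes, adding Microsoft Defender exclusions on every newly reached host, leaves a trail that defenders can check. The following PowerShell script is an added example for this article, not code from The Hacker News, Cisco Talos or the Turla tooling: it lists the exclusions Defender currently honours, flags any that are not on a site-specific allowlist (the `$KnownGood` list is an assumption you would replace with your own change records), and pulls the Defender operational-log events that record when the configuration changed. Run it in an elevated PowerShell session on the host under review; reading exclusions requires administrator rights.

```powershell
# Added example, not from the article or the Talos report: hunt for Microsoft
# Defender exclusions an intruder may have created on this host.
# Run elevated. $KnownGood is an assumed, site-specific allowlist of exclusions
# that your own change records justify; everything else is reported.
$KnownGood = @('C:\ProgramData\Backup\')   # assumption: replace with your approved exclusions

# 1. Exclusions as Defender itself reports them (paths, extensions and processes)
$pref = Get-MpPreference
$current = @()
$current += @($pref.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Type = 'Path';      Value = $_ } })
$current += @($pref.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Type = 'Extension'; Value = $_ } })
$current += @($pref.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Type = 'Process';   Value = $_ } })

$unexpected = $current | Where-Object { $KnownGood -notcontains $_.Value }
if ($unexpected) {
    Write-Host "Defender exclusions not on the allowlist:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "No unexpected Defender exclusions configured."
}

# 2. When were exclusions changed? Event ID 5007 in the Defender operational log
#    records configuration changes; entries that mention 'Exclusions' show the
#    old and new registry values, which dates the attacker's activity on this box.
$changes = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message

if ($changes) {
    Write-Host "Defender exclusion changes recorded in the event log:"
    $changes | Format-List
} else {
    Write-Host "No exclusion-related configuration changes found in the event log."
}
```

Correlating the timestamps of the 5007 events across several hosts with when each was first reached is what turns this from a single-host check into the lateral-movement timeline the report describes: an exclusion added shortly before a new binary appears in the excluded path is the pattern to look for.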