Novel backdoor leveraged in Turla attacks

Russian state-backed threat group Turla, also tracked as Secret Blizzard, Pensive Ursa, Iron Hunter, and Venomous Bear, has deployed a previously undocumented backdoor, TinyTurla-NG, against several non-governmental organizations in Poland between December and late January, according to The Hacker News. A Cisco Talos report found that TinyTurla-NG uses compromised WordPress sites as command-and-control servers, retrieving commands from them and executing those commands through Command Prompt or PowerShell. The backdoor is also used to deliver a set of PowerShell scripts, dubbed TurlaPower-NG, which exfiltrate the key material protecting the password databases of a password management application in order to steal the credentials stored in them, the researchers noted. The initial access vector used by Turla in this campaign has not been identified. "This campaign is highly compartmentalized, a few compromised websites acting as C2s contact a few samples, meaning that it's not easy to pivot from one sample/C2 to others using the same infrastructure that would give us confidence they are related," said researchers.
