Novel backdoor leveraged in Turla attacks
Russian state-backed threat group Turla, also tracked as Secret Blizzard, Pensive Ursa, Iron Hunter, and Venomous Bear, deployed the novel TinyTurla-NG backdoor against several non-governmental organizations in Poland between December and late January, The Hacker News reports.
TinyTurla-NG uses compromised WordPress sites as command-and-control (C2) servers, retrieving commands from them and executing them through Command Prompt or PowerShell, according to a report from Cisco Talos. The backdoor also delivers PowerShell scripts that Talos tracks as TurlaPower-NG, which exfiltrate the security keys of a password management application's password databases to support follow-on credential theft. The initial access vector used by Turla remains unknown, the researchers noted.
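The behaviour described above, a process that pulls instructions from a web host and then hands them to cmd.exe or PowerShell, is something an endpoint team can hunt for without any sample-specific indicators. The following is an added example written for this page; it is not code from the article or from the Talos report. The event stream is constructed, Sysmon-style telemetry (the process names, paths and hosts are invented for illustration and are not IOCs), and the correlation window and rule shape are assumptions rather than anything the report specifies.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Shell interpreters whose creation we want to tie back to a recent network fetch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed, Sysmon-style telemetry for illustration only (not real IOCs):
#   type "net"  ~ Sysmon Event ID 3 (network connection by a process)
#   type "proc" ~ Sysmon Event ID 1 (process creation, with parent pid)
EVENTS = [
    # Hypothetical implant fetches from a web host, then runs PowerShell 4 s later.
    {"ts": 1000, "type": "net", "pid": 5120, "image": r"C:\Users\alice\AppData\Local\Temp\sysupd.exe",
     "dest": "blog.example.org", "port": 443},
    {"ts": 1004, "type": "proc", "pid": 5132, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-ChildItem"},
    # Benign: mail client talks to the network but never spawns a shell.
    {"ts": 1100, "type": "net", "pid": 2200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest": "outlook.office365.com", "port": 443},
    # Benign: user opens a shell from Explorer with no prior network activity.
    {"ts": 1200, "type": "proc", "pid": 3000, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig"},
    # Benign: Explorer browses, and a shell follows more than an hour later.
    {"ts": 1300, "type": "net", "pid": 1500, "image": r"C:\Windows\explorer.exe",
     "dest": "www.example.com", "port": 443},
    {"ts": 4901, "type": "proc", "pid": 3100, "ppid": 1500, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    # The implant polls again and runs cmd.exe 30 s later.
    {"ts": 2000, "type": "net", "pid": 5120, "image": r"C:\Users\alice\AppData\Local\Temp\sysupd.exe",
     "dest": "blog.example.org", "port": 443},
    {"ts": 2030, "type": "proc", "pid": 5140, "ppid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    parent_image: str
    dest: str          # host the parent reached just before spawning the shell
    child_image: str
    cmdline: str
    delta_s: int       # seconds between the connection and the shell spawn


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events: Iterable[dict], window_s: int = 60) -> List[Finding]:
    """Flag cmd.exe/PowerShell spawned within window_s seconds of an outbound
    connection made by the same parent process (fetch-then-execute pattern).
    The 60 s default window is an assumption chosen for this example."""
    net_by_pid: Dict[int, List[dict]] = defaultdict(list)
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net":
            net_by_pid[ev["pid"]].append(ev)
        elif ev["type"] == "proc" and basename(ev["image"]) in SHELLS:
            # Walk the parent's connections newest-first so the closest one wins.
            for net in reversed(net_by_pid.get(ev["ppid"], [])):
                delta = ev["ts"] - net["ts"]
                if 0 <= delta <= window_s:
                    findings.append(Finding(ev["ppid"], net["image"], net["dest"],
                                            basename(ev["image"]), ev.get("cmdline", ""), delta))
                    break
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"pid {f.parent_pid} ({basename(f.parent_image)}) reached {f.dest}, "
              f"then spawned {f.child_image} after {f.delta_s}s: {f.cmdline}")
```

Run against the constructed events, only the two implant sequences are reported; the mail client, the user-launched shell and the hour-old browsing session are not. In production the same logic sits on top of Sysmon Event ID 3 and Event ID 1 (or the EDR equivalents), and the main tuning work is allow-listing legitimate fetch-then-execute parents such as software updaters and management agents, since the rule deliberately keys on behaviour rather than on the C2 hosts, which in this campaign are ordinary compromised websites.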
"This campaign is highly compartmentalized: a few compromised websites acting as C2s contact a few samples, meaning that it's not easy to pivot from one sample/C2 to others using the same infrastructure that would give us confidence they are related," the researchers said.