In recent cybersecurity developments, the notorious threat group Turla, with alleged ties to the Russian Federal Security Service (FSB), has been identified deploying a fresh backdoor named TinyTurla-NG. This sophisticated malware was utilized in a concerted effort against Polish non-governmental organizations (NGOs) over a span of three months, starting from December 2023.
Described as a diminutive “last resort” entry point, TinyTurla-NG shares striking resemblances with its predecessor, TinyTurla, which has been employed in cyber intrusions targeting entities in the United States, Germany, and Afghanistan since at least 2020. The emergence of TinyTurla was first documented by cybersecurity experts in September 2021.
Turla, known by multiple monikers such as Iron Hunter, Pensive Ursa, and Venomous Bear, has a history of sophisticated cyber operations, often targeting sectors of strategic interest. Notably, the group has recently focused its efforts on the defense sector in Ukraine and Eastern Europe, leveraging innovative tools like the DeliveryCheck backdoor, which is based on the .NET framework. Additionally, Turla has upgraded its long-standing second-stage implant, Kazuar, enhancing its capabilities since its initial deployment in 2017.
The latest campaign featuring TinyTurla-NG commenced on December 18, 2023, and persisted until January 27, 2024, although evidence suggests the activity might have begun as early as November 2023 based on malware compilation dates.
The precise method used to deliver the backdoor into targeted environments remains unclear. However, investigations have revealed that compromised WordPress-based websites were used as command-and-control (C2) servers. Through these sites the operators execute commands via PowerShell or Command Prompt (cmd.exe) on the infected host, and download and upload files as directed.
Moreover, TinyTurla-NG serves as a conduit for delivering TurlaPower-NG PowerShell scripts. These scripts are specifically engineered to exfiltrate key material used to safeguard the password databases of widely used password management software, packaged in ZIP archives.
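The two paragraphs above describe a behaviour chain a defender can look for: a shell interpreter (PowerShell or cmd.exe) talking to a WordPress-hosted C2, pulling and pushing files, and archives being written for exfiltration. The following detection sketch is an added example and is not code from Cisco Talos or from the article; the telemetry records and their field names are a constructed, simplified schema, not a real EDR format, and the WordPress path fragments are used only as a weak indicator that the destination is a WordPress site.

```python
"""Heuristic correlation of the TinyTurla-NG behaviour chain over endpoint telemetry.

Constructed example: EVENTS below is invented sample data with an assumed,
simplified schema (host, event, process, url, path, action, bytes_out).
"""
import re
from collections import defaultdict

# Shell interpreters the campaign is reported to drive on the infected host.
SHELLS = {"powershell.exe", "cmd.exe"}

# Real WordPress directory names; their presence in a URL is a weak hint that
# the remote host is a WordPress site (assumption: C2 is reached over HTTP paths).
WP_PATH = re.compile(r"/wp-(content|includes|admin)/", re.IGNORECASE)

# Threshold above which an outbound request from a shell is treated as an upload
# (assumption chosen for the example, not a value from the report).
UPLOAD_BYTES = 100_000

# Constructed telemetry: ws01 shows the full chain, ws02 and ws03 are benign.
EVENTS = [
    {"host": "ws01", "event": "net", "process": "powershell.exe",
     "url": "http://c2.example.invalid/wp-content/uploads/x.php"},
    {"host": "ws01", "event": "file", "process": "powershell.exe",
     "path": r"C:\Users\u\AppData\Local\Temp\out.zip", "action": "create"},
    {"host": "ws01", "event": "net", "process": "powershell.exe",
     "url": "http://c2.example.invalid/wp-content/uploads/x.php",
     "bytes_out": 250_000},
    {"host": "ws02", "event": "net", "process": "chrome.exe",
     "url": "https://blog.example.invalid/wp-content/themes/a.css"},
    {"host": "ws03", "event": "file", "process": "explorer.exe",
     "path": r"C:\Users\u\Documents\photos.zip", "action": "create"},
]


def analyse(events):
    """Count, per host, the shell-driven indicators described in the report:
    shell -> WordPress path (shell_to_wp), shell writing a ZIP (shell_zip),
    shell sending a large request to a WordPress path (shell_upload).
    Only hosts where a shell interpreter produced an event appear in the result."""
    per_host = defaultdict(lambda: {"shell_to_wp": 0, "shell_zip": 0, "shell_upload": 0})
    for e in events:
        if e["process"].lower() not in SHELLS:
            continue
        counts = per_host[e["host"]]
        if e["event"] == "net" and WP_PATH.search(e.get("url", "")):
            counts["shell_to_wp"] += 1
            if e.get("bytes_out", 0) > UPLOAD_BYTES:
                counts["shell_upload"] += 1
        elif (e["event"] == "file" and e.get("action") == "create"
              and e.get("path", "").lower().endswith(".zip")):
            counts["shell_zip"] += 1
    return dict(per_host)


def flagged_hosts(events):
    """Hosts where a shell both reached a WordPress path and wrote a ZIP archive.
    Requiring two independent indicators keeps a lone browser visit to a
    WordPress blog, or a user zipping photos, from raising an alert."""
    return sorted(h for h, c in analyse(events).items()
                  if c["shell_to_wp"] and c["shell_zip"])


if __name__ == "__main__":
    for host, counts in analyse(EVENTS).items():
        print(host, counts)
    print("flagged:", flagged_hosts(EVENTS))
```

The point of the two-indicator rule is precision: a WordPress URL alone is everywhere on the web, and ZIP creation alone is routine, but a shell interpreter doing both on the same host is the shape the report describes. In a real deployment the indicators would be scoped to a time window and enriched with the parent process of the shell.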
A researcher from Cisco Talos, shedding light on the campaign, emphasized its highly targeted nature, primarily focusing on a limited number of organizations, predominantly based in Poland. The researcher noted the compartmentalized nature of the campaign, with only a handful of compromised websites acting as C2s and communicating with specific malware samples. This segmentation complicates efforts to trace connections between different samples and C2 infrastructure, thus hindering comprehensive attribution.
In parallel to these developments, Microsoft and OpenAI have published findings suggesting that Russian state actors are exploring generative artificial intelligence (AI) tools, including large language models (LLMs) such as ChatGPT. These actors are reported to be using AI tools to research satellite communication protocols and radar imaging technologies and to assist with scripting tasks, underscoring the evolving threat landscape and the adoption of new techniques by threat actors.
As cybersecurity threats continue to evolve, the collaboration between industry stakeholders, government agencies, and cybersecurity researchers becomes increasingly crucial in countering malicious activities and safeguarding critical infrastructure and sensitive data from adversarial entities.