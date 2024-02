Russian state-backed threat operation Turla, also known as Secret Blizzard, Pensive Ursa, Iron Hunter, and Venomous Bear, has deployed the novel TinyTurla-NG backdoor in attacks against several non-governmental organizations across Poland between December and late January, according to The Hacker News. Aside from leveraging hacked WordPress sites to facilitate command retrieval and execution through Command Prompt or PowerShell, TinyTurla-NG also enables the distribution of TurlaPower-NG PowerShell scripts, a report from Cisco Talos revealed. TinyTurla-NG uses such scripts to exfiltrate the security keys for the password databases of a password management application and proceed with credential theft activities, noted researchers, who added that the attack vector used by Turla remains a mystery. "This campaign is highly compartmentalized, a few compromised websites acting as C2s contact a few samples, meaning that it's not easy to pivot from one sample/C2 to others using the same infrastructure that would give us confidence they are related," said researchers.