Staying ahead of security measures and exploiting new vulnerabilities requires hackers to change their tactics.
By doing so, they manage to bypass better defenses, maximize success rates, and keep on with their illegal activities.
The adaptation of techniques by hackers enables them to continue compromising systems by targeting emerging technologies and adjusting to changes in the digital landscape, which ensures the persistence of their relevance and effectiveness.
Cybersecurity researchers at Cisco Talos recently discovered that TinyTurla evolved their TTPs to stealthily attack enterprise organizations.
Cisco Talo in coordination with CERT.NGO has uncovered new details on the entire kill chain used by the Russian espionage group Turla in an ongoing campaign deploying their TinyTurla-NG (TTNG) implant.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :
AcuRisQ, that helps you to quantify risk accurately:
The analysis reveals Turla compromised multiple systems within a European NGO’s network, establishing persistence, disabling anti-virus protections, and using Chisel for data exfiltration and lateral movement to other accessible hosts after the initial breach.
The updated findings provide insights into the tactics, techniques, and procedures employed by this threat actor to steal sensitive information and propagate through infected enterprises.
Turla, a threat group, employs advanced tactics. It configures anti-virus exclusions before deploying the TinyTurla-NG backdoor.
Post-deployment establishes persistence via malicious service. Turla adds exclusions in anti-virus software like Microsoft Defender at locations hosting implants.
It uses batch files creating “sdm” service masquerading as “System Device Manager” for TinyTurla-NG persistence, mirroring 2021 TinyTurla technique. The dual batch file usage seems unnecessarily convoluted for evasion.
Chisel uses asymmetric encryption in an attacker-controlled system to set up a reverse proxy tunnel.
Attackers leverage this initial chisel connection to pivot laterally via WinRM remote sessions, likely facilitated by proxy chains and evil-winrm.
On newly compromised systems, they repeat the cycle – configuring Microsoft Defender exclusions, dropping malware components, and establishing persistence. This adheres to Turla’s methodical cyber kill chain playbook.
Traffic analysis showed Chisel beaconed its C2 server hourly. Though systems were compromised in October 2023 and Chisel deployed by December 2023, Turla operators primarily exfiltrated data over the Chisel C2 channel much later on January 12, 2024.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
A sophisticated cyber campaign orchestrated by the Chinese Advanced Persistent Threat (APT) group, Silver Fox,…
A new wave of cyberattacks attributed to the Ghostwriter Advanced Persistent Threat (APT) group has…
The LCRYX ransomware, a malicious VBScript-based threat, has re-emerged in February 2025 after its initial…
Recent cybersecurity investigations have uncovered a sophisticated technique employed by threat actors to evade detection…
A financial management app named Finance Simplified has been revealed as a malicious tool for…
A recent discovery by cybersecurity researchers has revealed that the Poseidon malware, a macOS-targeting trojan,…