Privacy Ninja

Russian State Hackers Use New TinyTurla Malware As Secondary Backdoor

Russian state-sponsored hackers known as the Turla APT group have been using new malware over the past year that acted as a secondary persistence method on compromised systems in the U.S., Germany, and Afghanistan.

Named TinyTurla due to its limited functionality and uncomplicated coding style, the backdoor could also be used as a stealthy second-stage malware dropper.

Simple and efficient

Security researchers at Cisco Talos say that TinyTurla is a “previously undiscovered” backdoor from the Turla APT group that has been used since at least 2020, slipping past malware detection systems particularly because of its simplicity.

“This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban’s recent takeover of the government there and the pullout of Western-backed military forces” – Cisco Talos

Forensic evidence indicates that Turla APT (advanced persistent threat) actors have been targeting the previous Afghan government with the newly discovered backdoor.

However, Cisco Talos’ telemetry data, through which the researchers discovered the new malware, shows that TinyTurla has also been deployed on systems in the U.S. and Germany.


Linking the TinyTurla backdoor to the Russian state hackers was possible because the threat actor used the same infrastructure seen in other attacks attributed to the Turla APT group.

“One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla infrastructure” – Cisco Talos

In research published today, the researchers say that the hackers used the malware “as a second-chance backdoor to maintain access to the system” if the primary access tool got removed.

Compared to a full-fledged backdoor, TinyTurla’s functionality is limited to essential tasks that include downloading, uploading, and executing files.

Looking at the codes received from the command and control (C2) server, the researchers collected the following commands:

  • 0x00: ‘Authentication’
  • 0x01: ‘Execute process’
  • 0x02: ‘Execute with output collection’
  • 0x03: ‘Download file’
  • 0x04: ‘Upload file’
  • 0x05: ‘Create Subprocess’
  • 0x06: ‘Close Subprocess’
  • 0x07: ‘Subprocess pipe in/out’
  • 0x08: ‘Set TimeLong’
  • 0x09: ‘Set TimeShort’
  • 0x0A: ‘Set new Security password’
  • 0x0B: ‘Set Host(s)’

Since the malware was found through telemetry collection, it remains unknown how it landed on victim systems. Cisco Talos provides some technical details, though, in a blog post today.

The threat actor used a .BAT file to install the backdoor. The backdoor itself is a DLL named w64time.dll, a name chosen to impersonate w32time.dll, the DLL behind the legitimate Windows Time service.

TinyTurla disguised as Windows Time Service
source: Cisco Talos

Camouflaging as a service is what let TinyTurla evade detection: with so many legitimate services running in the background, it is hard for administrators to spot a malicious one hiding among them.
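One way to make that check mechanical is to compare an export of the installed services against a known-good table and flag near-miss names and DLLs, which is exactly the gap w64time.dll slips through. The script below is an added example written for this page, not Cisco Talos code; its allow-list is a small hypothetical subset that a real deployment would build from a clean reference host, and the service records are constructed to resemble an export of HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Triage exported Windows service entries for impersonation of legitimate
services, the trick TinyTurla used with a w64time.dll posing as w32time.dll.

Added example, not Cisco Talos code. KNOWN_SERVICE_DLLS is a small
hypothetical allow-list (real deployments would build it from a clean
reference host); SAMPLE_SERVICES is constructed data shaped like an export of
HKLM\\SYSTEM\\CurrentControlSet\\Services (name, ImagePath, ServiceDll).
"""
import ntpath
from dataclasses import dataclass

# Hypothetical allow-list: lower-cased service name -> expected ServiceDll file name.
KNOWN_SERVICE_DLLS = {
    "w32time": "w32time.dll",
    "dnscache": "dnsrslvr.dll",
    "lanmanserver": "srvsvc.dll",
    "wuauserv": "wuaueng.dll",
}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


@dataclass
class ServiceRecord:
    name: str
    image_path: str
    service_dll: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; two edits separate 'w64time' from 'w32time'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known(candidate: str, known, max_distance: int = 2):
    """Nearest known name within max_distance edits, excluding exact matches."""
    best = None
    for k in known:
        d = levenshtein(candidate, k)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best


def assess(record: ServiceRecord) -> list:
    """Return human-readable findings for one service; an empty list means clean."""
    findings = []
    name = record.name.lower()
    dll_path = record.service_dll.lower()
    dll = ntpath.basename(dll_path)

    # 1. A service DLL loaded from outside System32 is suspicious on its own.
    if not dll_path.startswith(SYSTEM32_PREFIX):
        findings.append(f"ServiceDll outside System32: {record.service_dll}")

    expected = KNOWN_SERVICE_DLLS.get(name)
    if expected is not None:
        # 2. Known service name but a different DLL: hijacked or replaced.
        if dll != expected:
            findings.append(f"expected {expected} for {record.name}, got {dll}")
    else:
        # 3. Unknown service whose name or DLL is a near-miss of a known one.
        hit = closest_known(name, KNOWN_SERVICE_DLLS)
        if hit:
            findings.append(f"name {record.name!r} is {hit[1]} edit(s) from known service {hit[0]!r}")
        hit = closest_known(dll, KNOWN_SERVICE_DLLS.values())
        if hit:
            findings.append(f"ServiceDll {dll!r} is {hit[1]} edit(s) from known DLL {hit[0]!r}")
    return findings


def triage(records) -> dict:
    """Map service name -> findings, for services with at least one finding."""
    out = {}
    for r in records:
        f = assess(r)
        if f:
            out[r.name] = f
    return out


# Constructed sample export; the W64Time entry mirrors the naming trick on the page.
SVCHOST = r"C:\Windows\system32\svchost.exe -k LocalService"
SAMPLE_SERVICES = [
    ServiceRecord("W32Time", SVCHOST, r"C:\Windows\system32\w32time.dll"),
    ServiceRecord("Dnscache", SVCHOST, r"C:\Windows\system32\dnsrslvr.dll"),
    ServiceRecord("W64Time", SVCHOST, r"C:\Windows\system32\w64time.dll"),
    ServiceRecord("UpdaterSvc", r"C:\Users\Public\upd.exe", r"C:\Users\Public\upd.dll"),
]

if __name__ == "__main__":
    for svc, findings in triage(SAMPLE_SERVICES).items():
        print(svc)
        for f in findings:
            print("  -", f)
```

Run against the constructed export, W32Time and Dnscache come back clean, W64Time is flagged twice (lookalike service name and lookalike DLL name), and UpdaterSvc is flagged for loading its DLL from a user-writable path. The edit-distance threshold of 2 is a starting point; on a real host the known-good table should be large enough that a legitimate service never sits within two edits of another.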

The analysis of the malware showed that it is contacting the C2 server every five seconds, which creates an anomaly in the network traffic that administrators should investigate.

Despite this tell, Turla was able to use the backdoor for almost two years, the researchers say.
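A five-second check-in shows up in connection logs as a source/destination pair whose inter-connection gaps are almost constant, and that regularity is something a script can look for. The example below is added here and is not Cisco Talos code; the log format (one line per connection, “timestamp src dst:port”) and the log lines themselves are constructed, and the thresholds are assumptions to tune for a given network.

```python
"""Spot fixed-interval beaconing in connection logs, the five-second C2
check-in that the Talos analysis calls a tell administrators should notice.

Added example, not Cisco Talos code. The log format ("<ISO timestamp> <src>
<dst>:<port>", one connection per line) and the sample lines are constructed;
thresholds are assumptions to tune per network.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in with 203.0.113.10 every 5 s, 10.0.0.7
# browses irregularly, 10.0.0.9 is regular but has too few connections to judge.
SAMPLE_LOG = """\
2021-09-21T10:00:00 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:01 10.0.0.7 198.51.100.20:443
2021-09-21T10:00:03 10.0.0.9 192.0.2.5:80
2021-09-21T10:00:05 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:08 10.0.0.9 192.0.2.5:80
2021-09-21T10:00:10 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:12 10.0.0.7 198.51.100.20:443
2021-09-21T10:00:13 10.0.0.9 192.0.2.5:80
2021-09-21T10:00:15 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:20 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:25 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:30 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:35 10.0.0.5 203.0.113.10:443
2021-09-21T10:00:41 10.0.0.7 198.51.100.20:443
2021-09-21T10:00:47 10.0.0.7 198.51.100.20:443
2021-09-21T10:01:30 10.0.0.7 198.51.100.20:443
2021-09-21T10:02:00 10.0.0.7 198.51.100.20:443
2021-09-21T10:02:02 10.0.0.7 198.51.100.20:443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Mean gap in seconds and its coefficient of variation (jitter).
    Returns None for fewer than four timestamps: too few gaps to call periodic."""
    if len(times) < 4:
        return None
    times = sorted(times)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_connections: int = 5, max_jitter: float = 0.2) -> list:
    """Return (src, dst) pairs whose inter-connection gaps are nearly constant."""
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        avg, jitter = score
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "connections": len(times),
                         "interval_s": round(avg, 2), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['interval_s']} s (jitter {hit['jitter']})")
```

On the constructed log only the 10.0.0.5 to 203.0.113.10 pair is reported (eight connections, 5 s apart, zero jitter); the irregular browsing from 10.0.0.7 scores far above the jitter limit, and the three-connection flow from 10.0.0.9 is skipped because a handful of evenly spaced connections is not enough evidence. Implants that randomise their sleep need a looser max_jitter and a longer observation window, so treat both values as knobs rather than constants.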

Turla history goes way back

TinyTurla’s simplicity contrasts with Turla’s typical tactics, which include covert exfiltration over hijacked satellite connections, watering hole attacks, rootkits, and stealthy channel backdoors.

The APT group is referred to by various names (e.g. Waterbug, Venomous Bear, Iron Hunter, Krypton, Snake, Uroburos) in the infosec industry.

It has been targeting victims across a wide range of industries for espionage and data theft since at least 2014.

The group’s history may reach back as far as 1996, through links to the Moonlight Maze cyberespionage operation, a massive data breach that targeted classified information on systems at NASA, the Pentagon, military contractors, and multiple U.S. government agencies.


According to investigators, had the stolen documents been printed, the stack would have been three times taller than the Washington Monument.

Almost 20 years later, researchers from Kaspersky Lab and King’s College London found a link between Turla and malware used in the Moonlight Maze attack.
