TinyTurla-NG has taken root in Polish organizations: no one can drive hackers away

Teacher

Professional
Polish NGOs have come under attack from the extortionists.

At the end of 2023, Cisco Talos specialists identified a campaign by the UNC4210 group aimed at Polish non-governmental organizations. During the attacks, a new ransomware program, TinyTurla-NG, was used.

A special feature of TinyTurla-NG is its ability to act as a backup backdoor, which is activated when other intrusion methods are detected or blocked. The recorded campaign lasted from December 18, 2023 to January 27, 2024, although there are indications that the attacks could have started in November 2023.

The virus is spread through compromised WordPress sites that are used as command-and-control (C2) servers. TinyTurla-NG can execute commands from a C2 server, upload and download files, and deliver scripts to steal passwords from password-manager databases.

TinyTurla-NG also acts as a delivery channel for PowerShell scripts, dubbed TurlaPower-NG, which are designed to extract the information used to protect the password databases of a popular password manager.

Experts emphasize that the campaign is focused on a small number of organizations, mainly in Poland, which underlines the attackers' foresight in complicating the analysis of their malicious activity.