Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage | Microsoft Security Blog

Microsoft has observed Secret Blizzard compromising the infrastructure and backdoors of the Pakistan-based threat actor we track as Storm-0156 for espionage against the Afghanistan government and Indian Army targets.

Microsoft Security Blog

Happy Friday everyone!

I really appreciate this post by Cisco Talos Intelligence Group that focuses on the post-compromise activity performed by the APT known as #TinyTurla. What I really appreciate is all the artifacts you can gather from the activity vs the focus on IOCs like file names, hashes, etc. For example, the Windows registry run key was seen being modified with this command "reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v sysman /t REG_MULTI_SZ /d "sdm" /f".

New details on TinyTurla’s post-compromise activity reveal full kill chain
https://blog.talosintelligence.com/tinyturla-full-kill-chain/

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

New details on TinyTurla’s post-compromise activity reveal full kill chain

We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.

Cisco Talos Blog
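A defender-side audit built around the quoted "reg add" command, added here as an example (it is not code from the post or from Talos): it walks the Svchost service-group key that command modifies and flags group members whose service key, ServiceDll, or DLL on disk is missing. The registry paths are the standard Windows locations; everything else is an assumption.

```powershell
# Added example, not from the post or from Talos: audit the svchost
# service-group key that the quoted "reg add" command modifies.
$SvchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostGroupAudit {
    # Each value under the Svchost key is a service group (a REG_MULTI_SZ list
    # of service names). A group such as "sysman" holding a service "sdm" that
    # has no service key, no ServiceDll, or a DLL missing from disk is worth a look.
    $item = Get-Item -Path $SvchostKey
    foreach ($group in $item.GetValueNames()) {
        if ($group -eq '') { continue }   # skip the key's default value, if present
        foreach ($svc in @($item.GetValue($group))) {
            $svcPath   = Join-Path $ServicesKey $svc
            $hasSvcKey = Test-Path -Path $svcPath
            $dll = $null
            if ($hasSvcKey) {
                # ServiceDll normally lives under Parameters; a few services keep it on the service key itself
                $params = Get-ItemProperty -Path (Join-Path $svcPath 'Parameters') -ErrorAction SilentlyContinue
                if ($params -and $params.ServiceDll) { $dll = $params.ServiceDll }
                else {
                    $root = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
                    if ($root -and $root.ServiceDll) { $dll = $root.ServiceDll }
                }
            }
            $dllOnDisk = $false
            if ($dll) {
                $dllOnDisk = Test-Path -Path ([Environment]::ExpandEnvironmentVariables($dll))
            }
            [pscustomobject]@{
                Group      = $group
                Service    = $svc
                ServiceKey = $hasSvcKey
                ServiceDll = $dll
                DllOnDisk  = $dllOnDisk
                Suspicious = (-not $hasSvcKey) -or (-not $dll) -or (-not $dllOnDisk)
            }
        }
    }
}

# Review the flagged rows and compare Group names against an export taken
# from a known-clean machine of the same Windows build.
Get-SvchostGroupAudit | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Optional services that are not installed on a given edition also show up with ServiceKey set to False, so treat the output as a triage list rather than a verdict.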

Cisco Talos provides an update on an ongoing campaign operated by the Russian state-sponsored APT Turla (publicly attributed to the Federal Security Service of the Russian Federation (FSB) Center 16). They now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. IOCs provided. 🔗 https://blog.talosintelligence.com/tinyturla-full-kill-chain/

#Russia #cyberespionage #Turla #FSB #TinyTurla #threatintel #IOC

In mid-August, the Sophos X-Ops Incident Response team was brought in to address a cyber incident impacting a telecommunications company. Shortly after, when the customer was onboarded to Sophos MDR services, a detection was generated for a service creation for the Cloudflared tunneling service from a suspicious path. The resulting investigation led Sophos MDR Ops analysts and SophosLabs researchers to uncover a backdoor leveraging a loading function similar to that previously seen within the TinyTurla backdoor.

#ThreatIntel #TinyTurla #NotSoTinyTurla #SophosXops