January 8, 2023

TSD #023: Turla Piggybacking.

This week's edition is brought to you by CultureAI. They help companies monitor and respond to over 35 human cyber risk behaviours. CultureAI can deliver automated nudges when users fail attack sims via email/Slack/MFA. They can also deliver fully automated, intelligent email phishing and stop users from sharing PII on public platforms. Discover today how easily CultureAI can connect with your workplace apps and change risky user behaviour in your organisation. Find out more about CultureAI.

Hello friend 👋

Awesome reporting from Mandiant on the Russian APT group, Turla. They're widely suspected of being connected to the Russian State and rose to fame over a decade ago when they hacked the US Department of Defense. The infection vector back then was infected USB drives plugged in by DoD employees. Turla's current targeting is focused on Ukraine, and they're piggybacking on Andromeda malware infections created by another group. They have since:

...re-registered at least three expired Andromeda command and control (C2) domains and began profiling victims to selectively deploy Kopiluwak [their recon tool] and QuietCanary [their backdoor] in September 2022.

The name of the domain they registered is in the picture below and is both offensive and laughable amongst all this seriousness.

Normally, we try and track threat actors using MITRE ATT&CK TTPs, but in this case, Turla are just slipping inside some other threat actor's malware. I'm not sure how you'd track that. Another one to add to the long list of reasons why attribution is hard to impossible in cyber warfare. It's definitely worth reading the full Mandiant report. You can do that here.

You can get in touch with me by simply hitting reply. I respond to every email that hits my inbox.

Until next week,

Gary ✌️

Fun Things This Week

🎙My Latest Video

EASY Brute Forcing with Hydra and Burp Suite: One of the first things I wanted to learn when I was a baby hacker was how hackers get through login panels. Those pesky username and password entry boxes! That's what my latest video is on. Come learn how to use Burp Suite and Hydra to brute force these pages!

💻 Books

I got my hands on a copy of The Hardware Hacking Handbook. I've read a few early chapters and need to schedule some time to get through this one. I've always been intrigued by hardware but always found it a bit of a pipe dream that I'd ever understand it. This book, so far, seems to be a pretty good place to start. Although, I'm afraid I might not be able to put the TV remote I just disassembled back together 😬 Get it on Amazon

👾 Cool Tools

ExchangeFinder is a simple and open-source tool that tries to find Microsoft Exchange instances for a given domain based on the most common DNS names used for Microsoft Exchange. Lots of companies still haven't migrated to M365 and are running Exchange, so this will help you when you're doing engagements with them.

Subparse is a modular framework developed by Josh Stroschein, Aaron Baker, and Odin Bernstein. The framework is designed to parse and index malware files and present the information found during parsing in a searchable web viewer.

If you've written a tool and you'd like me to see it, just drop me an email!

Whenever you’re ready, there are a few ways I can help you:

1. If you'd like to learn how to create content to raise your online profile, I have a free email crash course and a whole series of video workshops.

2. If you want to land a career in cyber security but don't know where to start, your best bet is through my SWITCHFIRE guide.

3. If you'd like to promote yourself or your business and help keep this newsletter free to its readers, you can sponsor it by dropping me an email.

Subscribe to The Sunday Download