A new warning was issued by CISA and the FBI! Organizations across the United States and Canada have been targeted in attacks that use a new variant of the Truebot malware. The malware takes advantage of a remote code execution (RCE) vulnerability in the Netwrix Auditor software to infiltrate networks and compromise machines.
Understanding Truebot
The vulnerability, tracked as CVE-2022-31199, affects the Netwrix Auditor server and the agents installed on monitored network systems, and enables unauthenticated attackers to execute malicious code with the SYSTEM user’s privileges.
Since December 2022, TA505 hackers (affiliated with the FIN11 organisation) have been using TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to spread Clop ransomware on infected networks.
Multiple Malware Used in the Attack
As reported by BleepingComputer, after installing TrueBot on the breached networks, the threat actors install the FlawedGrace Remote Access Trojan (RAT), another malware linked to the TA505 group, which allows them to escalate privileges and establish persistence on the hacked systems.
After the initial breach, the attackers would also deploy Cobalt Strike beacons that could later be used for various post-exploitation tasks such as data theft and dropping further malware payloads such as ransomware.
Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199.
CISA and the FBI (Source)
According to the two federal agencies, the threat actors exploited this vulnerability as recently as May 2023 to deliver the new Truebot variants and to collect and exfiltrate data.
Based on the Truebot operations observed so far, the main objective of the threat actors behind Truebot is to steal confidential data from infected computers for financial gain.
CISA and the FBI published a set of guidelines in their joint advisory, with the purpose of helping security teams detect a Truebot infection. If they detect any indicators of compromise (IOCs) within their organization’s network, they should promptly implement the mitigation and incident response measures outlined in the advisory.
Luckily, a patch has been released for the CVE-2022-31199 vulnerability, so to prevent infection we advise you to apply it and update Netwrix Auditor to version 10.5. With Heimdal®’s Patch & Asset Management module implemented, you won’t have to worry about unpatched vulnerabilities, as our completely automated solution will take care of them as soon as the patch is released. Book a demo and enjoy the power of automated patch management.
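A quick way to act on the advice above is to check your software inventory for Netwrix Auditor installs still below version 10.5. The script below is an added example written for this article; it is not code from the article, from Netwrix or from Heimdal. It assumes an inventory export with hostname, product name and version string (the sample records, hostnames, product-name strings and build numbers are constructed), and it compares versions numerically so that a string such as "9.96" is not mistaken for being newer than "10.5".

```python
"""
Patch-compliance check for the Netwrix Auditor flaw (CVE-2022-31199).
Added example, not from the article or from Netwrix/Heimdal. It assumes an
inventory export (constructed here) with hostname, product and version, and
flags hosts running Netwrix Auditor below 10.5, the fixed version the article names.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# From the article: 10.5 is the fixed version. Only major.minor is stated there.
FIXED_VERSION = "10.5"


@dataclass
class InventoryRecord:
    host: str
    product: str
    version: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.5.10977.0' into (10, 5, 10977, 0); non-numeric text is ignored.
    Comparing integer tuples avoids the string-compare trap where '9.96' > '10.5'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is at or above `fixed`. Shorter tuples are padded with
    zeros so that '10.5' and '10.5.0.0' compare equal."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v = v + (0,) * (width - len(v))
    f = f + (0,) * (width - len(f))
    return v >= f


def find_unpatched(inventory: List[InventoryRecord]) -> List[str]:
    """Return hostnames that have a Netwrix Auditor component below the fixed version."""
    return [
        rec.host
        for rec in inventory
        if "netwrix auditor" in rec.product.lower() and not is_patched(rec.version)
    ]


# Constructed sample inventory: hostnames, product-name strings and build numbers
# are made up for illustration and are not real Netwrix release identifiers.
SAMPLE_INVENTORY = [
    InventoryRecord("audit-srv-01", "Netwrix Auditor", "10.5.10977.0"),
    InventoryRecord("audit-srv-02", "Netwrix Auditor", "10.0.1234.0"),
    InventoryRecord("fs-03", "Netwrix Auditor Agent", "9.96"),
    InventoryRecord("dc-01", "Microsoft Windows Server", "10.0.20348"),
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"UNPATCHED: {host}")
```

Running it against the constructed inventory reports audit-srv-02 and fs-03; the Windows Server record is ignored because it is not a Netwrix Auditor component. Feed it your real inventory export in place of SAMPLE_INVENTORY to get a list of hosts that still need the 10.5 update.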
Heimdal® Patch & Asset Management Software
- Schedule updates at your convenience;
- See any software assets in inventory;
- Global deployment and LAN P2P;
- And much more than we can fit in here...
Netwrix’s products are being used by over 13,000 companies worldwide, including high-profile ones such as Airbus, Allianz, NHS, and Virgin.