CISA and the FBI warned today of new Truebot malware variants deployed on networks compromised using a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software in attacks targeting organizations across the United States and Canada.
The bug (tracked as CVE-2022-31199) impacts the Netwrix Auditor server and the agents installed on monitored network systems and enables unauthorized attackers to execute malicious code with the SYSTEM user’s privileges.
TrueBot is a malware downloader linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022.
After installing TrueBot on breached networks, the attackers install the FlawedGrace Remote Access Trojan (RAT), also linked to the TA505 group, which allows them to escalate privileges and establish persistence on the hacked systems.
Hours after the initial breach, they will also deploy Cobalt Strike beacons that could later be used for various post-exploitation tasks, including data theft and dropping further malware payloads such as ransomware.
“Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199,” the two federal agencies said in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.
“As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the U.S. and Canada.”
Based on the nature of Truebot operations observed so far, the primary goal of threat actors behind Truebot is to steal sensitive information from compromised systems for financial gain.
Security teams are advised to hunt for signs of malicious activity pointing to a Truebot infection using the guidelines shared in today’s joint advisory.
If they detect any indicators of compromise (IOCs) within their organization’s network, they should immediately implement mitigation and incident response measures outlined in the advisory and report the incident to CISA or the FBI.
If your organization uses Netwrix’s IT system auditing software, you should apply patches to address the CVE-2022-31199 vulnerability and update Netwrix Auditor to version 10.5.
Using phishing-resistant multifactor authentication (MFA) for all staff and services to block unauthorized access to critical systems is also a good way to stop such attacks in their tracks.
Netwrix says its products are being used by over 13,000 organizations worldwide, including high-profile ones like Airbus, Allianz, UK’s NHS, and Virgin.