The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have alerted the public about new variants of the Truebot malware being deployed on compromised networks. The malware takes advantage of a severe remote code execution (RCE) vulnerability in the Netwrix Auditor software, which is currently being exploited in attacks against organizations in the U.S. and Canada. The vulnerability, identified as CVE-2022-31199, affects the Netwrix Auditor server and the agents installed on monitored network systems. It allows unauthorized attackers to execute malicious code with SYSTEM privileges.
Truebot is a malware downloader associated with the Russian-speaking Silence cybercrime group. The malware has also been used by TA505 hackers, who are linked to the FIN11 group, to deploy Clop ransomware on compromised networks since December 2022. After Truebot has been installed on a breached network, the hackers install the FlawedGrace Remote Access Trojan (RAT). This RAT is also associated with the TA505 group and allows the attackers to escalate privileges and establish persistence on the compromised systems. The attackers also deploy Cobalt Strike beacons within hours of the initial breach, which can be used for various post-exploitation tasks, including data theft and dropping further malware payloads.
CISA and the FBI, in a joint report with MS-ISAC and the Canadian Centre for Cyber Security, stated, "Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199." In May 2023, threat actors used this vulnerability to deliver new Truebot malware variants and to collect and exfiltrate information from organizations in the U.S. and Canada. The main objective of the threat actors behind Truebot is to steal sensitive information from compromised systems for financial gain.
Security teams are urged to search for signs of malicious activity that could indicate a Truebot infection, using the guidelines provided in the joint advisory. If any indicators of compromise (IOCs) are detected within their organization's network, immediate mitigation and incident response measures should be implemented as outlined in the advisory, and incidents should be reported to CISA or the FBI. Organizations using Netwrix's IT system auditing software are advised to apply patches addressing the CVE-2022-31199 vulnerability and update Netwrix Auditor to version 10.5. Implementing phishing-resistant multifactor authentication (MFA) for all staff and services can also help prevent such attacks. Netwrix's products are used by over 13,000 organizations worldwide, including prominent ones like Airbus, Allianz, the UK's NHS, and Virgin.
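The patching advice above is only actionable once an organization knows which of its Windows hosts still run a pre-10.5 Netwrix Auditor server or agent. The following PowerShell script is an added example for that inventory step; it is not code from the advisory, the article, or Netwrix. It reads the standard Windows uninstall registry keys and flags installs whose version is below 10.5. The assumptions are that the product registers a DisplayName beginning with "Netwrix Auditor" and a dotted DisplayVersion string, and that WinRM is enabled for any remote host queried; adjust the name filter to match what your own estate reports.

```powershell
# Added example, not part of the advisory or Netwrix's tooling.
# Flags Netwrix Auditor installs older than the patched 10.5 release by
# reading the standard Windows uninstall registry keys.
# Assumptions: DisplayName starts with "Netwrix Auditor" and DisplayVersion
# is a dotted version string (both hypothetical; verify against a known host).

$PatchedVersion = [version]'10.5'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-NetwrixAuditorStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $scriptBlock = {
        param($Keys, $Patched)
        Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
            ForEach-Object {
                # [version] compares component by component, so 10.10 correctly
                # sorts above 10.5; a plain string comparison would get this wrong.
                $installed = $null
                $parsed = [version]::TryParse($_.DisplayVersion, [ref]$installed)
                # An unparseable or missing version is treated as needing review
                # rather than silently passing.
                $needsPatch = if ($parsed) { $installed -lt $Patched } else { $true }
                [pscustomobject]@{
                    ComputerName = $env:COMPUTERNAME
                    Product      = $_.DisplayName
                    Version      = $_.DisplayVersion
                    NeedsPatch   = $needsPatch
                }
            }
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) {
            & $scriptBlock $UninstallKeys $PatchedVersion
        } else {
            # Remote query over WinRM; requires PowerShell remoting on the target.
            Invoke-Command -ComputerName $computer -ScriptBlock $scriptBlock `
                -ArgumentList $UninstallKeys, $PatchedVersion
        }
    }
}

# Usage: check this host, or pass the Auditor server plus the hosts running agents.
Get-NetwrixAuditorStatus | Format-Table -AutoSize
# Get-NetwrixAuditorStatus -ComputerName 'auditor01','fileserver02' | Where-Object NeedsPatch
```

Run it against both the Auditor server and the monitored systems carrying agents, since the advisory names both as affected. Hosts that return nothing either have no Auditor component registered or report it under a different DisplayName, so an empty result on a host you expect to be monitored deserves a manual look rather than being counted as patched.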