The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint cybersecurity advisory (CSA) regarding new Truebot malware variants that are being used against organizations in the United States and Canada.
Older Truebot variants were delivered via malicious phishing email attachments, the CSA explained.[1]
But as recently as 31 May 2023, the authoring organizations observed newer variants that gain initial access by exploiting a remote code execution vulnerability in the Netwrix Auditor application (CVE-2022-31199). Exploiting this vulnerability lets threat actors deploy the malware without relying on a user opening an attachment.
“Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants,” the CSA stated.
The authoring entities advised US and Canadian organizations to learn about Truebot malware indicators of compromise (IOCs) and implement security controls to protect against phishing. Cyber threat actors primarily use Truebot to exfiltrate data for financial gain.
In addition to increasing phishing awareness, the authoring organizations urged potential victims to apply patches for CVE-2022-31199 and update Netwrix Auditor to version 10.5. “Netwrix recommends using their Auditor application only on internally facing networks,” the CSA continued. “System owners that don't follow this recommendation, and use the application in externally facing instances, are at increased risk to having CVE-2022-31199 exploited on their systems.”
As always, applying reliable security controls will go a long way in reducing cyber risk. For example, organizations may consider implementing application controls to manage the execution of software, auditing user accounts, or disabling file and printer sharing services.
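Two of the controls listed above, auditing user accounts and disabling file and printer sharing, can be checked from the host itself. The script below is an added example written for this article; it is not code from the CSA, from Netwrix, or from Red Sky Alliance. It assumes a Windows host with PowerShell 5.1 or later and the built-in Microsoft.PowerShell.LocalAccounts and NetSecurity modules; the function names and the 90-day staleness threshold are this example's own choices. By default it only reports; the firewall rules are disabled only when run with `-Remediate`, and `-WhatIf` previews that change.

```powershell
# Added example (not from the CSA, Netwrix, or Red Sky Alliance): a read-only
# hardening check for two controls named in the advisory summary. Assumes
# Windows with the Microsoft.PowerShell.LocalAccounts and NetSecurity modules.
# Run with -Remediate to disable the File and Printer Sharing rules; -WhatIf
# shows what would be disabled without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$StaleDays = 90,   # assumption: accounts idle this long are review candidates
    [switch]$Remediate
)

# 1. Audit user accounts: enabled local accounts and when they last logged on.
function Get-LocalAccountReport {
    param([int]$StaleDays)
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name             = $_.Name
            LastLogon        = $_.LastLogon
            PasswordRequired = $_.PasswordRequired
            # Never logged on, or idle past the cutoff: worth reviewing or disabling.
            Stale            = (-not $_.LastLogon) -or ($_.LastLogon -lt $cutoff)
        }
    }
}

# 2. File and printer sharing: list the enabled inbound allow rules that expose it.
function Get-FilePrinterSharingExposure {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        Select-Object Name, DisplayName, Profile
}

$accounts = Get-LocalAccountReport -StaleDays $StaleDays
Write-Host "Enabled local accounts (Stale = no logon within $StaleDays days):"
$accounts | Format-Table -AutoSize

$exposed = @(Get-FilePrinterSharingExposure)
Write-Host "Enabled inbound File and Printer Sharing allow rules: $($exposed.Count)"
$exposed | Format-Table -AutoSize

# Disable the rules only when explicitly asked; ShouldProcess honours -WhatIf/-Confirm.
if ($Remediate) {
    foreach ($rule in $exposed) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable inbound firewall rule')) {
            Disable-NetFirewallRule -Name $rule.Name
        }
    }
}
```

Run it as `.\Check-TruebotControls.ps1` for the report, and `.\Check-TruebotControls.ps1 -Remediate -WhatIf` to see which rules would be disabled before committing to the change. Before disabling SMB sharing on a file server, confirm nothing legitimate depends on it; the advisory's recommendation is aimed at workstations and hosts that do not need to serve files.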
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Reporting:    https://www.redskyalliance.org/
Website:      https://www.redskyalliance.com/
LinkedIn:     https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://healthitsecurity.com/news/cisa-warns-of-truebot-activity-infecting-us-networks