CISA Warns of Truebot Activity Infecting US Networks

July 10, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint cybersecurity advisory (CSA) regarding new Truebot malware variants that are being used against organizations in the United States and Canada.

Older versions of the Truebot malware variant were delivered via malicious phishing email attachments, the CSA explained.

But as recently as May 31, 2023, the organizations observed newer versions of the malware that allow cyber threat actors to gain initial access by exploiting a remote code execution vulnerability found in the Netwrix Auditor application (CVE-2022-31199). The exploitation of this vulnerability enables threat actors to deploy malware.

“Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants,” the CSA stated.

The authoring entities advised US and Canadian organizations to learn about Truebot malware indicators of compromise (IOCs) and implement security controls to protect against phishing. Cyber threat actors primarily use the Truebot malware variant for the purpose of exfiltrating data for financial gain.

In addition to increasing phishing awareness, the authoring organizations urged potential victims to apply patces to CVE-2022-31199 and update the Netwrix Auditor to version 10.5.

“Netwrix recommends using their Auditor application only on internally facing networks,” the CSA continued. “System owners that don't follow this recommendation, and use the application in externally facing instances, are at increased risk to having CVE-2022-31199 exploited on their systems.”

As always, applying reliable security controls will go a long way in reducing cyber risk. For example, organizations may consider implementing application controls to manage the execution of software, auditing user accounts, or disabling file and printer sharing services.