TrueBot: Cyber Security Agencies Issue A Warning

Uploaded on 2023-08-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Cyber security agencies are warning about the appearance of new variants of the TrueBot malware, which is now focusing on companies in the US and Canada with the aim of stealing private data from infiltrated systems. These attacks exploit a critical vulnerability in the widely used Netwrix Auditor server and its connected agents.

This vulnerability enables unauthorised attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems.

The TrueBot malware is connected to cyber criminal collectives FIN11 and Silence and is deployed to siphon off data and disseminate ransomware.The cyber criminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised systems, and conduct additional operations.

"During FlawedGrace's execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec, which are command processes that enable FlawedGrace to establish a command and control (C2) connection…as well as load dynamic link libraries (DLLs) to accomplish privilege escalation," says the US  Cybersecurity & Infrastructure Security Agency  (CISA) 

The cyber criminals initiate Cobalt Strike beacons within several hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or different malware payloads.

While previous versions of the TrueBot malware were typically spread through malicious email attachments, the updated versions leverage the CVE-2022-31199 vulnerability to gain initial access. This strategic shift allows the cyber threat actors to carry out attacks on a broader scale within infiltrated environments. Importantly, the Netwrix Auditor software is employed by more than 13K organisations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.

The CISA advisory does not provide specific information about the victims or the number of organisations affected by the TrueBot attacks, although it does encourage  organisations to implement appropriate security measures.

To safeguard themselves against TrueBot malware and similar threats, organisations should take the following recommendations into account:

  • Install updates:   Organisations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or above.
  • Enhance security protocols:   Deploy multi-factor authentication (MFA) for all employees and services.
  • Be vigilant for signs of infiltration (IOCs):   Security teams must actively scrutinise their networks for indications of TrueBot contamination. The joint warning provides guidelines to help in discovering and reducing the malware's impact.
  • Report any incidents:   If organisations detect IOCs or suspect a TrueBot infiltration, they must act swiftly in accordance with the incident response actions laid out in the warning and report the incident to CISA or the FBI.

CISA:    NCSC:   NCSC:   Picus Security:    Hacker News:   Malwarertips:    Image: kalhh

You Might Also Read: 

2023’s Most Wanted Malware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« A Cyber Security Plan For Digital Currency
HSBC Using Quantum To Protect Against Cyber Threats »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Solarflare

Solarflare

Solarflare is a leading provider of intelligent networking I/O software and hardware platforms that accelerate, monitor and secure network data.

Positive Technologies

Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection.

National Cyber Security Centre (NCSC) - Switzerland

National Cyber Security Centre (NCSC) - Switzerland

The National Cyber Security Centre is Swizerland's competence centre for cybersecurity and the first contact point for businesses, public administrations, and the public for cyber issues.

TorGuard

TorGuard

TorGuard is a Virtual Private Network services provider offering secure encrypted access to the internet.

InPhySec

InPhySec

InPhySec is a leading New Zealand information, physical and cyber security company.

CERT Tonga

CERT Tonga

CERT Tonga is the national Computer Emergency Response Team for Tonga.

eLearnSecurity

eLearnSecurity

eLearnSecurity is an innovator in the IT Security training market providing quality online courses paired with highly practical virtual labs.

Quantum Security

Quantum Security

Quantum's game-changing approach to cybersecurity brings you performance and peace-of-mind, with a raft of additional benefits: it's non-proprietary, comprehensive, scalable, and affordable.

SecureThings

SecureThings

SecureThings focus is to provide guidance and technology to secure connected vehicles in order to build end-to-end security for the automotive industry.

Akito

Akito

Akito was set up to become a point of reference in the ICT market for issues related to Security and in particular Cyber Security.

CWSI

CWSI

CWSI provide a full suite of enterprise mobility, security and productivity solutions to many of Ireland and the UK’s most respected organisations across a wide range of industry and public sectors.

Pionen

Pionen

Pionen are a specialist information security consultancy with excellent people and proven security delivery methodologies at its core.

NormCyber

NormCyber

NormCyber provide award-winning cyber security and data protection as a service for midsize organisations.

NSW IT Support

NSW IT Support

NSW IT Support: Your exclusive hub for comprehensive Business IT services in Sydney. Our skilled team ensures seamless technology solutions nationwide, consistently delivering top-tier IT support.

PureID

PureID

Protect your enterprise with PureAUTH #IAMFirewall, Resilient SSO platform, purpose built to provide Passwordless Authentication & Zero Trust Access, by default.

CheapSSLWEB

CheapSSLWEB

CheapSSLWeb.com is an affordable and trusted SSL/TLS certificate provider from globally recognized CA (Certificate Authority) Comodo, Sectigo, and Certera..