TrueBot: Cyber Security Agencies Issue A Warning

Uploaded on 2023-08-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Cyber security agencies are warning about the appearance of new variants of the TrueBot malware, which is now focusing on companies in the US and Canada with the aim of stealing private data from infiltrated systems. These attacks exploit a critical vulnerability in the widely used Netwrix Auditor server and its connected agents.

This vulnerability enables unauthorised attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems.

The TrueBot malware is connected to cyber criminal collectives FIN11 and Silence and is deployed to siphon off data and disseminate ransomware.The cyber criminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised systems, and conduct additional operations.

"During FlawedGrace's execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec, which are command processes that enable FlawedGrace to establish a command and control (C2) connection…as well as load dynamic link libraries (DLLs) to accomplish privilege escalation," says the US  Cybersecurity & Infrastructure Security Agency  (CISA) 

The cyber criminals initiate Cobalt Strike beacons within several hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or different malware payloads.

While previous versions of the TrueBot malware were typically spread through malicious email attachments, the updated versions leverage the CVE-2022-31199 vulnerability to gain initial access. This strategic shift allows the cyber threat actors to carry out attacks on a broader scale within infiltrated environments. Importantly, the Netwrix Auditor software is employed by more than 13K organisations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.

The CISA advisory does not provide specific information about the victims or the number of organisations affected by the TrueBot attacks, although it does encourage  organisations to implement appropriate security measures.

To safeguard themselves against TrueBot malware and similar threats, organisations should take the following recommendations into account:

  • Install updates:   Organisations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or above.
  • Enhance security protocols:   Deploy multi-factor authentication (MFA) for all employees and services.
  • Be vigilant for signs of infiltration (IOCs):   Security teams must actively scrutinise their networks for indications of TrueBot contamination. The joint warning provides guidelines to help in discovering and reducing the malware's impact.
  • Report any incidents:   If organisations detect IOCs or suspect a TrueBot infiltration, they must act swiftly in accordance with the incident response actions laid out in the warning and report the incident to CISA or the FBI.

CISA:    NCSC:   NCSC:   Picus Security:    Hacker News:   Malwarertips:    Image: kalhh

You Might Also Read: 

2023’s Most Wanted Malware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« A Cyber Security Plan For Digital Currency
HSBC Using Quantum To Protect Against Cyber Threats »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ProfitBricks

ProfitBricks

ProfitBricks is a secure cloud computing infrastructure-as-a-service (IaaS) solution.

IPCopper

IPCopper

IPCopper specializes in network packet capture appliances for cybersecurity, cybersurveillance and network monitoring, and encrypted data storage.

WetStone Technologies

WetStone Technologies

WetStone develops software solutions that support investigators and analysts engaged in eCrime Investigation, eForensics and incident response activities.

GraVoc

GraVoc

GraVoc is a technology-consulting firm committed to solving business problems for customers through the development, implementation, & support of technology-based solutions.

Digital Management (DMI)

Digital Management (DMI)

DMI is a provider of mobile enterprise, business intelligence and cybersecurity services.

Technology Law Alliance (TLA)

Technology Law Alliance (TLA)

Technology Law Alliance is a specialist IT law firm focussed on the fields of technology, outsourcing and e-commerce.

Quantum Generation

Quantum Generation

Quantum Cyber Security for a new age of communications. We are developing the largest decentralized orbital, and ground quantum mesh network based on blockchain technology.

Infosequre

Infosequre

Infosequre builds up your security awareness culture and turns your employees into the first line of defense against cyber risks.

In Fidem

In Fidem

In Fidem specializes in information security management, with a bold approach that views cybersecurity as a springboard to organizational transformation rather than a barrier to innovation.

Stone Forest IT (SFIT)

Stone Forest IT (SFIT)

Stone Forest IT specialises in providing advisory, implementation and managed services for IT infrastructure, IT security solutions, business applications (ERP and CRM) and business analytical tools.

Binare

Binare

Binare empowers companies all over the world to improve their IIot/IoT /Embedded cybersecurity posture and digital privacy.

Rimstorm

Rimstorm

Rimstorm’s mission is to significantly improve the security of your data using award-winning, state-of-the-art technology combined with cyber managed security services.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

aFFirmFirst

aFFirmFirst

aFFirmFirst is a unique software solution offering a simple yet effective way for businesses to protect and control their online images and logo, as well as allowing one-click website verification.

Dapple Security

Dapple Security

Dapple Security is creating cutting edge technology utilizing responsible biometrics that protects people and privacy through a first-of-its-kind passwordless platform.

Arculus Cyber Security

Arculus Cyber Security

Arculus Cyber Security enables customers to securely realise the benefits of digital transformation through pragmatic solutions, guidance and services.