TrueBot: Cyber Security Agencies Issue A Warning

Uploaded on 2023-08-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Cyber security agencies are warning about the appearance of new variants of the TrueBot malware, which is now focusing on companies in the US and Canada with the aim of stealing private data from infiltrated systems. These attacks exploit a critical vulnerability in the widely used Netwrix Auditor server and its connected agents.

This vulnerability enables unauthorised attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems.

The TrueBot malware is connected to cyber criminal collectives FIN11 and Silence and is deployed to siphon off data and disseminate ransomware.The cyber criminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their privileges, establish persistence on the compromised systems, and conduct additional operations.

"During FlawedGrace's execution phase, the RAT stores encrypted payloads within the registry. The tool can create scheduled tasks and inject payloads into msiexec, which are command processes that enable FlawedGrace to establish a command and control (C2) connection…as well as load dynamic link libraries (DLLs) to accomplish privilege escalation," says the US  Cybersecurity & Infrastructure Security Agency  (CISA) 

The cyber criminals initiate Cobalt Strike beacons within several hours of the first intrusion. These beacons facilitate post-exploitation tasks, including stealing data and installing ransomware or different malware payloads.

While previous versions of the TrueBot malware were typically spread through malicious email attachments, the updated versions leverage the CVE-2022-31199 vulnerability to gain initial access. This strategic shift allows the cyber threat actors to carry out attacks on a broader scale within infiltrated environments. Importantly, the Netwrix Auditor software is employed by more than 13K organisations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.

The CISA advisory does not provide specific information about the victims or the number of organisations affected by the TrueBot attacks, although it does encourage  organisations to implement appropriate security measures.

To safeguard themselves against TrueBot malware and similar threats, organisations should take the following recommendations into account:

  • Install updates:   Organisations using Netwrix Auditor should install the necessary updates to mitigate the CVE-2022-31199 vulnerability and update their software to version 10.5 or above.
  • Enhance security protocols:   Deploy multi-factor authentication (MFA) for all employees and services.
  • Be vigilant for signs of infiltration (IOCs):   Security teams must actively scrutinise their networks for indications of TrueBot contamination. The joint warning provides guidelines to help in discovering and reducing the malware's impact.
  • Report any incidents:   If organisations detect IOCs or suspect a TrueBot infiltration, they must act swiftly in accordance with the incident response actions laid out in the warning and report the incident to CISA or the FBI.

CISA:    NCSC:   NCSC:   Picus Security:    Hacker News:   Malwarertips:    Image: kalhh

You Might Also Read: 

2023’s Most Wanted Malware:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« A Cyber Security Plan For Digital Currency
HSBC Using Quantum To Protect Against Cyber Threats »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Cyren

Cyren

Cyren is a cloud-based, Internet security technology company providing threat detection and security analytics.

Information Security Systems (ISSCOM)

Information Security Systems (ISSCOM)

ISSCOM provide services to help companies implement Information Security Management Systems (ISMS) by providing consultancy and hands-on assistance.

Telefonica Tech

Telefonica Tech

Telefónica Cyber Security Tech is focused on the prevention, detection and appropriate response to security incidents aimed at protecting your digital services.

Zymr

Zymr

Zymr specialize in cloud computing solutions including Cloud Security, Cloud Mobility, Cloud Apps, Cloud Infrastructure and Cloud Orchestration.

Basis Technology

Basis Technology

Basis Technology provides software solutions for text analytics, information retrieval, digital forensics, and identity resolution.

ICTSecurity Portal - Austria

ICTSecurity Portal - Austria

The ICTSecurity Portal is an interministerial initiative in cooperation with the Austrian economy and acts as a central internet portal for topics related to security in the digital world.

Axence

Axence

Axence provides professional solutions for the comprehensive management of IT infrastructure for companies and institutions all over the world.

PureCyber

PureCyber

PureCyber (formerly Wolfberry Cyber) is an award-winning cyber security consultancy whose goal it is to make cyber security accessible, understandable, and affordable for any organisation.

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange (CPX)

Cybersecure Policy Exchange is a new initiative dedicated to advancing effective and innovative public policy in cybersecurity and digital privacy.

blueAllianceIT

blueAllianceIT

blueAlliance IT is an investment and growth platform that unites local MSP and IT companies around the nation, helping them to grow and operate competitively.

Netgo

Netgo

Netgo group meet the requirements of a complex, digitized world with IT consulting, IT solutions & services, managed & cloud services and software products & development.

Halcyon

Halcyon

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks.

Port443

Port443

Port443 specialises in providing Security Orchestration, Automation and Remediation (SOAR) "as a service".

NMi Group

NMi Group

NMi Group is a global pioneer in mission-critical Testing, Inspection, Certification, and Calibration (TICC) services.

CyberSG TIG Centre

CyberSG TIG Centre

CyberSG TIG Centre aims to propel Singapore as the world’s premier cybersecurity innovation hub for economic growth.

DeepStrike

DeepStrike

DeepStrike is a leading cybersecurity firm specializing in human-powered, high-quality penetration testing designed to protect businesses from evolving cyber threats.