Multiple threat actor groups have been detected using new variants of the Truebot malware to target organizations in the United States and Canada. This information was announced in a joint advisory released on Thursday by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Canadian Centre for Cyber Security, and the Multi-State Information Sharing and Analysis Center.
The advisory focuses on Truebot, a botnet malware that was initially identified back in 2017. Previous versions of Truebot were delivered to victims through malicious attachments in phishing emails. However, the latest variants can now exploit a remote code execution flaw, known as CVE-2022-31199, in the Netwrix Auditor application to gain access to victim networks.
Although improved versions of Truebot have been previously discussed, CISA’s advisory highlights a recent increase in attacks by multiple adversaries. The advisory explains that the organizations involved have observed cyber threat actors employing phishing campaigns with malicious redirect hyperlinks, as well as exploiting the CVE-2022-31199 vulnerability to deliver these new Truebot malware variants.
The advisory also lists additional malware and tools used alongside Truebot: Raspberry Robin, a wormable malware; FlawedGrace, a remote access tool; the penetration testing framework Cobalt Strike; and the data exfiltration tool Teleport. Interested parties can find a comprehensive technical breakdown, including indicators of compromise, in the advisory.
While the advisory does not specify any ongoing campaigns or threat actors currently utilizing Truebot, it does mention that it has been used by the malicious cyber group known as the CL0P Ransomware Gang. This group, also referred to as Clop, has been responsible for a significant number of attacks targeting customers of Progress Software’s managed file transfer (MFT) product, MOVEit Transfer. A threat actor associated with Clop, identified as “Lace Tempest” by Microsoft, exploited a zero-day vulnerability in MOVEit Transfer to gain access to customers’ MFT instances, exfiltrate sensitive data, and demand ransom payments. The attacks affected more than 200 victims, including private organizations in the United Kingdom, as well as state and federal government agencies in the United States.
In response to these developments, TechTarget Editorial reached out to CISA to ask whether Truebot was used in Clop’s campaign against MOVEit customers. The agency had not responded as of press time.
The advisory concludes by recommending that organizations scan their systems for any signs of malicious activity using the guidance provided. Additionally, organizations are advised to apply relevant patches provided by the vendor to address the vulnerability in Netwrix Auditor. Furthermore, any organization that identifies indicators of compromise (IOCs) within their environment should promptly implement the incident response and mitigation measures outlined in the advisory, and report the intrusion to CISA or the FBI.
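As an added illustration of the IOC sweep the advisory recommends (this is not code from the advisory or from TechTarget), the script below matches a set of indicators against log lines. Every hash, domain and IP address in it is a labelled placeholder, and the log lines are constructed for the example; a defender would substitute the indicators actually published in the joint advisory and feed in real EDR, proxy and firewall logs.

```python
"""Sweep log lines for indicators of compromise (IOCs).

Added example, not part of the advisory. All IOC values below are
placeholders to be replaced with the advisory's published indicators.
"""
import re
from dataclasses import dataclass

# Placeholder IOC sets (constructed; NOT values from the advisory).
IOC_SHA256 = {"a" * 64}                         # placeholder file hash
IOC_DOMAINS = {"malicious-placeholder.example"}  # placeholder C2 domain
IOC_IPS = {"203.0.113.10"}                       # TEST-NET-3 placeholder

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int   # 1-based index of the matching log line
    kind: str      # "sha256", "domain" or "ip"
    value: str     # normalized indicator that matched
    line: str      # the full log line, kept for triage


def domain_matches(name: str) -> bool:
    """True if name equals an IOC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def sweep(lines):
    """Return a list of Hit objects for every IOC found in the lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in HASH_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append(Hit(n, "sha256", h.lower(), line))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip, line))
        for d in DOMAIN_RE.findall(line):
            if domain_matches(d):
                hits.append(Hit(n, "domain", d.lower(), line))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2023-07-06T10:01:02Z edr host=ws01 event=file_create sha256="
    + "a" * 64 + " path=C:\\Users\\Public\\update.exe",
    "2023-07-06T10:01:05Z proxy host=ws01 "
    "dst=c2.malicious-placeholder.example:443 action=allow",
    "2023-07-06T10:02:11Z fw src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=443",
    "2023-07-06T10:03:00Z proxy host=ws02 dst=updates.example.org:443 action=allow",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

A hit is a trigger for the advisory's incident response steps, not proof of compromise on its own, and an empty result does not prove the absence of Truebot; indicator lists age quickly, so the patch for the Netwrix Auditor flaw remains the primary control.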
In light of these recent developments, it is crucial for organizations to remain vigilant and prioritize the implementation of necessary security measures to protect against this evolving threat landscape.