A severe remote code execution (RCE) vulnerability in the Netwrix Auditor software was used in attacks against organisations across the United States and Canada, according to a warning issued today by CISA and the FBI. These assaults targeted organisations in the United States and Canada.
Unauthorised attackers can run malicious code with the privileges of the SYSTEM user thanks to a security flaw that affects the Netwrix Auditor server and the agents installed on monitored network systems (tagged as CVE-2022-31199).
Since December 2022, TA505 hackers (connected with the FIN11 organisation) have exploited TrueBot, a malware downloader related to the Russian-speaking Silence cybercrime group, to install Clop ransomware on compromised networks.
After installing TrueBot on compromised networks, the hackers install the FlawedGrace Remote Access Trojan (RAT), which is likewise affiliated with the TA505 group and allows them to escalate privileges and establish persistence on the compromised systems.
Hackers will also deploy Cobalt Strike beacons hours after the initial breach, which might potentially be exploited to perform various post-exploitation tasks such as data theft and delivering other malware payloads such as ransomware.
"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies explained in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.
"As recently as May 2023, cyber threat actors used this common vulnerability and exposure to deliver new Truebot malware variants and to collect and exfiltrate information against organisations in the U.S. and Canada."
Based on the nature of Truebot operations documented thus far, the primary purpose of attackers behind Truebot is to acquire confidential data from compromised systems for monetary gain.
Following the guidelines laid out in joint advisory, security teams are advised to search for evidence of malicious activity pointing to a Truebot infection.
If they find any indicators of compromise (IOCs) within their organization's network, they should immediately implement the mitigation and incident response steps suggested in the advisory and report the incident to CISA or the FBI.
