The Canadian Centre for Cyber Security, together with the FBI and other U.S. agencies, has released a joint advisory on the growing threat of “Truebot” malware. According to the alert published on July 6, hackers are exploiting a vulnerability in security software to gain unauthorized access to computer networks in Canada and the United States, with the aim of stealing sensitive data for financial gain. The affected product is Netwrix Auditor, a widely used tool deployed by more than 7,000 organizations, including those in the insurance, financial, healthcare, and legal sectors.
Anil Somayaji, an associate professor of computer science at Carleton University in Ottawa, explained the gravity of the situation, emphasizing that compromised security software, which typically requires high-level access, can grant attackers the upper hand. He stated, “It’s the worst kind of vulnerability in very sensitive software that’s deployed in precisely those places where they care about security.”
Netwrix, headquartered in Texas, is urging its customers to promptly upgrade their software and disconnect systems running the vulnerable version from the internet. Gerrit Lansing, the Chief Security Officer of Netwrix, expressed concern over the vulnerability, stating that it allows attackers to execute arbitrary code on exposed Netwrix Auditor systems, enabling enumeration attacks and attempts to escalate privileges within infiltrated networks—essential activities for cyber attacks.
Netwrix Auditor, marketed as a digital tool to detect security threats, ensure compliance, and improve IT team efficiency, may inadvertently give hackers access to entire computer systems and the very sensitive data it is meant to safeguard. Somayaji explained that once a system is compromised, hackers can take control of it and encrypt its data, demanding a ransom for decryption.
The Canadian Centre for Cyber Security, a division of the Communications Security Establishment (CSE), Canada’s cybersecurity and digital intelligence agency, collaborated with the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in the U.S. to issue this joint alert on the new cyber threat.
Although private security researchers have linked Truebot malware to the Silence Group, allegedly a Russian-speaking hacking group targeting financial institutions in former Soviet countries and globally, the CSE spokesperson refrained from validating these findings.
Earlier versions of the Truebot malware relied mainly on phishing emails to infiltrate systems through deceptive hyperlinks. The latest tactics, however, exploit a remote code execution vulnerability in Netwrix Auditor, tracked as CVE-2022-31199, so that a successful intrusion no longer depends on a victim being tricked into clicking a link.
The CSE advises affected IT operators to consult its technical alert and cybersecurity advisory for complete details and remediation guidance.
Somayaji highlighted that Netwrix is not the first security software company to face such breaches, emphasizing that vulnerabilities have been discovered in several security products in the past. The motives behind these attacks can range from profit-seeking to intelligence operations or personal vendettas.