Increased Truebot activity means threatens United States and Canadian networks is growing.
The cybersecurity landscape is constantly evolving, and the latest joint Cybersecurity Advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) brought attention to the increasing threat posed by Truebot malware variants. Referencing the published advisory on CISA.gov, the following will explore the key points outlined in the advisory, highlighting the nature of the threat, the methods employed by threat actors, and the recommended mitigation strategies.
Understanding Truebot Malware:
Truebot, also known as ‘Silence.Downloader’, is a botnet used by malicious cyber groups to infiltrate and exfiltrate sensitive information from their victims. While previous variants were commonly delivered through phishing emails, recent versions have exploited CVE-2022-31199, an RCE (remote code execution) vulnerability in the Netwrix Auditor application, to gain initial access and move at will throughout the compromised network. This shift in tactics allows threat actors to deploy the malware at scale, within compromised environments, increasing its reach and impact.
** CVE (Common Vulnerabilities and Exposures) is a glossary of vulnerabilities that have been found and analyzed, and are then scored via the Common Vulnerability Scoring System (CVSS) to determine the threat level.
Delivery Methods and Exploitation Techniques:
Truebot has historically relied on phishing emails as the primary delivery method, tricking recipients into clicking malicious hyperlinks or concealing malware as software update notifications. However, the latest variants leverage both phishing campaigns with redirecting hyperlinks and the exploitation of CVE-2022-31199. This dual approach enhances the chances of successful infection and highlights the adaptability of threat actors.
The Role of FlawedGrace and Cobalt Strike:
Once deployed – usually within minutes of Truebot malware execution – Truebot utilizes FlawedGrace, a remote access tool (RAT), to manipulate registry and print spooler programs, escalate privileges, and establish persistence. FlawedGrace also injects Cobalt Strike beacons into memory, enabling lateral movement, persistence, and data exfiltration. The combination of these tools underscores the sophistication and complexity of the Truebot malware operations.
Detection and Incident Response:
Detecting and mitigating a Truebot infection requires a proactive approach. Organizations are advised to review and implement the recommended detection signatures, apply vendor patches to Netwrix Auditor (specifically version 10.5), and remain vigilant for indicators of compromise (IOCs) within their environments. In the event of an infection, immediate quarantine of affected hosts, artifact collection, and re-imaging compromised systems are crucial steps to mitigate the damage. Reporting the incident to CISA, the FBI, or local authorities is also essential to aid in investigation and further analysis.
**While the above is technical, requiring trained security and IT practitioners, understanding the importance of the processes happening simultaneously in the background (from the attacker’s side), as well as the processes and procedures your team and organization should take, are critical to surviving a breach of this magnitude, and remaining operational.
If you’re unsure of what to do in the event of a breach, speak with a Logically expert to learn more about how Logically can help your business.
To mitigate the risk of Truebot infections, organizations should implement a range of security measures. Applying patches to CVE-2022-31199 and keeping software and firmware up to date are essential. Furthermore, the use of phishing-resistant multifactor authentication (MFA) for all staff and services is highly recommended. Restricting the use of remote desktop services, disabling command-line and scripting activities, and implementing enhanced PowerShell logging are additional measures to strengthen defenses against Truebot attacks. Network segmentation, offline backups, and adherence to NIST standards for password policies are also emphasized as effective mitigation strategies.
Validating Security Controls:
In addition to implementing mitigation measures, organizations are encouraged to validate their security controls against the threat behaviors mapped in the MITRE ATT&CK for Enterprise framework. This involves testing existing security technologies and analyzing their performance against known Truebot techniques. Continuous testing and fine tuning of security programs based on real-world scenarios are essential to ensure optimal protection against Truebot and other evolving threats.
The joint Cybersecurity Advisory serves as a reminder of the escalating threat posed by Truebot malware variants in the United States and Canada, as well as other threats and threat actors around the globe. Understanding the tactics and techniques employed by threat actors, as well as implementing the recommended mitigation strategies, are critical for organizations to protect their networks and sensitive data. By staying informed, remaining vigilant, and proactively implementing best-practice security measures, organizations can bolster their defenses and mitigate their risk of falling victim to attack.
CISA Cybersecurity Advisory – July 6, 2023 [https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a]
NIST Computer Security Resource Center – Glossary [https://csrc.nist.gov/glossary/term/common_vulnerabilities_and_exposures]
CVE.org – [https://www.cve.org/]
Splunk> Blog – Deep Dive on Persistence, Privilege Escalation Technique and Detection in Linux Platform [https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html]
MITRE ATT&CK – Cobalt Strike TTPs [https://attack.mitre.org/versions/v13/software/S0154/]