Take Truebot seriously.
By Tim Nodar, CyberWire senior staff writer.
Jul 7, 2023

The information-stealer is dangerous, and not to be taken lightly.

Take Truebot seriously.

The US Cybersecurity and Infrastructure Security Agency (CISA) and its partners (the Federal Bureau of Investigation, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security) have issued a joint Cybersecurity Advisory outlining a spike in new variants of the Truebot malware. In addition to phishing campaigns, threat actors are now exploiting a vulnerability in the IT auditing software Netwrix Auditor to deliver the malware:

“Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199—(a remote code execution vulnerability in the Netwrix Auditor application), enabling deployment of the malware at scale within the compromised environment. Based on confirmation from open-source reporting and analytical findings of Truebot variants, the authoring organizations assess cyber threat actors are leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver new Truebot malware variants.”

Truebot is used for information theft.

The Joint Advisory makes it clear that Truebot is an information-stealing toolkit used by the Cl0p ransomware gang and other threat groups to gain access to victims' networks and exfiltrate sensitive data. The advisory offers extensive advice for risk mitigation, including indicators of compromise and preventive measures organizations can apply. CISA also urges organizations to “exercise, test, and validate” their security program against the threat behavior observed in conjunction with Truebot's deployment.

Industry experts agree that the risk needs to be addressed promptly.

Jeff Williams, co-founder and CTO at Contrast Security, draws several lessons, the first of which is that security can’t be confined to the perimeter. 

“To me, this isn’t a story about malware. This is a story about exploiting an interesting vulnerability that you can’t stop at the perimeter.

"Once attackers can run arbitrary code on your servers, the game is over. So the fact that these attackers ran Truebot after they successfully broke in is irrelevant. They could have done anything they wanted.

"The interesting question to me is how did they originally get in? Understanding the original breach is our only hope of keeping them out. In this case, the attackers exploited an 'unsafe deserialization' vulnerability in a .NET web application. The attack works like this. Attackers sent the Netwrix Auditor product a specially crafted HTTP request with a data payload that, during the process of 'deserializing' the data back into objects, caused arbitrary object constructors to be invoked. The attackers were able to include the right data to make those constructors start a native operating system process. At this point, they've won.

"The reason it’s interesting is that you can’t really defend against unsafe deserialization with perimeter defenses like a web application firewall (WAF). How could a WAF know whether a serialized object, just a bunch of bytes on the wire, is either legitimate or an attack?  More and more, attacks are buried inside complex data and are completely inscrutable by perimeter defenses. Organizations need to add runtime security to their platforms to detect these kinds of attacks. Runtime security hardens the app/API stack and ensures (among other things) that the data being deserialized doesn’t cause arbitrary code execution.” 
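The .NET unsafe-deserialization pattern Williams describes, as an added illustration that is not part of the original article and is not Netwrix Auditor's code: a request handler that hands client bytes straight to BinaryFormatter, beside a hardened handler bound to a single plain JSON DTO. The Gadget and AuditQuery types, the handler names and the sample payload are invented for the demo; the gadget only records that its deserialization hook ran, where a real chain would call Process.Start. It assumes a .NET Framework 4.x or .NET 6 console project (newer .NET versions disable BinaryFormatter unless EnableUnsafeBinaryFormatterSerialization is set).

```csharp
// Added demo of the unsafe-deserialization bug class, not vendor code.
// Gadget, AuditQuery, the handlers and the payload are all invented for it.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete; used here only to show the bug

// A "gadget": any [Serializable] type the formatter can reach whose deserialization
// hook runs code. BinaryFormatter instantiates whatever type the stream names and
// runs its hooks (ISerializable ctor, IDeserializationCallback); the attacker picks both.
[Serializable]
public sealed class Gadget : IDeserializationCallback
{
    public static string? Fired;       // demo marker instead of a side effect
    public string Command = "";

    public void OnDeserialization(object? sender)
    {
        // A real chain would do System.Diagnostics.Process.Start(Command) here.
        Fired = Command;
    }
}

// The message the endpoint actually expects (hypothetical shape).
public sealed class AuditQuery
{
    public string Source { get; set; } = "";
    public int MaxEvents { get; set; }
}

public static class Handlers
{
    // VULNERABLE: the type to build is chosen by the bytes on the wire. A WAF sees an
    // opaque blob; the application runs whatever the named type's hooks do.
    public static object HandleUnsafe(byte[] requestBody)
    {
        var formatter = new BinaryFormatter();
        return formatter.Deserialize(new MemoryStream(requestBody));
    }

    // HARDENED: a data-only format bound to one concrete DTO. No type names travel in
    // the request, so there is no constructor or callback for an attacker to select,
    // and the decoded values are range-checked before use.
    public static AuditQuery HandleSafe(byte[] requestBody)
    {
        var opts = new JsonSerializerOptions { MaxDepth = 8, AllowTrailingCommas = false };
        var q = JsonSerializer.Deserialize<AuditQuery>(requestBody, opts)
                ?? throw new InvalidDataException("empty body");
        if (string.IsNullOrWhiteSpace(q.Source) || q.MaxEvents is < 1 or > 10_000)
            throw new InvalidDataException("query out of range");
        return q;
    }
}

public static class Demo
{
    // Builds the "specially crafted request": a serialized Gadget where an AuditQuery
    // was expected. Nothing about the bytes says "attack" to a perimeter device.
    public static byte[] CraftPayload(string command)
    {
        using var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, new Gadget { Command = command });
        return ms.ToArray();
    }

    public static void Main()
    {
        byte[] crafted = CraftPayload("calc.exe");

        Gadget.Fired = null;
        object result = Handlers.HandleUnsafe(crafted);
        Console.WriteLine($"unsafe path: built {result.GetType().Name}, hook fired with '{Gadget.Fired}'");

        Gadget.Fired = null;
        try
        {
            Handlers.HandleSafe(crafted);
        }
        catch (JsonException)
        {
            Console.WriteLine("safe path: gadget rejected as malformed JSON, hook fired: "
                              + (Gadget.Fired is null ? "no" : "yes"));
        }

        byte[] legit = Encoding.UTF8.GetBytes("{\"Source\":\"dc01\",\"MaxEvents\":500}");
        AuditQuery q = Handlers.HandleSafe(legit);
        Console.WriteLine($"safe path: accepted {q.Source} / {q.MaxEvents}");
    }
}
```

The point of the pairing is that the fix is structural, not inspective: the vulnerable handler lets the client name the type, so no amount of byte-matching at the perimeter can separate a legitimate object graph from a gadget chain, whereas the hardened handler never consults the request for a type at all. Microsoft's own guidance is that BinaryFormatter cannot be made safe for untrusted input, so replacing it (not filtering it with a SerializationBinder) is the remediation; the same reasoning applies to any deserializer that honors type names from the wire.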

Erich Kron, security awareness advocate at KnowBe4, points out, as the advisory makes clear, that the attackers typically gain initial access through social engineering:

“For those using the Netwrix Auditor software, this is likely to be a pretty significant issue. Patching systems should be a top priority, as should looking for Indicators of Compromise (IOCs). Because agents such as these are likely to be deployed throughout an organization, it gives bad actors a great way to exploit the vulnerability, drop their own malware, then lay low for a while. Even if the agent is updated, once the damage is done, it could be very challenging to detect the ongoing intrusion.

"While the vulnerability can be exploited from within the system, since most initial network intrusions start with a social engineering attack, such as phishing, organizations should ensure employees are educated and trained to spot and report phishing attempts quickly.”