Alert - Increased Truebot activity infects U.S. and Canada based networks - Joint Cybersecurity Advisory

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat Cyber threatA threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries. that may impact cyber information assets, and to provide additional detection DetectionThe monitoring and analyzing of system events in order to identify unauthorized attempts to access system resources. and mitigation advice to recipients. The Canadian Centre for Cyber Security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On July 6, 2023, the Canadian Centre for Cyber Security (CCCS) joined cyber security partners from the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) to publish a joint Cybersecurity Advisory (CSA) in response to cyber threat actors leveraging newly identified Truebot malware MalwareMalicious software designed to infiltrate or damage a computer system, without the owner's consent. Common forms of malware include computer viruses, worms, Trojans, spyware, and adware. variants against organizations in Canada and the United States.^{Footnote 1}

Truebot is a botnet used by malicious cyber groups to collect and exfiltrate sensitive data from its target victims for financial gain. Previously used phishing PhishingAn attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking or spoofing a specific, usually well-known brand, usually for financial gain. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they may then use to commit fraudulent acts. campaigns have been successful but as recent as May 31, 2023, CVE-2022-31199 has been exploited for initial access; CVE-2022-31199 is a remote code execution vulnerability VulnerabilityA flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations. in the Netwrix Auditor application that can be used to deliver malware at scale within the compromised network. Open-source reporting and analytical findings show that cyber threat actors are using both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 exploitation to deliver new Truebot malware variants.

This joint advisory is being published to provide awareness on the Truebot malware variants. The Cybersecurity Advisory (CSA) contains technical details of the malware, indicators of compromise CompromiseThe intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability. (IoCs), tactics, techniques, and procedures (TTPs) used by the threat actors, detection methods and mitigations. Additional guidance is available in the Cyber Centre’s Ransomware RansomwareA type of malware that denies a user's access to a system or data until a sum of money is paid. playbook (ITSM.00.099) ^{Footnote 2} and in the Cyber Centre’s Top 10 IT security actions to protect Internet connected networks and information (ITSM.00.089) ^{Footnote 3}. These publications are based on analysis of cyber threat trends to help minimize intrusions or the impacts of a successful cyber intrusion.

The authoring organizations encourage hunting for malicious activity using guidance found in the referenced CSA to reduce the likelihood and impact of future incidents.

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.