CISA Releases Joint Advisory on Truebot Malware

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have issued a joint advisory in response to a surge in cyber threats from Truebot malware variants. These threats are particularly targeted toward organizations in the United States and Canada. 

What is Truebot malware?

Truebot is a type of malicious software often used by cybercriminal groups like the CL0P Ransomware Gang to collect and steal sensitive information from their targets. New versions of this software are now being delivered through a vulnerability in the Netwrix Auditor application (CVE-2022-31199), along with the conventional method of phishing emails. This allows the attackers to distribute the malware more effectively within a compromised system. 

What is Nuspire doing to address the emergence of Truebot malware?

Nuspire has reviewed the indications of compromise within the advisory and threat hunts within client environments. 

How should I protect myself from Truebot malware?

Truebot is becoming a popular tool for ransomware groups, especially CL0P Ransomware. Organizations should review and implement the following recommendations: 

1. Patch Netwrix Auditor: Upgrade Netwrix Auditor to version 10.5 or higher to mitigate the remote code execution vulnerability the threat actors exploit.
2. Enhance Email Security: Strengthen your email security protocols to guard against phishing emails. This can include measures such as spam filters, warning messages for external emails and user education on spotting suspicious emails.
3. Monitor for Indicators of Compromise (IOCs): Keep an eye out for the signs of Truebot malware, as detailed in the advisory. This can include unusual network traffic, unrecognized files or software, and unauthorized access to sensitive information.
4. Respond and Report: If IOCs are detected, immediately follow the incident response measures provided in the advisory. Also, report the intrusion to CISA or the FBI to help them track and combat this threat.
5. Use MITRE ATT&CK for Enterprise Framework: Utilize this framework to map…