The Canadian Centre for Cyber Security, in collaboration with the FBI and other American agencies, has sounded the alarm over a spike in cyberattacks using the “Truebot” malware.
As of a July 6 report, the hackers' primary targets are corporate networks in Canada and the U.S. They exploit a vulnerability in a security product to access and steal sensitive information for financial gain. Over 7,000 organizations, spanning the insurance, healthcare, legal, and financial industries, depend on the affected software, Netwrix Auditor.
Anil Somayaji, an academic in computer science at Carleton University in Ottawa, highlighted that a compromised security program, given its elevated access level, implies victory for the attackers. Such security breaches are especially harmful when they occur in systems where the protection of data is paramount.
Netwrix, based in Texas, is actively encouraging its client base to update their software and sever any internet connections to systems that have it installed. Gerrit Lansing, Netwrix’s top security officer, clarified the potential danger by stating that this vulnerability, if exploited, could permit hackers to launch enumeration attacks and try privilege escalations – both foundational steps in any cyberattack.
The software, Netwrix Auditor, is promoted as a tool that bolsters IT security, ensures compliance and improves team productivity. But the flaw the malware exploits allows remote code execution, which could give attackers full control of entire systems, endangering the very data that Netwrix Auditor is meant to safeguard.
Emphasizing the gravity of the situation, Somayaji noted that once these systems are compromised, the attackers essentially hold the reins, giving them the power to encrypt all data, thereby holding it for ransom.
Key stakeholders including the Communications Security Establishment (CSE) of Canada, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) of the U.S., have jointly warned of this emergent cyber threat.
Truebot was first detected in 2017, and preliminary investigations by private security researchers suggest the Russian-speaking Silence Group is behind it. This group has allegedly aimed its cyberattacks at financial institutions in ex-Soviet nations and beyond. However, a CSE representative stated they could not confirm these claims.
A significant shift in the malware's mode of infiltration has been observed. Earlier versions relied on tricking users with phishing emails. Now the attackers exploit a specific vulnerability in the Netwrix Auditor software, eliminating the need for any user mistake.
To combat this, the CSE is advising IT personnel to familiarize themselves with its technical alert and cybersecurity advisory.
Concluding, Somayaji noted that vulnerabilities in security products aren’t new. Various actors, ranging from individuals with personal vendettas to intelligence organizations, could be the culprits.