Skip to main content

Canadian cybersecurity agency and FBI issue advisory over rising 'Truebot' cyberattacks

Networking cables and circuit boards are shown in Toronto on Wednesday, November 8, 2017. (THE CANADIAN PRESS/Nathan Denette) Networking cables and circuit boards are shown in Toronto on Wednesday, November 8, 2017. (THE CANADIAN PRESS/Nathan Denette)

The Canadian Centre for Cyber Security has issued a joint advisory with the FBI and other U.S. agencies about increasing attacks from "Truebot" malware.

According to the July 6 alert, hackers are using a vulnerability in security software to access computer networks at organizations in Canada and the U.S. in order to steal sensitive data for financial gain. The company behind the compromised software says more than 7,000 organizations rely on what's known as Netwrix Auditor, including clients from the insurance, financial, healthcare and legal sectors.

"A security program, in order for it to work, requires high levels of access, so if it gets compromised… the attackers won," Anil Somayaji, an associate professor of computer science at Carleton University in Ottawa, told over the phone on Thursday. "It's the worst kind of vulnerability in very sensitive software that's deployed in precisely those places where they care about security."

Texas-based Netwrix is urging customers to upgrade the software and ensure that systems running it are disconnected from the internet.

"This vulnerability may permit an attacker to execute arbitrary code on a Netwrix Auditor system that is exposed to the internet, contrary to deployment best practices," Netwrix chief security officer Gerrit Lansing said in a statement to "In turn, an attacker will be able to run enumeration attacks and conduct privilege escalation attempts in an infiltrated network. Both activities – enumeration and privilege escalation – are at the core of any cyber-attack."

The Netwrix Auditor is marketed as a digital tool that organizations can use to "detect security threats, prove compliance and increase IT team efficiency."

"Minimize IT risks and proactively spot threats," the Netwrix Auditor website advertises. "Reduce the risk to your critical assets by identifying your top data and infrastructure security gaps and exposing loose permissions."

Somayaji says that the very nature of the software and attack, known as a remote code execution, could give hackers access to entire computer systems and the type of sensitive data Netrix Auditor is designed to protect.

"Once they're infected, they basically have control of these systems and then they can… encrypt all your data so that now it can only be decrypted by the attacker," said Somayaji, whose research interests include computer security and intrusion detection. "That's the idea of ransomware: I've encrypted your data, if you want it back, you have to pay me for the key, otherwise you'll never be able to recover it."

The Canadian Centre for Cyber Security is part of the Communications Security Establishment (CSE), which is Canada's cybersecurity and digital intelligence agency. It issued the joint alert about the new cyber threat alongside the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in the U.S.

"Whenever you see these things pop up, it's like the tip of a iceberg," Somayaji said. "The fact that the Canadian Centre for Cyber Security, CISA, FBI, they're all putting out this press release, this makes me think some big players are using this stuff."

First identified in 2017, private security researchers say they have traced Truebot malware to hackers in the purportedly Russian-speaking Silence Group, which has allegedly targeted financial institutions in former Soviet countries and others worldwide. A spokesperson from the CSE said they are "not in a position to validate those findings."

"Previous versions of the Truebot malware relied on malicious phishing emails to infiltrate systems by tricking recipients into clicking a hyperlink to execute the malware," the CSE spokesperson explained. "More recently, cyber threat actors have added a new tactic and are exploiting a remote code execution vulnerability – known as CVE-2022-31199 – within the Netwrix Auditor software to launch the malware, essentially eliminating the need for human error that is required for a phishing attack to be successful."

The CSE in Canada is urging impacted IT operators to read its technical alert and cyber security advisory for more information and solutions.

Somayaji says Netwrix isn’t the first security software company to face a breach like this.

"If you look in the past, many security products have turned out to have major vulnerabilities," Somayaji said. "Some of this could be just people trying to make money, some of it could be intelligence organizations, some of it could be just random individuals who have an axe to grind." Top Stories

Local Spotlight