Published July 7, 2023 at 7:30 p.m. ET
Updated July 7, 2023 at 7:33 p.m. ET
The Canadian Center for Cyber Security has issued a joint advisory with the FBI and other US agencies regarding the increase in “Truebot” malware attacks.
According to the July 6 alert, hackers are using a vulnerability in security software to gain access to the computer networks of organizations in Canada and the United States to steal sensitive data for financial gain. The company behind the compromised software says more than 7,000 organizations trust what’s called Netwrix Auditor, including customers in the insurance, finance, healthcare and legal industries.
“A security program, to work, requires high levels of access, so if it is compromised… the attackers win,” Anil Somayaji, associate professor of computer science at Carleton University in Ottawa, told CTVNews.ca by phone Thursday. “This is the worst kind of vulnerability in highly sensitive software deployed precisely in places where they care about security.”
Netwrix, based in Texas, is urging customers to upgrade the software and ensure that the systems running it are disconnected from the Internet.
“This vulnerability may allow an attacker to execute arbitrary code on a Netwrix Auditor system exposed to the Internet, contrary to deployment best practices,” Netwrix Chief Security Officer Gerrit Lansing said in a statement to CTVNews.ca. “In turn, an attacker will be able to launch enumeration attacks and attempt to elevate their privileges in an infiltrated network. Both activities – privilege enumeration and privilege escalation – are at the heart of any cyberattack.”
Netwrix Auditor is marketed as a digital tool that organizations can use to “detect security threats, demonstrate compliance, and increase IT team efficiency.”
“Minimize IT risks and proactively detect threats,” announces the Netwrix Auditor website. “Reduce risk to your critical assets by identifying your key data and infrastructure security vulnerabilities and exposing loose permissions.”
Somayaji says the very nature of the software and the attack, known as remote code execution, could give hackers access to entire computer systems and the kind of sensitive data that Netwrix Auditor is designed to protect.
“Once infected, they control these systems and can then… encrypt all your data so that it can only be decrypted by the attacker,” said Somayaji, whose research includes computer security and intrusion detection. “It’s the principle of ransomware: I encrypted your data, if you want to recover it, you must pay me for the key, otherwise you will never be able to recover it.”
The Canadian Center for Cyber Security is part of the Communications Security Establishment (CSE), Canada’s cybersecurity and digital intelligence agency. It issued a joint alert on the new cyber threat alongside the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) in the United States.
“Every time you see these things pop up, it’s like the tip of an iceberg,” Somayaji said. “The fact that the Canadian Center for Cyber Security, CISA, FBI are all putting out this press release makes me think some big players are using this stuff.”
First identified in 2017, Truebot malware has been traced by private security researchers to hackers in the allegedly Russian-speaking Silence Group, which allegedly targeted financial institutions in former Soviet countries and other countries around the world. A CSE spokesperson said it was “unable to validate these findings”.
“Previous versions of the Truebot malware relied on malicious phishing emails to infiltrate systems by tricking recipients into clicking on a hyperlink to execute the malware,” the CSE spokesperson explained. “More recently, cyber threat actors added a new tactic and leveraged a remote code execution vulnerability – known as CVE-2022-31199 – in Netwrix Auditor software to launch the malware, eliminating the need for human error necessary for a phishing attack to be successful.”
CSE in Canada urges affected IT operators to read its technical alert and cybersecurity notice for more information and solutions.
Somayaji says Netwrix is not the first security software company to face a breach like this.
“If you look at the past, many security products have been found to have major vulnerabilities,” Somayaji said. “It could be in part simply people trying to make money, in part intelligence organizations, or in part random individuals with vested interests.”