TrueBot | Breaking Cybersecurity News | The Hacker News

Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability ( CVE-2022-31199 ) in the widely used Netwrix Auditor server and its associated agents. This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems. The TrueBot malware , linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks. The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their p

A surge in TrueBot activity was observed in May 2023, cybersecurity researchers disclosed. "TrueBot is a downloader trojan botnet that uses command and control servers to collect information on compromised systems and uses that compromised system as a launching point for further attacks," VMware's Fae Carlisle  said . Active since at least 2017, TrueBot is linked to a group known as Silence that's believed to share overlaps with the notorious Russian cybercrime actor known as  Evil Corp . Recent  TrueBot infections  have leveraged a critical flaw in Netwrix Auditor ( CVE-2022-31199 , CVSS score: 9.8) as well as  Raspberry Robin  as delivery vectors. The attack chain documented by VMware, on the other hand, starts off with a drive-by-download of an executable named " update.exe " from Google Chrome, suggesting that users are lured into downloading the malware under the pretext of a software update. Once run, update.exe establishes connections with a k

Over the past two years, a shocking  51% of organizations surveyed in a leading industry report have been compromised by a cyberattack.  Yes, over half.  And this, in a world where enterprises deploy  an average of 53 different security solutions  to safeguard their digital domain.  Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate. With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today's pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation prac

A new analysis of Raspberry Robin's attack infrastructure has  revealed  that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has  increasingly   come under the radar  for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish , Bumblebee ,  TrueBot ,  IcedID , and  LockBit  ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware. Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2). Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hos