Arab Canada News
Published: July 8, 2023
The Canadian Centre for Cyber Security has issued a joint advisory with the FBI and other U.S. agencies about an increase in attacks involving the "Truebot" malware.
According to the July 6 warning, hackers use a vulnerability in security software to access computer networks in institutions in Canada and the United States to steal sensitive data for financial gain. The company behind the compromised software says that more than 7,000 institutions rely on what is known as "Netwrix Auditor," including clients from the insurance, financial, healthcare, and legal sectors.
Anil Somayaji, Associate Professor of Computer Science at Carleton University in Ottawa, said, "For the security software to work, it requires high levels of access, so if it is compromised, the attackers win. It is the worst type of vulnerability in highly sensitive software that is specifically deployed in those places where security matters."
Netwrix, based in Texas, urges customers to upgrade the software and ensure that the systems running it are disconnected from the internet.
The company's Chief Security Officer, Gerrit Lansing, said, "This vulnerability may allow an attacker to execute arbitrary code on an internet-exposed Netwrix Auditor system, contrary to best deployment practices," confirming that the attacker would be able to perform enumeration attacks and attempt privilege escalation in a compromised network, and noting that both activities, enumeration and privilege escalation, are at the core of any cyber attack.
Netwrix Auditor is marketed as a digital tool that organizations can use to detect security threats, prove compliance, and increase IT team efficiency.
The Netwrix Auditor website also claims that the product reduces IT risk and proactively detects threats, and that it lowers the risk to critical assets by identifying an organization's most important data and infrastructure security vulnerabilities and exposing lax permissions.
Somayaji says, "The nature of the software and the attack, known as remote code execution, can give hackers full access to computer systems and the type of sensitive data it was designed to protect."
Somayaji, whose research interests include computer security and intrusion detection, continued, "Once they are infected, they essentially control these systems and can then encrypt all your data so that it can only be decrypted now by the attacker; this is the idea of ransomware—your data is encrypted, if you want to recover it you have to pay me for the key, otherwise you will never be able to recover it."
The Canadian Centre for Cyber Security is part of the Communications Security Establishment, Canada’s cybersecurity and digital intelligence agency, and issued a joint alert about the new cyber threat alongside the FBI, the Cybersecurity and Infrastructure Security Agency, and the Multi-State Information Sharing and Analysis Center in the United States.
Somayaji said, "When you see these things emerge, they are like the tip of the iceberg; the fact that the Canadian Cyber Security Centre and the FBI both issued this press release makes me think that some big players are using these things."
Private security researchers say they have tracked the Truebot malware, first identified in 2017, back to hackers in the alleged Russian-speaking Silence Group, which is said to have targeted financial institutions in former Soviet Union countries and others worldwide. A spokesperson for the Canadian Cyber Security Agency said they "are not in a position to verify these findings."
The spokesperson explained, "Previous versions of the Truebot malware relied on malicious emails to infiltrate systems by tricking recipients into clicking a hyperlink to execute the malware. Recently, cyber threat actors have added a new method and are exploiting a remote code execution vulnerability—known as CVE-2022-31199—in the Netwrix Auditor software to deploy the malware, effectively eliminating the need for the human error required for a phishing attack to succeed."
The Canadian Cyber Security Agency urges affected IT operators to read the technical alert and cybersecurity advisories for more information and solutions.
Somayaji says Netwrix is not the first security software company to face such a breach: "If you look back, many security products have had significant vulnerabilities. Some of these may be just people trying to make money, some may be intelligence organizations, and some may be just random individuals with an axe to grind."