<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Franklin Gothic Book";
panose-1:2 11 5 3 2 1 2 2 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.paragraph, li.paragraph, div.paragraph
{mso-style-name:paragraph;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.normaltextrun
{mso-style-name:normaltextrun;}
span.eop
{mso-style-name:eop;}
span.spellingerror
{mso-style-name:spellingerror;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">FYSA<o:p></o:p></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif"><o:p> </o:p></span></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">As the nation’s cyber defense agency, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information
Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), “</span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-187a" target="_blank"><span class="normaltextrun"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">Increased
Truebot Activity Infects U.S. and Canada Based Networks</span></span></a></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">,” to help organizations detect and protect against newly identified
</span></span><span class="spellingerror"><span style="font-family:"Franklin Gothic Book",sans-serif">Truebot</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif"> malware variants.</span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline">
<o:p> </o:p></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">As recently as May 2023, cyber threat actors have been observed using new malware variants of
</span></span><span class="spellingerror"><span style="font-family:"Franklin Gothic Book",sans-serif">Truebot</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif"> (also known as Silence Downloader) to collect
and exfiltrate information from its target victims. Newer versions of </span></span><span class="spellingerror"><span style="font-family:"Franklin Gothic Book",sans-serif">Truebot</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">
malware allow malicious actors to gain initial access through exploiting a known vulnerability with
</span></span><span class="spellingerror"><span style="font-family:"Franklin Gothic Book",sans-serif">Netwrix</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif"> Auditor application (CVE-2022-3119). When exploited,
actors can execute remote code and achieve lateral movement, thus, spreading the malware to collect and exfiltrate information within the compromised environment.</span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><o:p> </o:p></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">All organizations are recommended to review the advisory and implement recommended mitigations<span style="color:black"> that can help reduce the impact and risk of compromise
by ransomware or data extortion actors<b>. </b>Some of the recommended mitigations</span> include mandating phishing-resistant multifactor authentication and apply vendor patches—as applicable to
</span></span><span class="spellingerror"><span style="font-family:"Franklin Gothic Book",sans-serif">Netwrix</span></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif"> Auditor.</span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></span></p>
<p class="paragraph" style="mso-margin-top-alt:0in;margin-right:31.5pt;margin-bottom:0in;margin-left:0in;vertical-align:baseline">
<o:p> </o:p></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">Also, organizations are reminded to visit
</span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><a href="https://cisa.gov/stopransomware" target="_blank"><span class="normaltextrun"><span style="font-size:11.0pt;font-family:"Franklin Gothic Book",sans-serif">StopRansomware.gov</span></span></a></span><span class="normaltextrun"><span style="font-family:"Franklin Gothic Book",sans-serif">
which provides a range of free U.S. government resources and services that can help bolster cyber hygiene, cybersecurity posture and reduce risk to ransomware.</span></span><span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> <o:p></o:p></span></span></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:#1F497D">Theresa A. Masse<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity State Coordinator/Advisor, Region 10 (Oregon)
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Cybersecurity and Infrastructure Security Agency<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Department of Homeland Security<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Phone: (503) 930-5671
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;color:#1F497D">Email:</span><span style="font-size:10.0pt;color:#777777">
</span><a href="mailto:theresa.masse@cisa.dhs.gov"><span style="font-size:10.0pt">theresa.masse@cisa.dhs.gov</span></a><u><span style="font-size:10.0pt;color:#0760C1"><o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><img border="0" width="97" height="97" style="width:1.0138in;height:1.0138in" id="Picture_x0020_2" src="cid:image002.png@01D9AFEE.97AC77C0"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline"><o:p> </o:p></p>
<p class="paragraph" style="margin:0in;vertical-align:baseline;user-select: text;-webkit-user-drag: none;-webkit-tap-highlight-color: transparent;overflow-wrap: break-word;white-space:pre-wrap;font-kerning: none">
<span class="eop"><span style="font-family:"Franklin Gothic Book",sans-serif"> </span></span><span style="font-size:9.0pt;font-family:"Segoe UI",sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>