In a concerning development, hackers associated with the Truebot malware operation have been leveraging a known vulnerability in the Netwrix Auditor application to breach organizations in the United States and Canada. This exploit has caught the attention of the Cybersecurity and Infrastructure Security Agency (CISA), which has issued a warning urging network administrators to immediately apply patches for remote code execution flaws found in IT auditing software sold by Netwrix.
Warning from CISA
CISA has sounded the alarm, emphasizing the urgency for network admins to take action and apply the necessary patches to protect their systems. The remote code execution flaws in Netwrix software pose a serious risk, potentially allowing attackers to gain unauthorized access to sensitive data.
Discovery of the vulnerability
The vulnerability, known as CVE-2022-31199, was initially identified by researchers at Bishop Fox one year ago. Since then, it has remained unpatched, leaving organizations exposed to potential attacks. This discovery highlights the critical nature of promptly addressing and fixing vulnerabilities to prevent exploitation by malicious actors.
Exploitation of the vulnerability
By exploiting CVE-2022-31199, attackers can achieve arbitrary code execution on servers running Netwrix Auditor. This provides them with a gateway to infiltrate organizations and compromise their systems. In this case, the attackers have chosen to utilize the Truebot malware, which allows them to deliver new malware variants and exfiltrate valuable information.
Release of Netwrix Auditor fixes
Recognizing the severity of the situation, Netwrix has acted swiftly and released Netwrix Auditor version 10.5, which includes fixes for the vulnerabilities. Organizations are strongly urged to update their software to the latest version to safeguard their systems against potential attacks.
Malware distribution and data exfiltration
Reports indicate that threat actors have been actively exploiting the Netwrix Auditor flaw to distribute Truebot malware variants and collect data from organizations in the US and Canada. To achieve this, the attackers have used phishing campaigns containing malicious redirect hyperlinks, tricking unsuspecting users into clicking on harmful links that facilitate the introduction of malware into their systems.
In response to this ongoing threat, CISA, in collaboration with law enforcement partners, has published a detailed technical document containing indicators of compromise (IOCs) and other pertinent information. This resource aims to assist defenders in identifying signs of compromise and taking appropriate measures to mitigate the risk.
CISA recommends implementing robust application controls to effectively manage and control the execution of software. This includes employing allow-listing for remote access programs, ensuring that only authorized software can run on the system. Additionally, the adoption of phishing-resistant multifactor authentication technology is encouraged, as it provides an extra layer of protection against unauthorized access attempts.
The exploitation of the Netwrix Auditor vulnerability by hackers involved in the Truebot malware operation serves as a stark reminder of the constant threats faced by organizations in today’s digital landscape. Prompt patching of vulnerabilities, along with a vigilant and proactive approach to cybersecurity, is crucial to defending against emerging threats. By prioritizing security measures and promptly applying patches, organizations can significantly reduce their risk of falling victim to such exploits and protect their valuable data and systems from malicious actors.