The US government’s cybersecurity agency CISA on Thursday warned that hackers linked to the Truebot malware operation are exploiting a known vulnerability in the Netwrix Auditor application to break into organizations in the US and Canada.
In a joint advisory issued alongside the FBI and information sharing partners in Canada, CISA urged network admins to immediately apply patches for remote code execution flaws in IT auditing software sold by Netwrix.
The issue, tagged as CVE-2022-31199, was discovered by researchers at Bishop Fox exactly one year ago with warnings that attackers can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor.
“Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain,” Bishop Fox explained at the time.
Netwrix, which claims to have more than 11,500 customers worldwide, released Netwrix Auditor version 10.5 with fixes for the vulnerabilities.
A year later, CISA and law enforcement partners say malicious hackers are exploiting this Netwrix Auditor flaw to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the US and Canada.
“Based on confirmation from open-source reporting and analytical findings of Truebot variants, threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks,” according to the joint advisory.
The agencies published a detailed technical document with IOCs (indicators of compromise) and other data to help defenders hunt for signs of compromise and to nudge sysadmins into maintaining good security hygiene.
In addition to applying all available patches, CISA also recommends that organization reduce the threat of malicious actors using remote access tools by implementing application controls to manage and control execution of software, including allow-listing remote access programs.
It also called on targeted businesses to strictly limit the use of RDP and other remote desktop services and apply rigorous best-practices to audit the network for systems using RDP; and to apply phishing-resistant multifactor authentication (MFA) technology.
Related: CISA, NSA Share Guidance on Securing CI/CD Environments
Related: CISA Says Critical Zyxel NAS Vulnerability Exploited
Related: CISA Tells US Agencies to Patch Roundcube, VMware Flaws
Related: Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Progress Software Patches Critical Pre-Auth Flaws in WS_FTP Server Product
- Chinese Gov Hackers Caught Hiding in Cisco Router Firmware
- CISA Unveils New HBOM Framework to Track Hardware Components
- Gem Security Lands $23 Million Series A Funding
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
- CrowdStrike to Acquire Application Intelligence Startup Bionic
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
