Connect with us

Hi, what are you looking for?


Application Security

Truebot Hackers Exploiting Netwrix Auditor Flaw: CISA, FBI Alert

Hackers linked to the Truebot malware are exploiting a year-old Netwrix Auditor flaw to break into organizations in the U.S. and Canada.

The US government’s cybersecurity agency CISA on Thursday warned that hackers linked to the Truebot malware operation are exploiting a known vulnerability in the Netwrix Auditor application to break into organizations in the US and Canada.

In a joint advisory issued alongside the FBI and information sharing partners in Canada, CISA urged network admins to immediately apply patches for remote code execution flaws in IT auditing software sold by Netwrix.

The issue, tagged as CVE-2022-31199, was discovered by researchers at Bishop Fox exactly one year ago with warnings that attackers can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. 

“Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain,” Bishop Fox explained at the time.

Netwrix, which claims to have more than 11,500 customers worldwide, released Netwrix Auditor version 10.5 with fixes for the vulnerabilities.

A year later, CISA and law enforcement partners say malicious hackers are exploiting this Netwrix Auditor flaw to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the US and Canada.

“Based on confirmation from open-source reporting and analytical findings of Truebot variants, threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks,” according to the joint advisory.

Advertisement. Scroll to continue reading.

The agencies published a detailed technical document with IOCs (indicators of compromise) and other data to help defenders hunt for signs of compromise and to nudge sysadmins into maintaining good security hygiene.

In addition to applying all available patches, CISA also recommends that organization reduce  the threat of malicious actors using remote access tools by implementing application controls to manage and control execution of software, including allow-listing remote access programs.

It also called on targeted businesses to strictly limit the use of RDP and other remote desktop services and apply rigorous best-practices to audit the network for systems using RDP; and to apply phishing-resistant multifactor authentication (MFA) technology.

Related: CISA, NSA Share Guidance on Securing CI/CD Environments

Related: CISA Says Critical Zyxel NAS Vulnerability Exploited

Related: CISA Tells US Agencies to Patch Roundcube, VMware Flaws

Related: Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.