The US government’s cybersecurity agency CISA on Thursday warned that hackers linked to the Truebot malware operation are exploiting a known vulnerability in the Netwrix Auditor application to break into organizations in the US and Canada.
In a joint advisory issued alongside the FBI and information sharing partners in Canada, CISA urged network admins to immediately apply patches for remote code execution flaws in IT auditing software sold by Netwrix.
The issue, tagged as CVE-2022-31199, was discovered by researchers at Bishop Fox exactly one year ago with warnings that attackers can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor.
“Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain,” Bishop Fox explained at the time.
Netwrix, which claims to have more than 11,500 customers worldwide, released Netwrix Auditor version 10.5 with fixes for the vulnerabilities.
A year later, CISA and law enforcement partners say malicious hackers are exploiting this Netwrix Auditor flaw to deliver new Truebot malware variants and to collect and exfiltrate information against organizations in the US and Canada.
“Based on confirmation from open-source reporting and analytical findings of Truebot variants, threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks,” according to the joint advisory.
The agencies published a detailed technical document with IOCs (indicators of compromise) and other data to help defenders hunt for signs of compromise and to nudge sysadmins into maintaining good security hygiene.
In addition to applying all available patches, CISA also recommends that organization reduce the threat of malicious actors using remote access tools by implementing application controls to manage and control execution of software, including allow-listing remote access programs.
It also called on targeted businesses to strictly limit the use of RDP and other remote desktop services and apply rigorous best-practices to audit the network for systems using RDP; and to apply phishing-resistant multifactor authentication (MFA) technology.