Advisory

Warning of Malware Exploiting unpatched Netwrix Auditor

Take action: It's truly embarrassing when your advanced user monitoring tool for threat detection is the vector of malware attacks. Patch your Netwrix Auditor and review the network for potential exploitation.


Multiple cybersecurity agencies have issued warnings regarding new variants of the TrueBot malware, which aims to extract sensitive data from compromised networks.

The malware exploits a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents.

This vulnerability allows unauthorized attackers to execute malicious code with SYSTEM user privileges, granting them unrestricted access to compromised systems.

The attackers exploit the vulnerability to gain access, install TrueBot, and further escalate privileges using the FlawedGrace Remote Access Trojan (RAT). The attackers also deploy Cobalt Strike beacons for post-exploitation tasks. The newer versions of the TrueBot malware leverage the CVE-2022-31199 vulnerability for initial access, enabling larger-scale attacks within compromised environments.

The attack surface of this vulnerability is massive, since Netwrix Auditor software is utilized by over 13,000 organizations globally, including prominent companies such as Airbus, Allianz, the UK NHS, and Virgin.

Organizations are urged to:

  1. Apply patches: Organizations using Netwrix Auditor should apply the necessary patches to address the CVE-2022-31199 vulnerability and update their software to version 10.5 or higher.
  2. Update security measures: Implement multi-factor authentication (MFA) for all employees and services.
  3. Monitor for indicators of compromise (IOCs): Security teams should proactively monitor their networks for signs of TrueBot infection.
  4. Report incidents: If organizations detect IOCs or suspect a TrueBot infection, they should promptly take the incident response actions outlined in the advisory and report the incident to CISA or the FBI.
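As an added example (not from the advisory or from Netwrix), the following PowerShell snippet checks whether Netwrix Auditor is installed on a Windows host and whether its version is at or above 10.5, the fixed version named in step 1. It assumes the product registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "Netwrix Auditor"; that name match and the registry location are assumptions, not vendor documentation.

```powershell
# Added example: flag Netwrix Auditor installs below 10.5 (CVE-2022-31199).
# Assumption: the product appears under the standard Uninstall keys with a
# DisplayName containing "Netwrix Auditor".
$fixedVersion = [version]'10.5'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Netwrix Auditor*' }

if (-not $installs) {
    Write-Output 'Netwrix Auditor not found under the Uninstall registry keys.'
    return
}

foreach ($app in $installs) {
    $installed = $null
    # DisplayVersion is a string; parse it so the comparison is numeric, not lexical
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        Write-Output ("{0}: could not parse version '{1}', verify manually" -f
            $app.DisplayName, $app.DisplayVersion)
        continue
    }
    if ($installed -ge $fixedVersion) {
        Write-Output ("{0} {1}: at or above {2}, patched for CVE-2022-31199" -f
            $app.DisplayName, $installed, $fixedVersion)
    } else {
        Write-Output ("{0} {1}: BELOW {2}, vulnerable to CVE-2022-31199, update required" -f
            $app.DisplayName, $installed, $fixedVersion)
    }
}
```

Run it on each Netwrix Auditor server and agent host; a parse failure or a "BELOW" line means the host needs the step 1 update and the step 3 review.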