CISA warns: "hackers exploit known vulnerability in Netwrix Auditor software"
How CISA and its partners are responding to the active exploitation of the Netwrix Auditor vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a known vulnerability whose exploitation is driving an increase in intrusions in the United States and Canada. The flaw sits in the Netwrix Auditor software, and cybercriminals are using it to get a foothold inside organizations. According to the joint advisory released by CISA together with the FBI, MS-ISAC and the Canadian Centre for Cyber Security (CCCS), the exploit is being used to deliver the Truebot malware.
The discovery of the vulnerability and the corrective measures
The underlying bug, tracked as CVE-2022-31199, was reported by Bishop Fox researchers about a year earlier. It is an insecure deserialization flaw in the .NET Remoting service that Netwrix Auditor exposes over the network, and Bishop Fox warned at the time that it lets a remote attacker execute arbitrary code on the machine running the Auditor. Because the Auditor service typically runs with extensive privileges inside an Active Directory environment, a successful exploit could plausibly lead to compromise of the entire AD domain. Netwrix, which says it has more than 11,500 customers worldwide, fixed the issue in Netwrix Auditor version 10.5.
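As an added example that is not part of the original article nor of Netwrix's or Bishop Fox's tooling, the PowerShell below inventories Netwrix Auditor installations on a Windows host through the Uninstall registry keys, flags anything older than the fixed 10.5 release, and reports whether the Auditor's network listener is bound to a non-loopback address. The DisplayName pattern 'Netwrix Auditor*' and the TCP port 9004 used for the listener check are assumptions for illustration; confirm both against your own installation before relying on the result.

```powershell
# Added example (not vendor code): find Netwrix Auditor installs below the fixed
# version 10.5 and report any network-exposed listener.
# Assumptions: DisplayName starts with 'Netwrix Auditor'; the Auditor's
# .NET Remoting service listens on TCP 9004. Verify both on your hosts.
$fixed = [version]'10.5'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Netwrix Auditor*' }

if (-not $installs) {
    Write-Output 'No Netwrix Auditor install found in the Uninstall registry keys.'
}

foreach ($app in $installs) {
    $ver = $null
    # DisplayVersion is a string such as '10.4.4567'; compare it as a [version]
    # so that 10.4.x sorts below 10.5 and 10.5.x sorts at or above it.
    if ([version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        $status = if ($ver -lt $fixed) { 'VULNERABLE (below 10.5)' } else { 'patched' }
        Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $ver, $status)
    } else {
        Write-Output ('{0}: could not parse version "{1}"' -f $app.DisplayName, $app.DisplayVersion)
    }
}

# Report the listener only if it is bound to something other than loopback,
# i.e. reachable from the network (assumed port 9004).
Get-NetTCPConnection -State Listen -LocalPort 9004 -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('Network-exposed listener on {0}:{1} owned by {2} (PID {3})' -f
            $_.LocalAddress, $_.LocalPort, $proc.ProcessName, $_.OwningProcess)
    }
```

Run it from an elevated session on each host that carries the Auditor role; a host that reports a version below 10.5 together with a non-loopback listener is the case the advisory describes and should be patched or isolated first.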
Truebot malware exploits the vulnerability
A year after the vulnerability was disclosed, CISA and its law-enforcement partners report that threat actors are exploiting CVE-2022-31199 to deliver new variants of the Truebot malware. The campaigns target US and Canadian organizations in order to harvest and exfiltrate data. The agencies base this conclusion on open-source reporting and on their own analysis of recent Truebot samples. Truebot is also delivered through phishing campaigns built around malicious hyperlinks that redirect victims to the payload.
Information security recommendations and preventive measures
The agencies have published a detailed technical advisory that includes indicators of compromise (IOCs) and other useful data to help defenders spot signs of compromise and to push system administrators toward sound security hygiene. Beyond applying all available patches, CISA recommends reducing the opportunity for malicious actors to abuse remote access tools: implement application controls to govern which software may execute, restrict the use of RDP (Remote Desktop Protocol) and other remote desktop services, and enforce strict auditing of the systems on which RDP remains enabled. Phishing-resistant multi-factor authentication (MFA) is also recommended. Organizations should put these preventive measures in place now, given that the threat is already being exploited in the wild.
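The RDP-related recommendations above translate into a few concrete host settings. The PowerShell below is an added example, not part of the original article or of the CISA advisory: it requires Network Level Authentication, scopes the built-in Remote Desktop firewall rules to a management subnet, audits for other rules that would still expose TCP 3389 to any address, and turns on logon auditing so RDP sessions appear in the Security log. The subnet 10.10.50.0/24 is an assumption; replace it with your own. The rule group name and the auditpol subcategory are the English-language defaults.

```powershell
# Added example (not CISA or vendor code): restrict and audit RDP on a Windows host.
# Assumption: management hosts live in 10.10.50.0/24. Run from an elevated session.
$mgmtSubnet = '10.10.50.0/24'

# 1. Require Network Level Authentication, so an unauthenticated client never
#    reaches the Windows logon screen.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Scope the built-in Remote Desktop allow rules to the management subnet.
#    With the default inbound policy (block), this closes 3389 to everyone else.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnet -Enabled True

# 3. Audit: any other enabled inbound TCP allow rule that opens 3389 (or all ports)
#    to 'Any' remote address silently re-exposes RDP. List such rules for review.
$reexposing = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -ne 'Remote Desktop' } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        ($port.Protocol -eq 'TCP' -or $port.Protocol -eq 'Any') -and
        ($port.LocalPort -eq 'Any' -or $port.LocalPort -contains '3389') -and
        ($addr.RemoteAddress -eq 'Any')
    }
if ($reexposing) {
    Write-Warning 'Enabled rules that still allow RDP from any remote address:'
    $reexposing | Select-Object DisplayName, Profile | Format-Table -AutoSize
}

# 4. Make RDP logons auditable: events 4624/4625 with LogonType 10
#    (RemoteInteractive) then identify RDP sessions in the Security log.
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# 5. Show the resulting state for verification.
Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' | Select-Object UserAuthentication
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress -Unique
```

Step 3 is the part most often skipped: a single broad "allow all inbound" rule added by another product quietly undoes the scoping in step 2, which is why the advisory pairs restricting RDP with auditing the hosts that still run it.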
07/07/2023 03:07
Marco Verro