"Truebot Hackers Exploiting Netwrix Auditor Flaw: CISA, FBI Alert"

The U.S. government’s cybersecurity agency CISA recently warned that hackers linked to the Truebot malware operation are exploiting a known vulnerability in the Netwrix Auditor application to break into organizations in the U.S. and Canada. In a joint advisory issued alongside the FBI and information sharing partners in Canada, CISA urged network admins to immediately apply patches for remote code execution flaws in IT auditing software sold by Netwrix. The vulnerability being exploited, CVE-2022-31199, was discovered by researchers at Bishop Fox exactly one year ago, with warnings that attackers can use this issue to achieve arbitrary code execution on servers running Netwrix Auditor. Security researchers at Bishop Fox stated that since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain. CISA and law enforcement partners say malicious hackers are exploiting this Netwrix Auditor flaw to deliver new Truebot malware variants and to collect and exfiltrate information from organizations in the U.S. and Canada. The joint advisory noted that, based on confirmation from open-source reporting and analytical findings of Truebot variants, threat actors leveraged the malware through phishing campaigns containing malicious redirect hyperlinks. In addition to applying all available patches, CISA also recommends that organizations reduce the threat of malicious actors using remote access tools by implementing application controls to manage and control the execution of software, including allow-listing remote access programs.

 

SecurityWeek reports: "Truebot Hackers Exploiting Netwrix Auditor Flaw: CISA, FBI Alert"

Submitted by Anonymous on