CISA: Netwrix Auditor RCE bug exploited in Truebot malware attacks (Security News, July 2023)

CISA and the FBI warned today of new Truebot malware variants deployed on networks compromised using a critical remote code execution vulnerability in the Netwrix Auditor software in attacks targeting organizations across the United States and Canada.
The bug impacts the Netwrix Auditor server and the agents installed on monitored network systems and enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges.
TrueBot is a malware downloader linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers to deploy Clop ransomware on compromised networks since December 2022.
"Previous Truebot malware variants were primarily delivered by cyber threat actors via malicious phishing email attachments; however, newer versions allow cyber threat actors to also gain initial access through exploiting CVE-2022-31199," the two federal agencies said in a joint report with MS-ISAC and the Canadian Centre for Cyber Security.
Based on the nature of Truebot operations observed so far, the primary goal of threat actors behind Truebot is to steal sensitive information from compromised systems for financial gain.
Organizations that detect any of the advisory's indicators of compromise on their networks should immediately implement the mitigation and incident response measures outlined in the advisory and report the incident to CISA or the FBI. If your organization uses Netwrix's IT system auditing software, you should apply the patches that address CVE-2022-31199 and update Netwrix Auditor to version 10.5.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK (CVSS) |
|---|---|---|---|
| 2022-11-08 | CVE-2022-31199 | Deserialization of Untrusted Data vulnerability in Netwrix Auditor 9.7/9.8. Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component, affecting both the Netwrix Auditor server and the agents installed on monitored systems. | 9.8 |