On the 6th of July 2023, a joint advisory was published by CISA, the FBI, and CCCS (Canadian Centre for Cyber Security) warning of a malware campaign actively exploiting a Remote Code Execution (RCE) vulnerability in Netwrix Auditor (CVE-2022-31199) for initial access. According to a July 2022 advisory by Bishop Fox, the security research firm that discovered CVE-2022-31199, successful exploitation may lead to the compromise of Active Directory because the software runs under a highly privileged account.
According to CISA, the Truebot malware has been used by the Russian-affiliated CL0P/TA505 ransomware-as-a-service operator, as well as by the Silence cybercriminal group and FIN11. Once exploitation of CVE-2022-31199 succeeds, the campaign uses Truebot as a command-and-control (C&C) mechanism, then deploys FlawedGrace to escalate privileges and establish persistence. Truebot and the associated threats described in this campaign have been observed targeting organizations in the US and Canada.
In response to the joint advisory on this malware campaign, Netwrix issued a press release recommending that all customers upgrade to Netwrix Auditor 10.5.10977.0 and, as a security best practice, ensure that Netwrix Auditor systems are not exposed to the internet. This is the same guidance the vendor gave when CVE-2022-31199 was first disclosed in July 2022.
Due to the significant risk posed by this vulnerability, Arctic Wolf strongly recommends that all Netwrix Auditor installations are upgraded to version 10.5.10977.0 as soon as possible.
Recommendations for CVE-2022-31199
Recommendation #1: Upgrade to the latest version of Netwrix Auditor
Arctic Wolf strongly recommends applying the latest security patch to prevent potential exploitation of this vulnerability. Netwrix has provided a security advisory with more details (login required).
Please follow your organization’s patching and testing guidelines to avoid operational impact.
| Product | Vulnerable Version | Patched Version |
|---|---|---|
| Netwrix Auditor | All supported versions prior to 10.5 | 10.5.10977.0 |
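To find installations that still need the upgrade, the following PowerShell script (an added example, not code from Arctic Wolf or Netwrix) inventories Netwrix Auditor entries on a Windows host and flags any build older than the patched release 10.5.10977.0. It assumes Netwrix Auditor registers itself under the standard Uninstall registry keys with a DisplayName beginning "Netwrix Auditor"; adjust `$NamePattern` if your install differs.

```powershell
# Added example: flag Netwrix Auditor builds older than the patched release.
# Assumption: the product appears in the Uninstall keys with DisplayName "Netwrix Auditor*".
$PatchedVersion = [version]'10.5.10977.0'
$NamePattern    = 'Netwrix Auditor*'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-NetwrixAuditorPatched {
    param(
        [Parameter(Mandatory)] [string] $DisplayVersion,
        [version] $Required = $PatchedVersion
    )
    # Returns $true only when the installed build is at or above the patched version.
    $installed = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$installed)) {
        # An unparseable version string is treated as unpatched so it gets reviewed.
        return $false
    }
    return ($installed -ge $Required)
}

$Findings = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern } |
    ForEach-Object {
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            DisplayName  = $_.DisplayName
            Version      = $_.DisplayVersion
            Patched      = Test-NetwrixAuditorPatched -DisplayVersion $_.DisplayVersion
        }
    }

if (-not $Findings) {
    Write-Output "No Netwrix Auditor installation found in the Uninstall registry keys."
} else {
    $Findings | Format-Table -AutoSize
    if ($Findings | Where-Object { -not $_.Patched }) {
        Write-Warning "Netwrix Auditor older than $PatchedVersion found; upgrade per Recommendation #1."
    }
}
```

Run it per host (or wrap it in `Invoke-Command` across your Netwrix Auditor servers) and treat any row with `Patched` equal to `False` as outstanding patch work.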
Recommendation #2: Do not expose systems running Netwrix Auditor to the internet
As a security best practice, Netwrix officially recommends that systems running Netwrix Auditor not be exposed to the internet.
Please evaluate the operational impact of this configuration in your environment.