CVE-2022-31199: Truebot Malware Campaign Actively Exploiting Netwrix Auditor RCE Vulnerability

Share :

On the 6th of July 2023, a joint advisory was published by CISA, the FBI, and CCCS (Canadian Center for Cyber Security) warning of a malware campaign actively exploiting a Remote Code Execution (RCE) vulnerability in Netwrix Auditor (CVE-2022-31199) for initial access. According to a July 2022 advisory by Bishop Fox, the security research firm that discovered the CVE-2022-31199 vulnerability, successful exploitation may lead to the compromise of Active Directory due to the fact that the software runs under a highly privileged account.

According to CISA, the Truebot malware has been known to be used by Russian-affiliated CL0P/TA505 ransomware-as-a-service operator, as well as the Silence cybercriminal group and FIN11. Once exploitation is achieved with CVE-2022-3199, the campaign utilizes Truebot as a command-and-control (C&C) mechanism, then deploys FlawedGrace as a means of escalating privileges and establishing persistence. Truebot and the associated threats described in this campaign have been observed targeting organizations in the US and Canada.

In response to the joint advisory in relation to this malware campaign, Netwrix issued a press release recommending that all customers upgrade to Netwrix Auditor 10.5.10977.0 and to ensure that Netwrix Auditor systems are not exposed to the internet as a security best practice. This is the same guidance that was recommended by the vendor when CVE-2023-31199 was first disclosed in July 2022.

Due to the significant risk posed by this vulnerability, Arctic Wolf strongly recommends that all Netwrix Auditor installations are upgraded to version 10.5.10977.0 as soon as possible.

Recommendations for CVE-2022-31199

Recommendation #1: Upgrade to the latest version of Netwrix Auditor

Arctic Wolf strongly recommends applying the latest security patch to prevent potential exploitation of this vulnerability. Netwrix has provided a security advisory with more details (log in required).

Please follow your organization’s patching and testing guidelines to avoid operational impact.

Product Vulnerable Version Patched version
Netwrix Auditor All supported versions prior to 10.5 10.5.10977.0

Recommendation #2: Do not expose systems running Netwrix Auditor to the internet

As a security best practice, Netwrix officially recommends that systems running Netwrix Auditor should not be exposed to the internet.

Please evaluate the operational impact of this configuration in your environment.


Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security and holds a bachelor’s degree in Cybersecurity Engineering.
Share :
Table of Contents
Subscribe to our Monthly Newsletter