Newly Identified Truebot Malware Variants - 20230707001

Overview

CISA has released a new joint advisory on newer versions of Truebot malware, which allow malicious actors to gain initial access by exploiting a known vulnerability in the Netwrix Auditor application.

What is the vulnerability?

CVE-2022-31199 - CVSS v3.1 Base Score: 9.8

Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component, affecting both the Netwrix Auditor server and agents installed on monitored systems. They potentially allow unauthenticated remote attackers to execute arbitrary code as the NT AUTHORITY\SYSTEM user on the affected systems.

What is vulnerable?

The vulnerability affects the following products:

  • Netwrix Auditor application prior to version 10.5

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month... (refer to Patch Management):

Additional References