Indiscriminate, opportunistic attacks.
CVE-2022-31199 is a vulnerability in Netwrix Auditor that affects both the Auditor server and the agents it installs on monitored systems. The flaw is an insecure object deserialization in the product's .NET Remoting service: an unauthenticated attacker who can reach that service over the network can execute arbitrary code on the host as NT AUTHORITY\SYSTEM, the most privileged local account on Windows, with no user interaction required.
A comprehensive endpoint detection and response (EDR) solution such as Microsoft Defender for Endpoint adds a further layer of protection against known threats. An EDR can alert defenders to suspicious behaviour on the host (for example, a SYSTEM-level service unexpectedly spawning a command interpreter or downloading a payload) and block or isolate the machine before the malware is able to do significant damage.
Netwrix Auditor software.
Containment, Mitigations & Remediations
If your organisation runs Netwrix's IT system auditing software, update Netwrix Auditor to version 10.5 or later, which contains the fix for CVE-2022-31199. Until the upgrade is complete, restrict network access to the Auditor server and its agents so that only trusted management hosts can reach them: because the flaw needs no authentication, network reachability is the entire attack surface.
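The following PowerShell check is an added example, not code from Netwrix or from the original advisory. It reads the standard Windows Uninstall registry keys to find the installed Netwrix Auditor version and compares it with the first fixed release (10.5). The DisplayName pattern `Netwrix Auditor*` and the `Test-NetwrixAuditorPatched` / `Get-NetwrixAuditorInstall` function names are assumptions made for this example; adjust the pattern if the product registers itself under a different name in your environment.

```powershell
# Added example (not Netwrix's own tooling): report whether the installed
# Netwrix Auditor build is at or above the first release that fixes
# CVE-2022-31199. Assumes the product registers itself in the standard
# Windows Uninstall keys with a DisplayName beginning "Netwrix Auditor".

function Get-NetwrixAuditorInstall {
    # Both the native and the WOW6432Node uninstall hives are checked so
    # 32-bit and 64-bit installers are covered.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netwrix Auditor*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-NetwrixAuditorPatched {
    param(
        # 10.5 is the first release the advisory names as containing the fix.
        [version]$MinimumVersion = '10.5'
    )

    $installs = @(Get-NetwrixAuditorInstall)
    if ($installs.Count -eq 0) {
        # Nothing registered: not installed (or registered under another name).
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $false
            Product   = $null
            Version   = $null
            Patched   = $null
        }
    }

    foreach ($install in $installs) {
        # Some builds carry a four-part version string; [version]::TryParse
        # handles those and returns $false on anything it cannot parse.
        $parsed = $null
        $ok = [version]::TryParse($install.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $true
            Product   = $install.DisplayName
            Version   = $install.DisplayVersion
            Patched   = if ($ok) { $parsed -ge $MinimumVersion } else { $null }
        }
    }
}

# Run locally; a Patched value of $false means the host still needs the update,
# $null means the version string could not be parsed and needs a manual look.
Test-NetwrixAuditorPatched | Format-Table -AutoSize
```

To sweep a fleet, run the two functions through `Invoke-Command -ComputerName` against the servers and monitored hosts where the Auditor server or agents are deployed, and treat every row where `Patched` is `$false` or `$null` as outstanding remediation work.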
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available currently.
Netwrix Auditor is widely deployed across the IT and technology services sector. Threat actors generally weigh the likelihood of a successful compromise against the value of the assets behind it when choosing where to focus, and an auditing product that can be exploited without authentication, runs as SYSTEM, and has visibility into the systems it monitors scores highly on both counts. Because Netwrix products are embedded in day-to-day business operations, attackers can be expected to keep exploiting vulnerabilities in them to reach the sensitive data they hold and the systems they monitor.
Since December 2022, TA505 (which overlaps with the group tracked as FIN11) has been using TrueBot, a malware downloader attributed to the Russian-speaking Silence cybercrime group, to deliver Clop ransomware to compromised networks. Once TrueBot is in place, the attackers install the FlawedGrace remote access trojan (RAT), which is also linked to TA505, and use it to escalate privileges and establish persistence on the compromised systems.
TA0002 – Execution