Sep 13, 2024
Ravie Lakshmanan
Software Security / Threat Intelligence
Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.
The activity began on August 30, 2024, just five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team.
Both critical vulnerabilities, which allow an attacker to retrieve a user's encrypted password, were patched by Progress in mid-August 2024.
Trend Micro researchers found that some organizations had not been able to apply the patches in time, which led to intrusions in the days following the PoC's publication.
The attacks bypass WhatsUp Gold authentication, abuse the Active Monitor PowerShell Script feature, and download remote access tools to establish persistence on the Windows host.
Tools observed include Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote; Atera Agent and Splashtop Remote were installed together from a single MSI installer file.
The threat actors used the NmPoller.exe process to execute arbitrary code remotely on Windows hosts, a pattern that points to possible ransomware involvement.
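As an added example for defenders (not code from the article or from Trend Micro's research): the chain described above leaves two observable traces in process-creation telemetry, the NmPoller.exe process spawning a script interpreter or installer, and an msiexec.exe command line that references one of the named remote access tools. The script below encodes both as simple rules and runs them over constructed Sysmon-style events. The field names, the install path, the command lines and the RMM keyword list are all assumptions made for this example, not indicators from the report.

```python
"""Triage process-creation events for the WhatsUp Gold post-exploitation chain.

Rule 1: NmPoller.exe (the WhatsUp Gold poller) as parent of an interpreter
        or installer process.
Rule 2: msiexec.exe command lines that reference a remote access / RMM tool.

Event field names mirror Sysmon Event ID 1 (Image, ParentImage, CommandLine)
but are an assumption; the sample events at the bottom are constructed.
"""
from dataclasses import dataclass

# Child processes that should be rare under the poller (assumed list).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe",
    "certutil.exe", "bitsadmin.exe",
}

# Remote access tools named in the report. Matching these substrings in an
# installer command line is an assumption about how the installers are
# named, not an indicator taken from the report.
RMM_KEYWORDS = {"atera", "splashtop", "radmin", "simplehelp"}


@dataclass
class Finding:
    rule: str
    process: str
    parent: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (placeholder-safe)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return the findings for one process-creation event."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    findings = []

    # Rule 1: poller spawning an interpreter/installer.
    if parent == "nmpoller.exe" and image in SUSPICIOUS_CHILDREN:
        findings.append(Finding("nmpoller_spawns_interpreter", image, parent, cmdline))

    # Rule 2: MSI install of a remote access tool.
    if image == "msiexec.exe":
        lowered = cmdline.lower()
        hits = sorted(k for k in RMM_KEYWORDS if k in lowered)
        if hits:
            findings.append(Finding("rmm_installer:" + ",".join(hits), image, parent, cmdline))
    return findings


def scan(events: list) -> list:
    """Run every event through check_event and collect the findings."""
    out = []
    for event in events:
        out.extend(check_event(event))
    return out


# Constructed sample events; C:\WhatsUpGold\ is a placeholder install path.
SAMPLE_EVENTS = [
    # benign: the poller started by the service control manager
    {"Image": r"C:\WhatsUpGold\NmPoller.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "NmPoller.exe"},
    # suspicious: poller launching a hidden PowerShell script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\WhatsUpGold\NmPoller.exe",
     "CommandLine": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\task.ps1"},
    # suspicious: PowerShell installing an RMM agent from an MSI
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\AteraAgent.msi /qn"},
    # benign: an administrator installing an unrelated package
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\7zip.msi"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.parent} -> {f.process}: {f.command_line}")
```

Rule 1 needs tuning before it goes into production: Active Monitor PowerShell scripts are a legitimate WhatsUp Gold feature, so NmPoller.exe launching powershell.exe will also appear in normal operation. Baseline the script paths and command lines your monitors actually use, then alert on deviations (new script locations under user-writable directories, hidden windows, encoded commands) rather than on the parent-child pair alone. Rule 2 is only as good as the keyword list; treat it as a starting point for inventorying which remote access tools are sanctioned in your environment.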
This is the second time WhatsUp Gold vulnerabilities have been weaponized; earlier exploitation targeted CVE-2024-4885.
Recently, Trend Micro warned of exploits targeting a patched security flaw in Atlassian Confluence, highlighting the ongoing security challenges faced by organizations.