WhatsUp Gold Flaws Exploited Within Hours of PoC Release for Critical Vulnerability
Threat actors are likely using publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to carry out opportunistic attacks.
The activity was first observed on August 30, 2024, only five hours after a PoC for CVE-2024-6670 (CVSS score: 9.8) was published by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS score: 9.8).
Both critical flaws, which allow an unauthenticated attacker to retrieve a user's encrypted password, were patched by Progress in mid-August 2024.
“Based on the timeline of events, it appears that certain entities were incapable of promptly applying the patches, resulting in incidents shortly after the PoC was made available,” Trend Micro researchers Hitomi Kimura and Maria Emreen Viray wrote in an analysis published on Thursday.
The attacks observed by the cybersecurity company involve bypassing WhatsUp Gold authentication and abusing the Active Monitor PowerShell Script feature to download several remote access tools, which are then used to establish persistence on the Windows host.
The toolset includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote; Atera Agent and Splashtop Remote are installed together through a single MSI installer file fetched from a remote server.
“NmPoller.exe, the executable of WhatsUp Gold, seems to be capable of hosting the Active Monitor PowerShell Script as a legitimate operation,” the analysts elaborated. “In this scenario, threat actors opted to utilize it for executing remote arbitrary code.”
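The detection angle that follows from this is that NmPoller.exe spawning PowerShell is expected behaviour, so the signal is the chain beneath it: a poller-hosted PowerShell session that goes on to run an MSI install or produce a remote access tool process. The script below is an added example written for this article, not Trend Micro's or Progress's code; it walks constructed process-creation events in a Sysmon Event ID 1-like shape (the field names, file paths and PIDs are assumptions made for the example) and scores each event against that chain, matching the remote access tools by the product names the article lists rather than by guessed binary names.

```python
import ntpath

# Constructed process-creation events in a Sysmon Event ID 1-like shape.
# Field names, install paths and PIDs are assumptions for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4, "ParentProcessId": 0,
     "Image": r"C:\Windows\System32\services.exe", "CommandLine": "services.exe"},
    {"ProcessId": 100, "ParentProcessId": 4,
     "Image": r"C:\Program Files (x86)\WhatsUp\NmPoller.exe", "CommandLine": "NmPoller.exe"},
    # NmPoller.exe hosting an Active Monitor PowerShell script: legitimate by design.
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File monitor.ps1"},
    # ...but here that script runs an MSI install and a remote access tool appears beneath it.
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\setup.msi /quiet"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Program Files\Atera\AteraAgent.exe", "CommandLine": "AteraAgent.exe"},
    # Unrelated interactive PowerShell started from Explorer: must not be flagged.
    {"ProcessId": 600, "ParentProcessId": 4,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 500, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

POLLER = "nmpoller.exe"
INTERPRETERS = {"powershell.exe", "pwsh.exe"}
INSTALLERS = {"msiexec.exe"}
# Product names from the article, matched as substrings of the image path so that
# no binary names have to be guessed.
REMOTE_ACCESS_KEYWORDS = ("atera", "radmin", "simplehelp", "splashtop")


def basename(image):
    """Lowercase file name of a Windows image path."""
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid, limit=32):
    """Lowercase image names from pid upward through its parents (pid first).

    Stops at an unknown parent, a cycle, or the depth limit, so a malformed
    event set cannot loop forever.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["Image"]))
        pid = event["ParentProcessId"]
    return chain


def analyze(events):
    """Return findings for events that descend from NmPoller.exe.

    Severity reflects how far down the abuse chain the event sits:
    low      NmPoller.exe -> PowerShell (expected; baseline it)
    high     MSI install launched from a poller-hosted PowerShell script
    critical a listed remote access tool running anywhere beneath the poller
    """
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        name = basename(ev["Image"])
        ancestors = ancestry(ev["ParentProcessId"], by_pid)  # parents only, not the event itself
        if POLLER not in ancestors:
            continue  # only processes descending from the poller matter here
        under_interpreter = bool(INTERPRETERS & set(ancestors))
        if name in INTERPRETERS and ancestors[0] == POLLER:
            findings.append({"pid": ev["ProcessId"], "image": name, "severity": "low",
                             "reason": "NmPoller.exe hosted a PowerShell process"})
        elif name in INSTALLERS and under_interpreter:
            findings.append({"pid": ev["ProcessId"], "image": name, "severity": "high",
                             "reason": "MSI install from a poller-hosted PowerShell script"})
        elif any(k in ev["Image"].lower() for k in REMOTE_ACCESS_KEYWORDS):
            findings.append({"pid": ev["ProcessId"], "image": name, "severity": "critical",
                             "reason": "remote access tool started beneath NmPoller.exe"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding['severity']:8}] pid={finding['pid']} {finding['image']}: {finding['reason']}")
```

On the constructed events this yields three findings: the poller-hosted PowerShell (low), the MSI install under it (high) and the Atera process under that (critical), while the Explorer-launched PowerShell is ignored. In practice the low-severity hits are what you baseline per host, since Active Monitor scripts run PowerShell routinely; the installer and remote-access-tool hits beneath the poller are the ones worth paging on.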
Although no follow-on activity has been observed yet, the deployment of multiple remote access tools points to the possible involvement of a ransomware actor.
This is the second time security flaws in WhatsUp Gold have been actively weaponized in the wild. Last month, the Shadowserver Foundation reported exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical flaw that Progress addressed in June 2024.

The disclosure comes shortly after Trend Micro revealed that threat actors are exploiting a now-patched security vulnerability in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.
“The CVE-2023-22527 vulnerability remains a high-profile target for various threat actors who misuse it for malevolent purposes, posing a substantial security risk to corporations globally,” the company said.