Hackers have been actively exploiting a critical remote code execution (RCE) vulnerability in Progress WhatsUp Gold, a popular IT infrastructure monitoring tool. The attacks started on August 30, 2024, just hours after a proof-of-concept (PoC) exploit was publicly released. The vulnerabilities, identified as CVE-2024-6671 and CVE-2024-4885, allow unauthenticated attackers to retrieve encrypted passwords via SQL injection in single-user configurations.
Both flaws have been assigned a critical CVSS score of 9.8.
Researchers at Trend Micro discovered that the attackers abused the legitimate Active Monitor PowerShell Script function within the NmPoller.exe process to execute malicious code. This technique allowed them to bypass typical initial access indicators, suggesting direct exploitation of the vulnerabilities. The attackers used the PowerShell payload to install various remote administration tools (RATs) such as Atera Agent, Radmin RAT, SimpleHelp Remote access, and Splashtop Remote using msiexec.exe.
They attempted to download these RATs from sites like hxxps://fedko[.]org/wp-includes/ID3/setup.msi.
Hackers exploiting WhatsUp Gold flaw
Progress released security patches for both vulnerabilities on August 16, 2024.
However, the rapid exploitation following the PoC release on August 30 suggests that some organizations were unable to apply the patches quickly enough. Over 1,200 devices were found to be exposed to CVE-2024-4885. The deployment of multiple RATs by the attackers indicates a potential preparation for a ransomware attack.
To mitigate such risks, organizations are advised to apply patches immediately upon release, especially for severe vulnerabilities. Other recommended measures include restricting access to corporate services, enabling multi-factor authentication (MFA) for network logins, using strong passwords and passkeys, and securing management consoles and APIs. The swift exploitation of the WhatsUp Gold vulnerabilities highlights the importance of timely patch management and robust monitoring to defend against sophisticated RCE attacks.
Organizations using the affected software must remain vigilant and take proactive steps to strengthen their cybersecurity posture.
