Attackers Exploit WhatsUp Gold Vulnerabilities to Execute Malicious Code Across Multiple Industries
Attackers may have exploited critical vulnerabilities (CVE-2024-6670 and CVE-2024-6671) in WhatsUp Gold to execute malicious code and compromise network security hours after proof-of-concept (POC) code was published.
WhatsUp Gold is used by organizations globally to monitor their IT infrastructure. The vulnerabilities allow unauthenticated attackers to access encrypted credentials and may allow attackers to execute malicious PowerShell scripts. This creates an entry point for attackers to install malware, such as remote access tools (RATs), which can lead to full network compromise. The vulnerabilities have a CVSS score of 9.8, signaling their severity and potential impact.
What happened
Trend Micro reported that since August 30, attackers have been targeting outdated versions of WhatsUp Gold, potentially using a POC that takes advantage of these vulnerabilities. The attack chain begins by exploiting one (or both) of the SQL injection vulnerabilities in versions prior to 2024.0.0. Through these flaws, attackers may have retrieved encrypted passwords and used the Active Monitor PowerShell feature to run malicious scripts on the network. One notable attack involved downloading and executing malicious files through PowerShell, msiexec commands, and other legitimate Windows tools.
According to Trend Micro, no suspicious logon events, users accessing suspicious URLs, or malware execution were observed before the malicious scripts were executed.
Attack Methods
The attackers used WhatsUp Gold's legitimate features to hide their malicious activity. Scripts executed through the NmPoller.exe service were designed to download files, including remote administration tools such as Atera Agent, Splashtop Remote, and SimpleHelp Remote Access. These tools would give the attackers remote control over the victim's systems and could enable lateral movement across the network.
The attackers' commands included downloading malicious files from external servers, executing them via PowerShell, and using msiexec to silently install harmful software on victim machines.
Impact and Response
While Trend Micro noted that one particular incident was contained, they suggest that the attackers could be ransomware actors based on their use of multiple RATs. The attack occurred shortly after the POC was released, highlighting how quickly attackers can weaponize newly discovered vulnerabilities. This incident underscores the importance of rapid patching, as a patch for these vulnerabilities was released on August 16, giving organizations a window to protect themselves—yet many systems remain unpatched.
Recommended Actions
To mitigate the risk, experts recommend:
Immediate patching: Organizations should apply the latest updates for WhatsUp Gold to close the vulnerabilities.
Enhanced monitoring: Ensure robust monitoring and detection systems are in place to identify suspicious activity related to remote access tools and PowerShell scripts.
Access controls: Implement multi-factor authentication (MFA) for remote access and restrict privileges based on user roles to minimize the attack surface.
Segmentation and whitelisting: Network segmentation and application whitelisting can help limit the scope of any breach, preventing attackers from moving laterally.
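As an added illustration of the monitoring recommendation above (this is example code written for this page, not code from the article, Trend Micro, or Progress): a small Python detector that flags process-creation events in which NmPoller.exe, the WhatsUp Gold service the report names, spawns powershell.exe or msiexec.exe, the two tools the article says the malicious scripts used to download and install files. The key=value log format, the field names, the install path, and every sample event are constructed for the example and are not taken from any real incident.

```python
"""Flag process-creation events where NmPoller.exe spawns PowerShell or msiexec.

Added example, not from the article or from Progress/Trend Micro. The log
format, field names, install path and all sample events below are constructed.
"""
import re

# Parent process named in the report, and the child processes the article says
# the scripts used to fetch and install files. Names are compared lower-cased.
SUSPICIOUS_PARENT = "nmpoller.exe"
SUSPICIOUS_CHILDREN = {"powershell.exe", "msiexec.exe"}

# key=value tokens; values may be double-quoted so they can contain spaces.
TOKEN = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample telemetry (hypothetical host names, paths and times).
SAMPLE_EVENTS = [
    # Normal poller activity: NmPoller.exe running a plain cmd.exe probe.
    r'ts=2024-08-30T10:01:02Z host=wug01 event=ProcessCreate '
    r'parent_image="C:\Program Files (x86)\WhatsUp Gold\NmPoller.exe" '
    r'image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c ping -n 1 10.0.0.5"',
    # Poller spawning PowerShell to run a script: review item.
    r'ts=2024-08-30T10:05:44Z host=wug01 event=ProcessCreate '
    r'parent_image="C:\Program Files (x86)\WhatsUp Gold\NmPoller.exe" '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell.exe -NoProfile -File C:\Temp\task.ps1"',
    # Poller spawning a silent msiexec install: review item.
    r'ts=2024-08-30T10:06:10Z host=wug01 event=ProcessCreate '
    r'parent_image="C:\Program Files (x86)\WhatsUp Gold\NmPoller.exe" '
    r'image=C:\Windows\System32\msiexec.exe cmdline="msiexec /i C:\Temp\agent.msi /quiet"',
    # An administrator opening PowerShell from Explorer: not flagged by this rule.
    r'ts=2024-08-30T10:07:00Z host=ws22 event=ProcessCreate '
    r'parent_image=C:\Windows\explorer.exe '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe"',
]


def parse_event(line):
    """Turn one key=value log line into a dict; quoted values keep their spaces."""
    fields = {}
    for m in TOKEN.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' for missing paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event):
    """True when the WhatsUp Gold poller is the parent of PowerShell or msiexec."""
    parent = basename(event.get("parent_image", ""))
    child = basename(event.get("image", ""))
    return parent == SUSPICIOUS_PARENT and child in SUSPICIOUS_CHILDREN


def find_alerts(lines):
    """Return one alert record per suspicious event, in log order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "child": basename(event["image"]),
                "cmdline": event.get("cmdline", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"{alert['ts']} {alert['host']}: NmPoller.exe -> {alert['child']} "
              f"[{alert['cmdline']}]")
```

Because Active Monitor PowerShell is a legitimate WhatsUp Gold feature, hits from this rule are review items rather than automatic blocks: baseline which scripts the poller normally runs, and treat a new child process that installs or downloads software as the signal worth escalating.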
The Big Picture
This attack is a reminder of how quickly attackers can exploit newly disclosed vulnerabilities. Their abuse of legitimate functions such as Active Monitor PowerShell shows that vigilance is needed even when the activity originates from a trusted, built-in feature. Without swift patching and rigorous security measures, organizations risk network compromise and data loss.
Dive deeper: Read Trend Micro's full report here.