Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

Description

Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30. These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16. The timeline suggests that some organizations were unable to apply patches quickly, leading to incidents immediately following the PoC's publication. Attackers abused NmPoller.exe to execute PowerShell scripts, downloading various remote access tools and attempting to gain persistence. Mitigation steps include keeping services under access control, immediate patch application, and monitoring suspicious process creation events in WhatsUp Gold environments.