Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw

Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks.

The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who is also credited with discovering and reporting CVE-2024-6671 (CVSS scores: 9.8).

Both the critical vulnerabilities, which allow an unauthenticated attacker to retrieve a user’s encrypted password, were patched by Progress in mid-August 2024.

“The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication,” Trend Micro researchers Hitomi Kimura and Maria Emreen Viray said in a Thursday analysis.

The attacks observed by the cybersecurity company involve bypassing WhatsUp Gold authentication to exploit the Active Monitor PowerShell Script and ultimately download various remote access tools for gaining persistence on the Windows host.

This includes Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote, with both Atera Agent and Splashtop Remote installed by means of a single MSI installer file retrieved from a remote server.

“The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function,” the researchers explained. “The threat actors in this case chose it to perform for remote arbitrary code execution.”

While no follow-on exploitation actions have been detected, the use of several remote access software points to the involvement of a ransomware actor.

This is the second time security vulnerabilities in WhatsUp Gold have been actively weaponized in the wild. Early last month, the Shadowserver Foundation said it had observed exploitation attempts against CVE-2024-4885 (CVSS score: 9.8), another critical bug that was resolved by Progress in June 2024.

The disclosure comes weeks after Trend Micro also revealed that threat actors are exploiting a now-patched security flaw in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527, CVSS score: 10.0) to deliver the Godzilla web shell.

“The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide,” the company said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.