September 17, 2024 at 06:03AM
Two critical vulnerabilities in Progress Software’s WhatsUp Gold were recently exploited in possible ransomware attacks. Trend Micro observed remote code execution attempts following the public disclosure of the flaws and suspects a ransomware group’s involvement due to the use of multiple remote access tools. CISA has added one of the vulnerabilities to its Known Exploited Vulnerabilities catalog.
Based on the meeting notes, the main takeaways are:
– Two critical vulnerabilities (CVE-2024-6670 and CVE-2024-6671) in Progress Software’s WhatsUp Gold product have been exploited in the wild, possibly in ransomware attacks. These vulnerabilities were SQL injection issues that allowed unauthenticated attackers to retrieve users’ encrypted passwords.
– Progress Software informed customers about these vulnerabilities on August 16, and a researcher from Summoning Team publicly disclosed technical details and a proof-of-concept exploit on August 30.
– Trend Micro observed remote code execution attacks against WhatsUp Gold instances the same day the PoC was published. The attackers attempted to deploy several remote access tools, and it’s believed that a ransomware group may be behind the exploitation of the vulnerabilities.
– The US cybersecurity agency CISA added CVE-2024-6670 to its Known Exploited Vulnerabilities catalog, but has not confirmed exploitation in ransomware attacks. CVE-2024-6671 has not been added to this list yet.
– Progress Software recently patched another potentially serious vulnerability in WhatsUp Gold (CVE-2024-4885), but there is no indication that this security hole has been exploited.
Additionally, it’s worth noting that there are hundreds of internet-exposed WhatsUp Gold instances, with a majority in Brazil, followed by India, Thailand, and the United States.