Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

September 12, 2024 at 05:49AM

Trend Micro researchers discovered remote code execution attacks on WhatsUp Gold leveraging the Active Monitor PowerShell Script since August 30. Exploiting vulnerabilities CVE-2024-6670 and CVE-2024-6671, the attacks persisted despite available patches, emphasizing the need for prompt patch application and proactive monitoring to prevent similar incidents. Mitigation steps include access control, timely patching, and close monitoring.

The Trend Micro report describes recent remote code execution (RCE) attacks on WhatsUp Gold, a network and IT infrastructure monitoring application provided by Progress Software Corporation. The attacks exploited vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16; active exploitation began on August 30, the same day, just after a Proof of Concept (PoC) was published. The attacks abused the Active Monitor PowerShell Script, which is a legitimate function of the product.

The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication. The threat actors aimed to install remote administration tools through PowerShell, attempting to install four remote access tools (RATs) via msiexec.exe.

Mitigation steps recommended include applying the latest patch as soon as possible, keeping services for corporate use under access control, using strong passwords, monitoring suspicious process creation events, and closely monitoring events in WhatsUp Gold environments to prevent similar incidents. It’s also important to tighten access controls and consider additional defenses like multi-factor authentication (MFA) and passkeys.

Additionally, proposed steps for monitoring and detection include monitoring process creation events, conducting searches for specific events, and observing attack techniques detected using tools like Trend Vision One™.
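One way to act on the process-creation monitoring advice, as an added example that is not taken from the Trend Micro post: a Python triage pass that flags msiexec.exe launched by PowerShell. The records are constructed and use Sysmon Event ID 1 field names; the scoring on a URL source and an unattended switch is an assumption made for this example, not a rule from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records (Sysmon Event ID 1 field names).
# Host names, paths and URLs are invented for this example.
SAMPLE_EVENTS = [
    {"host": "wug01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "msiexec.exe /i https://example.invalid/agent.msi /qn"},
    {"host": "wug01", "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "msiexec.exe /V"},
    {"host": "ws22", "Image": r"C:\Windows\SysWOW64\MSIEXEC.EXE",
     "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"msiexec /i C:\Temp\setup.msi /quiet"},
    {"host": "ws22", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
REMOTE_SOURCE = re.compile(r"https?://\S+", re.IGNORECASE)
UNATTENDED = re.compile(r"(?<!\S)[/-](q[nb]?|quiet|passive)(?!\S)", re.IGNORECASE)

def basename(path):
    # PureWindowsPath parses backslash-separated paths on any OS.
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return None if the event is out of scope, else a finding dict."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    if basename(event.get("ParentImage", "")) not in POWERSHELL_NAMES:
        return None
    cmd = event.get("CommandLine", "")
    reasons = ["msiexec.exe spawned by PowerShell"]
    if REMOTE_SOURCE.search(cmd):
        reasons.append("package fetched from a URL")
    if UNATTENDED.search(cmd):
        reasons.append("unattended install switch")
    severity = {1: "low", 2: "medium", 3: "high"}[len(reasons)]
    return {"host": event.get("host"), "severity": severity,
            "reasons": reasons, "cmd": cmd}

def scan(events):
    return [finding for finding in map(triage, events) if finding]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], "; ".join(f["reasons"]))
```

Software deployment scripts also start msiexec.exe from PowerShell, so baseline those hosts and accounts before alerting on the lower severities.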

Lastly, the post includes Indicators of Compromise (IOCs) such as file paths, SHA256 hashes, and URLs associated with the attack, and lists the authors of the blog post and the incident response and threat analysts involved.
