Business
Improve your risk posture with attack surface management
Security that enables business outcomes
Gain visibility and meet business needs with security
Connect with confidence from anywhere, on any device
Secure users and key operations throughout your environment
Move faster than your adversaries with powerful purpose-built XDR, attack surface risk management, and zero trust capabilities
Maximize effectiveness with proactive risk reduction and managed services
Understand your attack surface, assess your risk in real time, and adjust policies across network, workloads, and devices from a single console
Drive business value with measurable cybersecurity outcomes
See more, act faster
Evolve your security to mitigate threats quickly and effectively
Ensure code runs only as intended
Gain visibility and control with security designed for cloud environments
Protect patient data, devices, and networks while meeting regulations
Protecting your factory environments – from traditional devices to state-of-the-art infrastructures
ICS/OT Security for the oil and gas utility industry
ICS/OT Security for the electric utility
Stop threats with easy-to-use solutions designed for your growing business
Bridge threat protection and cyber risk management
Your generative AI cybersecurity assistant
Stop breaches before they happen
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
The most trusted cloud security platform for developers, security teams, and businesses
Cloud asset discovery, vulnerability prioritization, Cloud Security Posture Management, and Attack Surface Management all in one
Extend visibility to the cloud and streamline SOC investigations
Secure your data center, cloud, and containers without compromising performance by leveraging a cloud security platform with CNAPP capabilities
Simplify security for your cloud-native applications with advanced container image scanning, policy-based admission control, and container runtime protection
Protect application workflow and cloud storage against advanced threats
Defend the endpoint through every stage of an attack
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Optimized prevention, detection, and response for endpoints, servers, and cloud workloads
On-premises and cloud protection against malware, malicious applications, and other mobile threats
Expand the power of XDR with network detection and response
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
Protect against known, unknown, and undisclosed vulnerabilities in your network
Detect and respond to targeted attacks moving inbound, outbound, and laterally
Redefine trust and secure digital transformation with continuous risk assessments
Stop phishing, malware, ransomware, fraud, and targeted attacks from infiltrating your enterprise
Stop phishing, ransomware, and targeted attacks on any email service including Microsoft 365 and Google Workspace
Learn about solutions for ICS / OT security.
Stop adversaries faster with a broader perspective and better context to hunt, detect, investigate, and respond to threats from a single platform
See threats coming from miles away
End-to-end identity security from identity posture management to detection and response
Prevent, detect, respond and protect without compromising data sovereignty
Augment security teams with 24/7/365 managed detection, response, and support
Augment threat detection with expertly managed detection and response (MDR) for email, endpoints, servers, cloud workloads, and networks
Our trusted experts are on call whether you're experiencing a breach or looking to proactively improve your IR plans
Stop breaches with the best response and detection technology on the market and reduce clients’ downtime and claim costs
Grow your business and protect your customers with the best-in-class complete, multilayered security
Stand out to customers with competency endorsements that showcase your expertise
Deliver modern security operations services with our industry-leading XDR
Partner with a leading expert in cybersecurity, leverage proven solutions designed for MSPs
We work with the best to help you optimize performance and value
Discover resources designed to accelerate your business’s growth and enhance your capabilities as a Trend Micro partner
Accelerate your learning with Trend Campus, an easy-to-use education platform that offers personalized technical guidance
Access collaborative services designed to help you showcase the value of Trend Vision One™ and grow your business
Locate a partner from whom you can purchase Trend Micro solutions
See how Trend outperforms the competition
Crowdstrike provides effective cybersecurity through its cloud-native platform, but its pricing may stretch budgets, especially for organizations seeking cost-effective scalability through a true single platform
Microsoft offers a foundational layer of protection, yet it often requires supplemental solutions to fully address customers' security problems
Palo Alto Networks delivers advanced cybersecurity solutions, but navigating its comprehensive suite can be complex and unlocking all capabilities requires significant investment
Trend Detects NVIDIA AI Toolkit Vulnerability
Learn more >
The Illusion of Choice: Uncovering Electoral Deceptions in the Age of AI
Read report >
Shaping the Future of Attack Surface Management
See how >
Content has been added to your Folio
Exploits & Vulnerabilities
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
By: Hitomi Kimura, Maria Emreen Viray Read time: ( words)
Save to Folio
The Trend Micro Managed Extended Detection and Response (MXDR) team observed remote code execution (RCE) attacks on WhatsUp Gold, an application for network and IT infrastructure monitoring currently provided by Progress Software Corporation and its components run on Windows (Figure 1). The attacks have abused Active Monitor PowerShell Script, one of the legitimate functions of the product, since August 30.
The RCE vulnerabilities CVE-2024-6670 and CVE-2024-6671 were disclosed by the vendor on August 16; patches were made available at the same time. According to the disclosure, “if the application is configured with only a single user; a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user’s encrypted password.” However, the CVSS scores of both vulnerabilities are marked as 9.8, suggesting that RCE is possible.
In August, the vulnerability’s discoverer, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) has published a blog entry and provided a PoC on the subject. The PoC showed how to overwrite an arbitrary string as the new password, and that explanation matches our observations.
Activity monitoring on Trend Vision One showed that a suspicious script retrieved from a suspicious URL was suddenly executed on the computer hosting WhatsUp Gold. The timeline prior to the incident showed no suspicious logon events, suspicious URLs accessed by users, or malware execution. These are typical events in the early stages of incidents, but if these have not appeared, it’s more likely that a vulnerability has been involved.
The polling process NmPoller.exe, the WhatsUp Gold executable, seems to be able to host a script called Active Monitor PowerShell Script as a legitimate function (Figure 2). The threat actors in this case chose it to perform for remote arbitrary code execution.
The malicious code that was executed by NmPoller.exe looks like this: The first part of the square is the prefix, and the last two lines are the malicious code submitted by the threat actor. Several variations of this part have been observed, as shown in Figure 3.
Multiple PowerShell scripts were executed via NmPoller.exe. The following scripts were executed as the malicious part multiple times combined with the prefix part described in the previous section:
The file a.ps1 contained only one line:
In this case, the threat actor aimed to install remote administration tools through PowerShell. They attempted to install these four remote access tools (RATs) via msiexec.exe (Figure 4):
Atera Agent and Splashtop Remote were installed by a single msi installer retrieved from the URL, hxxps://fedko[.]org/wp-includes/ID3/setup.msi.
The incident was contained by MXDR team and no further impacts were observed. The threat actor has not yet been identified; however, the usage of multiple RATs suggests that it may be a ransomware actor.
This timeline suggests that the exploit attempts may have been performed on the same day, just a few hours after the PoC was published. The PoC was released on the Friday before the long weekend in the US, which included a holiday, so it may have been difficult for many organizations to apply the patch immediately. However, the latest patch was provided before the PoC was released, so if there is information such as a fix high-severity vulnerability in the patch, planning to apply the patch early should help prevent damage even if no PoC is available.
Censys has issued an advisory that they observed 1,207 exposed devices online for CVE-2024-4885, another WhatsUp Gold vulnerability that has a CVSS score of 9.8 and was fixed in June. This may have attracted the attention of threat actors as an attack surface following the disclosure of serious vulnerabilities in June.
The affected host was affected due to the compromise of user authentication for WhatsUp Gold. Users of the product should take the following steps to avoid a similar impact:
To detect the attacks that we observed, we monitored process creation events from the following processes:
For example, if C:Program Files (x86)IpswitchWhatsUpnmpoller.exe creates processes like the following, it is highly suspicious:
Observed attack techniques (OAT) detected using Vision One:
Please note that in the implementation, NmPoller.exe can execute PowerShell scripts without launching another powershell.exe process. If you can monitor PowerShell scripts with Antimalware Scan Interface (AMSI), verify that all scripts executed by WhatsUp Gold’s Active Monitor PowerShell Script function are the ones you expect. To reduce the monitoring effort, it is also a good idea to suspend the use of Active Monitor PowerShell Script function until the latest patch is applied.
Also, because the vulnerability CVE-2024-6670 is described as allowing the compromise of the user account, it is quite possible that attacks would be observed as other events. Considering this, until the latest patch is applied, it is worth tightening access controls to WhatsUp Gold as much as possible and closely monitoring the events of all related processes.
Patch management is still important but always difficult. In this case, the PoC was published several days after the patch was released, and an incident that appeared to be affected by the vulnerability was observed on the same day, just a few hours after published. This observed fact shows that if the vulnerability being fixed is marked as severe, it is strongly encouraged to apply the patch as soon as it is released, even if no PoC is available.
The key to preventing incidents like this are not limited to patch management. There should be several defenses in place in addition patch management. The most common defenses to mitigate risks are access control and multi-factor authentication (MFA), which security teams can apply through best practices like:
Maintaining a daily readiness and vigilance against cyberattacks is essential to ensuring that emergency response is targeted only at things that truly require it. We hope that after reading this article, security teams will once again check that no unintended hosts or services are exposed to the public internet as part of their peacetime preparations. This approach is now known as part of attack surface management.
Organizations can also consider powerful security technologies such as Trend Vision One™, which offers multilayered protection and behavior detection, helping block malicious tools and services before they can inflict damage on user machines and systems.
Hitomi Kimura
Incident Response Analyst
Maria Emreen Viray
Threats Analyst
Experience our unified platform for free
Country Headquarters
Trend Micro – United States (US)
225 East John Carpenter Freeway
Suite 1500
Irving, Texas 75062
Phone: +1 (817) 569-8900
Select a country / region
Privacy | Legal | Accessibility | Site map
Copyright ©2024 Trend Micro Incorporated. All rights reserved
Copyright ©2024 Trend Micro Incorporated. All rights reserved
