SecurityWeek

Recent WhatsUp Gold Vulnerabilities Possibly Exploited in Ransomware Attacks

Two recently patched Progress Software WhatsUp Gold vulnerabilities may have been exploited in the wild, possibly in ransomware attacks.

Two critical vulnerabilities patched recently in Progress Software’s WhatsUp Gold product appear to have been exploited in the wild, possibly in ransomware attacks.

Progress Software informed customers about three vulnerabilities in its WhatsUp Gold IT infrastructure monitoring product on August 16. 

Two of the flaws, tracked as CVE-2024-6670 and CVE-2024-6671 and assigned ‘critical’ severity ratings, have been described as SQL injection issues that can be exploited by unauthenticated attackers to retrieve users’ encrypted passwords. 

A Summoning Team researcher who discovered and responsibly disclosed these SQL injection vulnerabilities made technical details and a proof-of-concept (PoC) exploit public on August 30.

Trend Micro started seeing remote code execution attacks against WhatsUp Gold instances the same day, and the company believes these attacks possibly leveraged CVE-2024-6670 and CVE-2024-6671.

“The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication,” Trend Micro noted.

The attackers attempted to deploy several remote access tools (RATs), according to the security firm. 

Trend Micro was unable to tie the attacks to a known threat actor, but the use of multiple RATs in the attack has led the company to believe that a ransomware group may be behind exploitation of the vulnerabilities. 

The US cybersecurity agency CISA on Monday added CVE-2024-6670 to its Known Exploited Vulnerabilities (KEV) catalog, but it has not confirmed exploitation in ransomware attacks (KEV entries specify whether a flaw is known to have been used in ransomware campaigns). CISA has yet to add CVE-2024-6671 to this list.

At the time of writing, Progress Software’s advisory does not mention anything about in-the-wild exploitation, but the company did recently add a ‘potential indicators of compromise’ section to the advisory.

There are hundreds of internet-exposed WhatsUp Gold instances, a majority in Brazil, followed by India, Thailand, and the United States. 

Progress Software recently patched another potentially serious WhatsUp Gold flaw that could lead to a full system compromise, but there is no indication that this security hole, tracked as CVE-2024-4885, has been exploited as well. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
