Two critical vulnerabilities patched recently in Progress Software’s WhatsUp Gold product appear to have been exploited in the wild, possibly in ransomware attacks.
Progress Software informed customers about three vulnerabilities in its WhatsUp Gold IT infrastructure monitoring product on August 16.
Two of the flaws, tracked as CVE-2024-6670 and CVE-2024-6671 and assigned ‘critical’ severity ratings, have been described as SQL injection issues that can be exploited by unauthenticated attackers to retrieve users’ encrypted passwords.
A researcher from Summoning Team, who discovered and responsibly disclosed these SQL injection vulnerabilities, published technical details and a proof-of-concept (PoC) exploit on August 30.
Trend Micro started seeing remote code execution attacks against WhatsUp Gold instances the same day, and the company believes these attacks possibly leveraged CVE-2024-6670 and CVE-2024-6671.
“The timeline of events suggests that despite the availability of patches, some organizations were unable to apply them quickly, leading to incidents almost immediately following the PoC’s publication,” Trend Micro noted.
The attackers attempted to deploy several remote access tools (RATs), according to the security firm.
Trend Micro was unable to tie the attacks to a known threat actor, but the use of multiple RATs in the attacks has led the company to believe that a ransomware group may be behind the exploitation of the vulnerabilities.
The US cybersecurity agency CISA on Monday added CVE-2024-6670 to its Known Exploited Vulnerabilities (KEV) catalog, but it has not confirmed exploitation in ransomware attacks (KEV entries specify whether a flaw is known to have been used in ransomware campaigns). CISA has yet to add CVE-2024-6671 to this list.
At the time of writing, Progress Software’s advisory does not mention anything about in-the-wild exploitation, but the company did recently add a ‘potential indicators of compromise’ section to the advisory.
There are hundreds of internet-exposed WhatsUp Gold instances, the majority of them in Brazil, followed by India, Thailand, and the United States.
Progress Software recently patched another potentially serious WhatsUp Gold flaw that could lead to a full system compromise, but there is no indication that this security hole, tracked as CVE-2024-4885, has been exploited as well.