BleepingComputer reports that attackers began exploiting two critical SQL injection bugs in WhatsUp Gold, Progress Software's network availability and performance monitoring tool, to achieve remote code execution just five hours after security researcher Sina Kheirkhah published proof-of-concept exploit code on Aug. 30. The flaws are tracked as CVE-2024-6670 and CVE-2024-6671.
After executing several PowerShell scripts through WhatsUp Gold's Active Monitor PowerShell Script functionality, the threat actors used the Windows utility 'msiexec.exe' to install the Atera Agent, SimpleHelp Remote Access, Splashtop Remote, and Radmin remote access tools for persistence and further payload deployment, a Trend Micro analysis showed. Although the intrusions have not been attributed to a specific group, ransomware operations are believed to have been involved because several RATs were present. The development comes more than a month after the Shadowserver Foundation reported attacks targeting WhatsUp Gold instances vulnerable to the critical RCE bug tracked as CVE-2024-4885.
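The chain described above (monitoring service, then PowerShell, then 'msiexec.exe' installing a remote access tool) can be triaged from process-creation telemetry. The following is an added example, not code from Trend Micro or BleepingComputer; the event field names, the `monitor-service-placeholder.exe` image name, and the sample events are assumptions constructed for illustration.

```python
import re

# Tool names come from the article; substring-matching them in a command line is an assumption.
RMM_TOOLS = ("atera", "simplehelp", "splashtop", "radmin")
# Placeholder: replace with the image name of the monitoring service in your environment.
MONITOR_IMAGES = {"monitor-service-placeholder.exe"}
# msiexec install switches (/i or /package), as opposed to uninstall (/x) or repair.
INSTALL_FLAG = re.compile(r"(?i)(?:^|\s)[/-](i|package)\b")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestors(event, by_pid):
    """Yield parent events up the process tree, guarding against pid loops."""
    seen = set()
    ppid = event["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        parent = by_pid[ppid]
        yield parent
        ppid = parent["ppid"]

def triage(events):
    """Return (pid, severity, tool) for msiexec installs of the named tools."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "msiexec.exe":
            continue
        cmd = e["cmdline"].lower()
        tool = next((t for t in RMM_TOOLS if t in cmd), None)
        if tool is None or not INSTALL_FLAG.search(cmd):
            continue
        chain = [basename(a["image"]) for a in ancestors(e, by_pid)]
        via_ps = any(n in ("powershell.exe", "pwsh.exe") for n in chain)
        via_monitor = any(n in MONITOR_IMAGES for n in chain)
        severity = "high" if via_ps and via_monitor else "medium" if via_ps else "low"
        findings.append((e["pid"], severity, tool))
    return findings

# Constructed sample events (not taken from any real incident).
SAMPLE = [
    {"pid": 100, "ppid": 4, "image": r"C:\svc\monitor-service-placeholder.exe", "cmdline": "monitor-service-placeholder.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -File task.ps1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i C:\\Temp\\atera-setup.msi /qn"},
    {"pid": 400, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /i C:\\IT\\splashtop.msi"},
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /x {0000}"},
]
```

A "low" finding is an install of one of the named tools with no PowerShell ancestor, which is what a sanctioned IT deployment usually looks like; "high" means the install descends from PowerShell launched by the monitoring service.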