Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities

    Date: 09/13/2024

    Severity: Medium

    Summary

    The document "Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities" addresses security measures for defending against Remote Code Execution (RCE) vulnerabilities in WhatsUp Gold, a network monitoring tool. It outlines the risks associated with these vulnerabilities, which could allow attackers to execute malicious code remotely and potentially compromise systems. The document provides strategies for mitigating these threats, including applying patches, configuring security settings properly, and monitoring network traffic for unusual activities. By following these recommendations, organizations can enhance their defenses and reduce the risk of exploitation through these specific vulnerabilities.

    Indicators of Compromise (IOC) List

    URL/Domain 

    http://45.227.255.216:29742/ddQCz2CkW8/setup.msi

    https://webhook.site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837

    https://fedko.org/wp-includes/ID3/setup.msi

    http://185.123.100.160/access/Remote Access-windows64-offline.exe

    IP Address

    185.123.100.160

    Hash

    992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90
    
    6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce
    
    f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "http://45.227.255.216:29742/ddQCz2CkW8/setup.msi" or url like "http://45.227.255.216:29742/ddQCz2CkW8/setup.msi" or userdomainname like "https://webhook.site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837" or url like "https://webhook.site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837" or userdomainname like "https://fedko.org/wp-includes/ID3/setup.msi" or url like "https://fedko.org/wp-includes/ID3/setup.msi" or userdomainname like "http://185.123.100.160/access/Remote Access-windows64-offline.exe" or url like "http://185.123.100.160/access/Remote Access-windows64-offline.exe"

    IP Address

    dstipaddress IN ("185.123.100.160") or ipaddress IN ("185.123.100.160") or publicipaddress IN ("185.123.100.160") or srcipaddress IN ("185.123.100.160")

    Hash

    sha256hash IN ("992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90","6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce","f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4")
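    The following is an added example, not part of this advisory and not Gurucul's own tooling: it applies the same indicator set and the same field names the TDIR queries use to constructed JSON-lines log events, and adds two normalisation steps a practitioner would want that an exact-string query does not cover (percent-encoded URLs, such as the space in "Remote Access-windows64-offline.exe", and upper-case SHA-256 values). The event layout and the "id" field are assumptions.

```python
import json
from urllib.parse import unquote

# Indicator values copied from the advisory's IOC list above
IOC_URLS = {
    "http://45.227.255.216:29742/ddQCz2CkW8/setup.msi",
    "https://webhook.site/b6ef7410-9ec8-44f7-8cdf-7890c1cf5837",
    "https://fedko.org/wp-includes/ID3/setup.msi",
    "http://185.123.100.160/access/Remote Access-windows64-offline.exe",
}
IOC_IPS = {"185.123.100.160"}
IOC_SHA256 = {
    "992974377793c2479065358b358bb3788078970dacc7c50b495061ccc4507b90",
    "6daa94a36c8ccb9442f40c81a18b8501aa360559865f211d72a74788a1bbf3ce",
    "f1c68574167eaea826a90595710e7ee1a1e75c95433883ce569a144f116e2bf4",
}
# Field names mirror the ones the TDIR queries search (event layout is assumed)
URL_FIELDS = ("url", "userdomainname")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

def match_event(event):
    """Return a list of "kind:field" strings for every IOC the event hits."""
    hits = []
    for field in URL_FIELDS:
        value = event.get(field)
        # Proxies usually log the space in "Remote Access-..." as %20; an exact
        # string match on the raw value would miss it, so decode first.
        if value and unquote(value) in IOC_URLS:
            hits.append("url:" + field)
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            hits.append("ip:" + field)
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_SHA256:  # tools differ on hex case
        hits.append("hash:sha256hash")
    return hits

def scan(jsonl):
    """Scan newline-delimited JSON events; return {id: hits} for matches only."""
    events = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return {e["id"]: h for e in events if (h := match_event(e))}

# Constructed sample events (JSON lines), not taken from any real incident
SAMPLE_LOG = """
{"id": 1, "url": "http://185.123.100.160/access/Remote%20Access-windows64-offline.exe", "dstipaddress": "185.123.100.160"}
{"id": 2, "srcipaddress": "10.0.0.5", "url": "https://example.com/index.html"}
{"id": 3, "sha256hash": "F1C68574167EAEA826A90595710E7EE1A1E75C95433883CE569A144F116E2BF4"}
"""
```

Running `scan(SAMPLE_LOG)` flags events 1 and 3 and leaves the clean event 2 out; events 1 and 3 would both be missed by a raw exact match on the values as logged.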

    Reference: 

    https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html


    Tags

    Malware, Exploitation, PowerShell Attack
