A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.
The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.
Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company’s Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.
“The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN,” it said in a Thursday analysis.
Further analysis of the incident found that the threat actors took advantage of CVE-2023-48788 as an initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.
“After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool,” Kaspersky said.
Some of the other notable tools dropped over the course of the attack are listed below –
- webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
- Mimikatz
- netpass64.exe, a password recovery tool
- netscan.exe, a network scanner
The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).
Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to “collect responses from vulnerable targets” during a scan of a system susceptible to the flaw.
The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.
“The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity,” the researchers said.
