A now-patched critical security flaw affecting Fortinet FortiClient EMS is being exploited by attackers as part of a cyber campaign that installs remote desktop software such as AnyDesk and ScreenConnect.
The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection flaw that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.
Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company’s Windows server that was exposed to the Internet and had two open ports connected to FortiClient EMS.
“The targeted company uses this technology to allow employees to download specific policies to their corporate devices, giving them secure access to the Fortinet VPN,” it said in Thursday’s analysis.
Further analysis of the incident revealed that the threat actors exploited CVE-2023-48788 as the initial access vector, subsequently dropping the ScreenConnect executable to gain remote access to the compromised host.
“After the initial installation, the attackers began to download additional payloads to the compromised system to initiate discovery and lateral movement activities, such as enumerating network resources, attempting to obtain credentials, performing defense evasion techniques, and establishing a further type of persistence through the AnyDesk remote management tool,” Kaspersky said.
Some of the other notable tools dropped during the attack are listed below:
- webbrowserpassview.exe, a password recovery tool that shows passwords saved in Internet Explorer (versions 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
- Mimikatz
- netpass64.exe, password recovery tool
- netscan.exe, network scanner
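The tool list above is the kind of indicator a defender would turn into a triage rule: a remote-access client (ScreenConnect, AnyDesk) appearing on a FortiClient EMS server, followed by credential-recovery and scanning utilities, is the chain the article describes. The following script is an added example and not part of the article or Kaspersky's report; it runs over constructed, Sysmon-style process-creation log lines (not data from the incident), and the EMS parent-process name it checks for is a placeholder, not the real FortiClient EMS service name.

```python
import re
from collections import defaultdict

# Tool names taken from the article's list, lowercased for matching. Mapping each
# tool to an attack stage is an editorial assumption made for triage, not from the page.
SUSPECT_TOOLS = {
    "screenconnect": "remote access",
    "anydesk": "remote access / persistence",
    "webbrowserpassview.exe": "credential access",
    "netpass64.exe": "credential access",
    "mimikatz.exe": "credential access",
    "netscan.exe": "discovery",
}

# Placeholder for the EMS service process; the real FortiClient EMS process name is
# not given in the article, so substitute your own environment's value.
EMS_PROCESS_PLACEHOLDER = "FortiClientEMS-service.exe"

# Constructed sample log (key=value, Sysmon-like ProcessCreate events). Not real incident data.
SAMPLE_LOG = """\
time=2024-10-12T08:01:13Z host=EMS01 event=ProcessCreate image=C:\\Program Files\\Placeholder-EMS\\FortiClientEMS-service.exe parent=services.exe
time=2024-10-12T08:01:17Z host=EMS01 event=ProcessCreate image=C:\\Windows\\Temp\\ScreenConnect.ClientSetup.exe parent=FortiClientEMS-service.exe
time=2024-10-12T08:04:40Z host=EMS01 event=ProcessCreate image=C:\\Users\\Public\\netscan.exe parent=ScreenConnect.WindowsClient.exe
time=2024-10-12T08:06:02Z host=EMS01 event=ProcessCreate image=C:\\Users\\Public\\webbrowserpassview.exe parent=ScreenConnect.WindowsClient.exe
time=2024-10-12T08:09:55Z host=EMS01 event=ProcessCreate image=C:\\Users\\Public\\AnyDesk.exe parent=ScreenConnect.WindowsClient.exe
time=2024-10-12T09:00:00Z host=WS07 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
"""


def parse_line(line):
    """Split a key=value line into a dict; values may contain spaces (e.g. 'Program Files')."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def basename(path):
    """Return the lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image):
    """Return (tool, stage) if the image name matches a listed tool, else None."""
    name = basename(image)
    for tool, stage in SUSPECT_TOOLS.items():
        if name.startswith(tool):
            return tool, stage
    return None


def analyze(log_text, ems_process=EMS_PROCESS_PLACEHOLDER):
    """Collect per-host hits on listed tools, flagging those spawned directly by the EMS process."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("event") != "ProcessCreate":
            continue
        hit = classify(ev.get("image", ""))
        if hit is None:
            continue
        tool, stage = hit
        findings[ev["host"]].append({
            "time": ev["time"],
            "tool": tool,
            "stage": stage,
            # A remote-access installer launched by the EMS service itself is the strongest signal.
            "spawned_by_ems": basename(ev.get("parent", "")) == ems_process.lower(),
        })
    return dict(findings)


def hosts_with_full_chain(findings):
    """Hosts where a remote-access tool appeared and credential-access or discovery tooling also ran."""
    out = []
    for host, events in findings.items():
        stages = [e["stage"] for e in events]
        has_rat = any(s.startswith("remote access") for s in stages)
        has_follow_on = any(s in ("credential access", "discovery") for s in stages)
        if has_rat and has_follow_on:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for host, events in results.items():
        for e in events:
            flag = " (spawned by EMS process)" if e["spawned_by_ems"] else ""
            print(f"{e['time']} {host}: {e['tool']} [{e['stage']}]{flag}")
    print("hosts showing the full chain:", hosts_with_full_chain(results))
```

The matching is deliberately name-based and simple; in practice it belongs behind a hash or signer check, since these utilities are also run legitimately by administrators. The point it demonstrates is the sequencing: an EMS server that spawns a remote-access installer and then shows credential-recovery and network-scanning binaries within minutes matches the chain the article describes, whatever the individual binaries are called.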
The threat actors behind the campaign are believed to have targeted various companies located in Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the UAE using various ScreenConnect subdomains (such as infinity.screenconnect(.)com).
Kaspersky said that on October 23, 2024, it discovered further attempts to weaponize CVE-2023-48788, this time to execute a PowerShell script hosted on the webhook(.)site domain to “collect responses from vulnerable targets” while scanning for systems susceptible to the flaw.
The disclosure comes more than eight months after cybersecurity firm Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver the ScreenConnect and Metasploit Powerfun payloads.
“Analysis of this incident helped us establish that the methods currently used by attackers to deploy remote access tools are constantly evolving and becoming more sophisticated,” the researchers said.