Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

Summary:
Threat actors are actively exploiting a recently patched security flaw impacting Fortinet FortiClient EMS in a campaign that installs remote desktop software like AnyDesk and ScreenConnect. The vulnerability is tracked as CVE-2023-48788 (CVSS score: 9.8) and is an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets. According to Kaspersky, the October 2024 attack targeted a company’s internet-facing Windows server that had two open ports associated with FortiClient EMS. Kaspersky uncovered that the adversary exploited CVE-2023-48788 as the campaign’s initial access vector and then dropped a ScreenConnect executable to gain remote access on the compromised host. The threat actor used ScreenConnect to upload additional payloads that enumerated network resources, tried to obtain credentials, performed defense evasion techniques, and achieved further persistence by dropping the AnyDesk remote control tool. Kaspersky believes this campaign has targeted various companies across multiple countries using ScreenConnect subdomains. Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script to find additional vulnerable targets.

Security Officer Comments:
A patch for CVE-2023-48788 was released in April 2024, yet this active exploitation across various companies indicates that many systems incorporating FortiClient EMS into their environment remain unpatched and susceptible to these intrusion attempts. Forescout discovered a similar campaign leveraging CVE-2023-48788 to deliver ScreenConnect, but that campaign also deployed Metasploit Powerfun payloads. The overall goal of this campaign appears to be establishing persistence while systems are still vulnerable, then harvesting credentials and moving laterally within the compromised network. This analysis highlights the constantly evolving techniques developed for initial access, juxtaposed against the well-established remote access tools commonly employed by threat actors. This campaign serves as a stark reminder of the need to keep internet-exposed technologies updated (for FortiClient EMS, to versions 7.0.11–7.0.13 or 7.2.3 and later), as unpatched exposed systems are low-hanging fruit for a cyberattack. Implementing alert notifications and patch management for any application with direct or indirect public access, and installing agents that constantly monitor and detect threats on computers, can be key factors in containing and preventing the threat.
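The patch guidance above only helps if an organization can quickly tell which of its EMS servers are still on a vulnerable build. The following is an added example, not code from Kaspersky, Forescout or Fortinet: it classifies FortiClient EMS version strings against the fixed releases the text names (7.0.11–7.0.13 and 7.2.3 and later) and ranks a constructed host inventory so that internet-facing, unpatched servers come first. Version strings outside the 7.0 and 7.2 branches are not covered by the text, so they are reported as "unknown" rather than guessed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fixed releases as stated in the advisory text above.
# 7.0 branch: 7.0.11 through 7.0.13; 7.2 branch: 7.2.3 and later.
# Anything else is not covered by the text and is reported as None (unknown).
FIXED_70_RANGE = ((7, 0, 11), (7, 0, 13))
FIXED_72_MIN = (7, 2, 3)

# Accepts "7.0.10", "v7.2.3" or "7.0.10 build 0123" (build suffix is ignored).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s+build\s*\d+)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised FortiClient EMS version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def patch_status(text: str) -> Optional[bool]:
    """True: version listed as fixed. False: covered branch but below the fix.
    None: branch (or build above the listed range) not covered by the advisory."""
    v = parse_version(text)
    major, minor, _ = v
    if (major, minor) == (7, 0):
        if v < FIXED_70_RANGE[0]:
            return False
        return True if v <= FIXED_70_RANGE[1] else None
    if (major, minor) == (7, 2):
        return v >= FIXED_72_MIN
    return None


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, str]]:
    """inventory rows: (hostname, version_string, internet_exposed).
    Returns (hostname, reason) for hosts needing action; exposed hosts first,
    confirmed-unpatched before unknown within each group."""
    findings = []
    for host, ver, exposed in inventory:
        status = patch_status(ver)
        if status is True:
            continue
        reason = ("unpatched for CVE-2023-48788" if status is False
                  else "version branch not covered by advisory; verify manually")
        findings.append((host, reason + (" (internet-facing)" if exposed else ""), exposed, status))
    findings.sort(key=lambda f: (not f[2], f[3] is None))
    return [(h, r) for h, r, _, _ in findings]


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("ems-dmz-01", "7.0.10 build 0123", True),
    ("ems-lab-02", "7.2.2", False),
    ("ems-prod-03", "7.2.4", True),
    ("ems-old-04", "7.0.12", False),
    ("ems-new-05", "7.4.0", True),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Feed it the version and exposure data from an asset inventory or EMS console export; hosts that come back first are the ones to patch or take off the internet today.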

Suggested Corrections:
IOCs and MITRE ATT&CK TTPs are available here.

In order to prevent and defend against attacks like these, Kaspersky strongly recommends always installing an EPP agent on every host running an OS — even if it’s used with a specific role — and configuring additional controls like Application Control to block the execution of legitimate tools if abused by threat actors. It is worth pointing out that an MDR implementation on computers adjacent to the initial vector was able to detect and block attackers in a timely manner, preventing them from achieving their ultimate objectives or causing major impact within the victim’s environment. Also, installing agents that constantly monitor and detect threats on computers can be a key factor in containing the threat during an incident.

Link(s):
https://thehackernews.com/2024/12/hackers-exploiting-critical-fortinet.html

https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-the-wild/115046/