Hackers Exploiting Fortinet EMS Vulnerability to Deploy Remote Access Tools

Critical Fortinet EMS Vulnerability Under Attack

A critical vulnerability in Fortinet FortiClient EMS, now patched, is being actively exploited by threat actors in a cyber campaign aimed at installing remote desktop tools such as AnyDesk and ScreenConnect.


Tracked as CVE-2023-48788 (CVSS score: 9.3), this flaw is an SQL injection vulnerability that enables attackers to execute unauthorized commands by sending specially crafted data packets.


According to Russian cybersecurity firm Kaspersky, the attack was first detected in October 2024, targeting a Windows server belonging to an unnamed organization. The server, which was accessible over the internet, had two open ports linked to FortiClient EMS, providing an entry point for attackers.


Exploiting CVE-2023-48788 for Initial Access

FortiClient EMS allows organizations to enforce policies on corporate devices and ensure secure access to the Fortinet VPN. However, in this case, attackers leveraged CVE-2023-48788 as an initial access vector. Once inside, they deployed the ScreenConnect executable to gain remote access to the compromised server.


“Following the initial breach, the attackers uploaded additional payloads to the system, conducting reconnaissance and lateral movement activities,” Kaspersky noted. “These included network resource enumeration, credential theft, defense evasion, and persistence via the AnyDesk remote access tool.”


Malicious Tools Used in the Campaign

During the attack, the threat actors deployed a variety of malicious tools, including:

  • webbrowserpassview.exe: A password recovery tool for browsers like Internet Explorer, Firefox, Chrome, Safari, and Opera.
  • Mimikatz: A widely used tool for extracting credentials.
  • netpass64.exe: A tool for recovering network passwords.
  • netscan.exe: A network scanning tool.


The attackers are believed to have targeted organizations across multiple countries, including Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. They used various ScreenConnect subdomains, such as infinity.screenconnect[.]com (shown defanged), to facilitate their operations.
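A defender can turn the tool names and the ScreenConnect relay subdomain above into a simple hunt over endpoint telemetry. The following is an added example, not code from the report or from Kaspersky: it parses constructed process-creation and DNS events and flags the binaries listed on this page plus any `*.screenconnect.com` lookup. The `mimikatz.exe`, `screenconnect.clientservice.exe` and `anydesk.exe` file names and the log line format are assumptions.

```python
import re

# Binaries named in the campaign (this page) plus assumed file names for
# Mimikatz, the ScreenConnect client and AnyDesk.
SUSPECT_BINARIES = {
    "webbrowserpassview.exe",
    "mimikatz.exe",                      # assumed file name
    "netpass64.exe",
    "netscan.exe",
    "screenconnect.clientservice.exe",   # assumed ScreenConnect client process
    "anydesk.exe",                       # assumed AnyDesk process
}

# Any ScreenConnect relay subdomain, e.g. infinity.screenconnect.com from the report.
SCREENCONNECT_RE = re.compile(r"(?:^|\.)([a-z0-9-]+)\.screenconnect\.com$", re.I)

# Constructed sample events in an assumed format: "<timestamp> <host> <type> <value>"
SAMPLE_LOG = """\
2024-10-20T09:01:12Z ems-srv01 PROC C:\\Program Files\\Fortinet\\FortiClientEMS\\FCEMS.exe
2024-10-20T09:05:43Z ems-srv01 PROC C:\\Windows\\Temp\\webbrowserpassview.exe
2024-10-20T09:06:10Z ems-srv01 DNS  infinity.screenconnect.com
2024-10-20T09:06:11Z ems-srv01 DNS  updates.example.com
2024-10-20T09:09:55Z ems-srv01 PROC C:\\Users\\Public\\netscan.exe
2024-10-20T09:12:02Z ems-srv01 PROC C:\\Windows\\System32\\svchost.exe
"""

def parse_event(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split(None, 3)
    if len(parts) != 4:
        return None
    ts, host, kind, value = parts
    return {"ts": ts, "host": host, "kind": kind.upper(), "value": value.strip()}

def scan_log(text):
    """Return (timestamp, host, category, indicator) tuples for suspicious events."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "PROC":
            # Compare only the basename, case-insensitively, regardless of path.
            name = ev["value"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in SUSPECT_BINARIES:
                findings.append((ev["ts"], ev["host"], "process", name))
        elif ev["kind"] == "DNS":
            m = SCREENCONNECT_RE.search(ev["value"])
            if m:
                findings.append((ev["ts"], ev["host"], "screenconnect-relay", m.group(1).lower()))
    return findings
```

Matching on file name alone is a starting point; renamed copies of these tools need hash- or behaviour-based rules in addition.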


New Attack Techniques Observed

On October 23, 2024, Kaspersky detected further attempts to exploit CVE-2023-48788. This time, the attackers executed a PowerShell script hosted on a webhook[.]site domain. The script was designed to collect responses from vulnerable systems during scans.

This activity mirrors a similar campaign uncovered eight months earlier by cybersecurity firm Forescout, where attackers exploited the same vulnerability to deploy ScreenConnect and Metasploit Powerfun payloads.


Growing Complexity of Cyber Threats

Kaspersky’s researchers emphasize that threat actors are continuously evolving their tactics, making their attack techniques more sophisticated.

“The analysis of this incident revealed that attackers are refining their methods to deploy remote access tools, increasing the complexity of their campaigns,” the report concluded.

This incident highlights the urgent need for organizations to patch critical vulnerabilities promptly and implement robust cybersecurity measures to protect against evolving threats.