Exploiting Critical Fortinet EMS Vulnerability to deploy RAT
Join our weekly newsletters for the latest updates and exclusive content on industry-leading AI, InfoSec, Technology, Psychology, and Literature coverage. Learn More
Introduction
A critical SQL injection vulnerability in Fortinet FortiClient Enterprise Management Server (EMS), CVE-2023-48788 (CVSS score: 9.3), is being actively exploited by hackers. This flaw enables attackers to execute unauthorized code or commands on vulnerable systems, opening the door to sophisticated cyberattacks.
Despite being patched, the vulnerability is at the center of ongoing cyber campaigns. Threat actors have used it as an entry point to install remote desktop tools such as AnyDesk and ScreenConnect, gaining unauthorized control over compromised networks.
In this article, we will break down the attack tactics, the tools deployed, and strategies to defend against such threats.
What Is CVE-2023-48788?
CVE-2023-48788 is a high-severity SQL injection vulnerability affecting Fortinet FortiClient EMS. The flaw allows attackers to send specially crafted data packets to execute arbitrary commands or code on vulnerable systems.
Key Details:
- Severity Score: 9.3 (Critical)
- Affected Component: FortiClient EMS (Enterprise Management Server)
- Impact: Unauthorized command execution, enabling remote access and lateral movement within compromised networks.
How the Attack Unfolded
Initial Access Vector:
The attackers exploited CVE-2023-48788 on a publicly exposed Windows server running FortiClient EMS. Two open ports associated with the EMS platform provided an entry point for the cybercriminals.
Attack Sequence:
- Exploitation: Hackers used the vulnerability to gain initial access.
- Tool Deployment: Dropped a ScreenConnect executable to establish remote access.
- Payload Delivery: Uploaded additional tools for reconnaissance, credential harvesting, and persistence.
Tools Used in the Attack
During the incident, the attackers deployed several tools to extend their reach within the compromised network:
- ScreenConnect: A remote desktop solution used to maintain control over the target system.
- AnyDesk: Installed as a secondary remote access tool for persistence.
- Reconnaissance Tools:
- webbrowserpassview.exe: Extracts passwords stored in browsers like Chrome, Firefox, Safari, and more.
- netscan.exe: Scans and enumerates network resources.
- Credential Harvesting Tools:
- Mimikatz: A well-known tool for extracting passwords and security tokens.
- netpass64.exe: Recovers stored network passwords.
Follow-Up Activities:
The attackers engaged in:
- Lateral Movement: Enumerating network resources to identify additional targets.
- Defense Evasion: Deploying techniques to bypass security measures.
- Persistence: Using multiple remote control tools to maintain access.
Geographic Scope of the Attack
This campaign targeted organizations across a wide geographical area, including:
- Americas: Brazil, Peru
- Europe: Croatia, France, Spain, Switzerland, Turkey
- Asia and Africa: India, Indonesia, Mongolia, Namibia, U.A.E.
Attackers utilized different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com) to target these regions, making detection and mitigation more complex.
Additional Observations
PowerShell Payload Delivery:
On October 23, 2024, further attempts were made to exploit CVE-2023-48788. This time, attackers deployed a PowerShell script hosted on webhook[.]site to gather responses from vulnerable systems during a scanning operation.
Evolution of Attack Techniques:
Kaspersky’s analysis reveals that the tactics used in these campaigns are becoming increasingly sophisticated. The attackers are continuously refining their methods, integrating advanced techniques to evade detection and expand their reach.
Previous Exploits Involving CVE-2023-48788
Earlier in 2024, cybersecurity firm Forescout uncovered a similar campaign where CVE-2023-48788 was exploited to deliver:
- ScreenConnect payloads.
- Metasploit Powerfun modules, used for advanced network reconnaissance and exploitation.
These incidents illustrate how attackers are leveraging this vulnerability for a wide range of malicious activities.
Mitigation Strategies
1. Patch Management
- Apply the latest patches for FortiClient EMS immediately to mitigate CVE-2023-48788.
- Regularly update all software and operating systems.
2. Network Hardening
- Restrict access to critical servers by closing unnecessary ports.
- Implement network segmentation to limit lateral movement.
3. Monitoring and Detection
- Use advanced endpoint detection and response (EDR) solutions to identify unusual behavior.
- Monitor traffic for signs of unauthorized remote desktop tool installations.
4. Threat Intelligence Integration
- Stay updated on emerging threats and indicators of compromise (IOCs) related to this vulnerability.
- Block malicious domains like webhook[.]site and associated ScreenConnect subdomains.
5. Employee Training
- Educate staff about phishing and social engineering tactics that might facilitate exploitation.
Conclusion
The exploitation of CVE-2023-48788 underscores the persistent risks posed by unpatched vulnerabilities in critical systems. Attackers are refining their tactics, using tools like ScreenConnect and AnyDesk to establish long-term control over compromised networks.
Organizations must remain vigilant, applying timely patches, monitoring network activity, and implementing robust security measures to protect their infrastructure.
As cyber threats continue to evolve, proactive defense and awareness are crucial in mitigating the impact of these sophisticated campaigns.
Discover more at InnoVirtuoso.com
I would love some feedback on my writing so if you have any, please don’t hesitate to leave a comment around here or in any platforms that is convenient for you.
For more on tech and other topics, explore InnoVirtuoso.com anytime. Subscribe to my newsletter and join our growing community—we’ll create something magical together. I promise, it’ll never be boring! 🙂
Stay updated with the latest news—subscribe to our newsletter today!
Thank you all—wishing you an amazing day ahead!
