December 20, 2024
Severity
High
Analysis Summary
Threat actors are exploiting a now-patched critical vulnerability in Fortinet FortiClient EMS as part of a campaign that deploys remote desktop software such as AnyDesk and ScreenConnect. The flaw, CVE-2023-48788 (CVSS score: 9.3), is an SQL injection vulnerability that allows an unauthenticated attacker to send specially crafted requests to the EMS server and execute unauthorized code or commands.
According to researchers, the October 2024 attack targeted an Internet-exposed Windows server belonging to an unnamed company; two ports associated with FortiClient EMS were reachable from the Internet. The victim organization uses FortiClient EMS to push policies to employees' corporate devices so that they can connect securely to the Fortinet VPN.
Further analysis showed that the threat actors exploited CVE-2023-48788 for initial access and then dropped a ScreenConnect executable to obtain remote access to the compromised host. Once that foothold was established, they uploaded additional payloads to begin discovery and lateral movement: enumerating network resources, attempting to harvest credentials, applying defense-evasion techniques, and establishing additional persistence through the AnyDesk remote control tool.
The threat actors behind the campaign are believed to have used a number of ScreenConnect subdomains (such as infinity.screenconnect[.]com) to target organizations in Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the United Arab Emirates. On October 23, 2024, researchers observed further attempts to weaponize CVE-2023-48788, this time to run a PowerShell script hosted on a webhook[.]site domain that collected responses from vulnerable targets while the attackers scanned for exposed instances.
This activity comes more than eight months after researchers reported a similar campaign that exploited CVE-2023-48788 to deliver Metasploit Powerfun and ScreenConnect payloads. Based on the analysis of this incident, the researchers conclude that the attackers' methods for deploying remote access tools continue to evolve and grow more sophisticated.
Impact
- Code Execution
- Unauthorized Access
- Credential Theft
Indicators of Compromise
IP
- 45.141.84.45
MD5
- fae1061813f2148296767d28262d2c25
- 9c4e8fcf813d2ac9eb906589f801793f
- f3d20449bab41301aefad304cb02773b
- ca564428a29faf1a613f35d9fa36313f
- f6efd0e3b1d30954b1f67bef372bef79
- 29efd64dd3c7fe1e2b022b7ad73a1ba5
- 0f73b467ff03f9224c024f4eb3aecedb
- 77dc1c872f1a1f2fce9c8a09a3f11f40
- 866f4091798cd86c8dfda496e18ee7ea
- 46aacb2243b0e658cb2b835bc8a3ab90
SHA-256
- c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4
- fac12c22f4891b864367b6fd0aaf4554faf9d2be4775f04187fd4e6577fb76f8
- c41216eee9756a1dcc546df4fe97defc05513eed64ce6ac05f1501b50e6f96cc
- 3bb8445c95142da1bda0e3440b53cc70e05a3fe996a77e6dcfb2919fd8878ca9
- 99839c78ee69f81fe0a92d3fea01eb50d7bd47cbaf90fdb64bda9bcfbe29955a
- 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
- e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e
- 2bd68a856123c8564b6b6a3b23cd70584295f21bbe996a9f429b8edeff2226d0
- 196fd50bead058b7fdcde61f99a71fe95e09d304ec23e72691e243085b350303
- 96bbebe2e160ecd69bc9f0190e25a519335a58908bd231715aab1137774868d5
SHA1
- 746710470586076bb0757e0b3875de9c90202be2
- bc29888042d03fe0ffb57fc116585e992a4fdb9b
- 73f8e5c17b49b9f2703fed59cc2be77239e904f7
- 841fff3a36d82c14b044da26967eb2a8f61175a8
- cf1ca6c7f818e72454c923fea7824a8f6930cb08
- e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69
- 75ebd5bab5e2707d4533579a34d983b65af5ec7f
- 83cff3719c7799a3e27a567042e861106f33bb19
- 44b83dd83d189f19e54700a288035be8aa7c8672
- 8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8
URL
- https://trembly.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest
- https://solarnyx2410150445.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest
- http://185.196.9.31:8080/bd7OZy3uMQL-YabI8FHeRw
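The indicators above are only useful once they are matched against telemetry, and the campaign rotated ScreenConnect subdomains, so exact-URL matching alone is not enough. The script below is an added example, not code from the advisory or from the researchers: it loads a subset of the indicators listed above, then classifies constructed sample events (proxy, file-creation and network-connection records in a simplified key=value format that is an assumption of this example, not any vendor's schema). It goes beyond the listed IOCs in one deliberate way, flagging any ScreenConnect client download from the cloud-hosted *.screenconnect.com service and any webhook.site callback, both of which the text names as campaign infrastructure. The allow-listed host corp-it.screenconnect.com is hypothetical and stands in for an organization's own legitimate ScreenConnect instance.

```python
"""IOC hunt for the CVE-2023-48788 / ScreenConnect campaign (added example)."""
import re
from urllib.parse import urlsplit


def refang(ioc: str) -> str:
    """Turn defanged indicators ('x[.]com', 'hxxp://') back into a matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


# Subset of the advisory's indicators (see the IOC section above).
IOC_IPS = {"45.141.84.45"}
IOC_HASHES = {h.lower() for h in {
    "fae1061813f2148296767d28262d2c25",                                  # MD5
    "746710470586076bb0757e0b3875de9c90202be2",                          # SHA1
    "c7d994eb2042633172bd8866c9f163be531444ce3126d5f340edd25cbdb473d4",  # SHA-256
}}
IOC_URLS = {refang(u) for u in {
    "https://trembly.screenconnect[.]com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest",
    "https://solarnyx2410150445.screenconnect[.]com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest",
    "http://185.196.9[.]31:8080/bd7OZy3uMQL-YabI8FHeRw",
}}
# Hosts embedded in the IOC URLs (e.g. 185.196.9.31) are network indicators too.
IOC_HOSTS = IOC_IPS | {urlsplit(u).hostname for u in IOC_URLS}

# Generalisation: the campaign used many ScreenConnect subdomains, so match the
# client-installer path on any *.screenconnect.com host rather than exact URLs.
SC_CLIENT_DL = re.compile(r"/Bin/ScreenConnect\.ClientSetup\.exe$", re.I)


def classify(line: str, allow_hosts=frozenset()) -> list:
    """Return the list of reasons an event is suspicious (empty if none).

    Event format (an assumption of this example): 'kind<TAB>key=value key=value ...'
    """
    _kind, _, rest = line.partition("\t")
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    reasons = []

    url = fields.get("url")
    if url:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if url in IOC_URLS:
            reasons.append("known_ioc_url")
        elif host in IOC_HOSTS:
            reasons.append("known_ioc_host")
        if host not in allow_hosts:   # skip the organisation's own instance
            if host.endswith(".screenconnect.com") and SC_CLIENT_DL.search(parts.path):
                reasons.append("screenconnect_client_download")
            if host == "webhook.site" or host.endswith(".webhook.site"):
                reasons.append("webhook_site_callback")

    for algo in ("md5", "sha1", "sha256"):
        if fields.get(algo, "").lower() in IOC_HASHES:
            reasons.append(f"known_ioc_{algo}")

    if fields.get("dst") in IOC_HOSTS:
        reasons.append("known_ioc_ip")
    return reasons


def hunt(events, allow_hosts=frozenset()) -> list:
    """Return (event, reasons) pairs for every event that matched something."""
    hits = []
    for event in events:
        reasons = classify(event, allow_hosts)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry (not real logs); the webhook.site path is made up.
SAMPLE_EVENTS = [
    "proxy\tsrc=10.20.30.40 url=https://abc123.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest",
    "proxy\tsrc=10.20.30.41 url=https://corp-it.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest",
    "proxy\tsrc=10.20.30.40 url=https://webhook.site/00000000-0000-0000-0000-000000000000",
    "proxy\tsrc=10.20.30.42 url=https://www.example.com/",
    "file\thost=EMS01 path=C:\\Windows\\Temp\\svc.exe sha256=C7D994EB2042633172BD8866C9F163BE531444CE3126D5F340EDD25CBDB473D4",
    "net\tsrc=10.20.30.40 dst=45.141.84.45 dport=443",
    "net\tsrc=10.20.30.40 dst=185.196.9.31 dport=8080",
]

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS, allow_hosts={"corp-it.screenconnect.com"}):
        print(", ".join(reasons), "<-", event)
```

Run against the constructed events, five of the seven are flagged: the unknown ScreenConnect subdomain, the webhook.site callback, the file with an advisory SHA-256, and the two outbound connections; the allow-listed instance and the benign site are not. The allow list matters in practice: ScreenConnect is a legitimate product, so a server that should never run remote support tools is the right scope for the generalized rule, and hashes should be compared case-insensitively because collection tools differ in case.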
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Refer to the FortiGuard advisory for CVE-2023-48788 (FG-IR-24-007) for patch, upgrade, or workaround information; the vulnerability is fixed in FortiClient EMS 7.0.11 and 7.2.3 and later.
- Do not expose the FortiClient EMS management interface directly to the Internet. The server compromised in this campaign had its EMS ports reachable from the Internet; restrict them to trusted management networks or a VPN.
- Implement a robust vulnerability management program to regularly scan for and identify vulnerabilities in your environment, with particular attention to Internet-facing management servers such as FortiClient EMS. Prioritize patching and remediation based on criticality and impact.
- Implement network segmentation to isolate critical systems from other less critical systems. This can help contain the impact of a potential compromise and limit lateral movement within the network.
- Follow the principle of least privilege for user accounts and ensure that only authorized personnel have administrative access. Regularly review and revoke unnecessary privileges to minimize the attack surface.
- Deploy robust security monitoring and intrusion detection systems to detect suspicious activity or indicators of compromise. Implement real-time log analysis and alerting to identify unauthorized access attempts; in particular, alert on unexpected ScreenConnect or AnyDesk installations, and on outbound connections to *.screenconnect.com or webhook.site, from servers that should never run remote support tools.
- Educate users and system administrators about the latest threats, phishing techniques, and social engineering tactics employed by threat actors. Encourage a culture of security awareness and promote safe computing practices.