A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.
Dubbed “Connect:fun” by Forescout Research – Vedere Labs, this campaign leverages a critical vulnerability identified as CVE-2023-48788.
The campaign has been active since at least 2022 and has recently been observed exploiting the security management solution with increased vigor.
The Vulnerability: CVE-2023-48788
CVE-2023-48788 is an SQL injection vulnerability found within Fortinet’s FortiClient EMS. SQL injection is a type of attack that allows an adversary to interfere with an application’s database queries.
It can be used to view data that the attacker cannot normally retrieve, such as user information, or to manipulate database information.
Fortinet published an advisory about this vulnerability on March 12, 2024, and the proof of concept (PoC) for the exploit was made publicly available on March 21, 2024..
This disclosure seemingly acted as a catalyst for increased exploitation attempts by threat actors..
The Connect:fun campaign is particularly notable for its use of ScreenConnect and Powerfun as post-exploitation tools, marking it as Vedere Labs’ first-ever named campaign..
The incident that brought this campaign to light involved a media company whose FortiClient EMS was vulnerable and exposed to the internet..
The attack was not an isolated event. Scanning activity from the IP address 185[.]56[.]83[.]82 was observed targeting FortiClient EMS across various customer networks.
This activity began on March 21 and persisted through several days, indicating a concerted effort by the attackers to exploit the vulnerability across multiple potential victims.
The exploitation of CVE-2023-48788 poses a significant threat to organizations, as it can lead to unauthorized access and control over the FortiClient EMS..
This control can result in further malicious activities, including data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.
Mitigation And Defense Strategies.
In response to the Connect:fun campaign, organizations are urged to take immediate action to protect their networks:.
Apply the Patch: Fortinet has released a patch to address CVE-2023-48788. Organizations should apply this patch without delay to close the vulnerability.
Monitor Traffic: It is crucial to monitor the traffic reaching FortiClient EMS for signs of exploitation. An intrusion detection system (IDS) can be instrumental in identifying and responding to malicious activities.
Web Application Firewall (WAF): Deploying a WAF can help block potentially malicious requests and provide an additional layer of security.
Leverage IoCs and TTPs: Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) shared by cybersecurity researchers can be used to detect and prevent attacks.
Organizations using Fortinet’s FortiClient EMS must take proactive measures to secure their systems against this and other similar threats. .
Dubbed “Connect:fun” by Forescout Research – Vedere Labs, this campaign leverages a critical vulnerability identified as CVE-2023-48788.
The campaign has been active since at least 2022 and has recently been observed exploiting the security management solution with increased vigor.
The Vulnerability: CVE-2023-48788
CVE-2023-48788 is an SQL injection vulnerability found within Fortinet’s FortiClient EMS. SQL injection is a type of attack that allows an adversary to interfere with an application’s database queries.
It can be used to view data that the attacker cannot normally retrieve, such as user information, or to manipulate database information.
Fortinet published an advisory about this vulnerability on March 12, 2024, and the proof of concept (PoC) for the exploit was made publicly available on March 21, 2024..
This disclosure seemingly acted as a catalyst for increased exploitation attempts by threat actors..
The Connect:fun campaign is particularly notable for its use of ScreenConnect and Powerfun as post-exploitation tools, marking it as Vedere Labs’ first-ever named campaign..
The incident that brought this campaign to light involved a media company whose FortiClient EMS was vulnerable and exposed to the internet..
The attack was not an isolated event. Scanning activity from the IP address 185[.]56[.]83[.]82 was observed targeting FortiClient EMS across various customer networks.
This activity began on March 21 and persisted through several days, indicating a concerted effort by the attackers to exploit the vulnerability across multiple potential victims.
The exploitation of CVE-2023-48788 poses a significant threat to organizations, as it can lead to unauthorized access and control over the FortiClient EMS..
This control can result in further malicious activities, including data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.
Mitigation And Defense Strategies.
In response to the Connect:fun campaign, organizations are urged to take immediate action to protect their networks:.
Apply the Patch: Fortinet has released a patch to address CVE-2023-48788. Organizations should apply this patch without delay to close the vulnerability.
Monitor Traffic: It is crucial to monitor the traffic reaching FortiClient EMS for signs of exploitation. An intrusion detection system (IDS) can be instrumental in identifying and responding to malicious activities.
Web Application Firewall (WAF): Deploying a WAF can help block potentially malicious requests and provide an additional layer of security.
Leverage IoCs and TTPs: Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) shared by cybersecurity researchers can be used to detect and prevent attacks.
Organizations using Fortinet’s FortiClient EMS must take proactive measures to secure their systems against this and other similar threats. .
