April 19, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Multiple Google Chrome Vulnerabilities
April 18, 2024
Multiple IBM WebSphere Vulnerabilities
April 18, 2024
Multiple Google Chrome Vulnerabilities
April 18, 2024
Multiple IBM WebSphere Vulnerabilities
April 18, 2024
Severity
High
Analysis Summary
Cybersecurity researchers have uncovered a new campaign exploiting a recently revealed security vulnerability in Fortinet FortiClient EMS devices. This flaw, identified as CVE-2023-48788 with a CVSS score of 9.3, enables attackers to execute unauthorized code or commands through specially crafted requests. Dubbed Connect:fun, the campaign employs ScreenConnect and Metasploit Powerfun payloads for post-exploitation activities.
The attack was observed targeting an undisclosed media company that had its vulnerable FortiClient EMS device exposed to the internet shortly after the disclosure of a proof-of-concept (PoC) exploit on March 21, 2024. Over the ensuing days, the threat actor attempted to exploit the flaw to download ScreenConnect unsuccessfully. However, on March 25, they successfully executed PowerShell code to download Metasploit's Powerfun script and established a reverse connection to another IP address.
"On March 21, server logs show that the threat actor tried to achieve command execution via a sequence of commands to enable advanced configuration options and the xp_cmdshell stored procedure in SQL Server," said the researchers.
Additionally, the attackers utilized SQL statements to download ScreenConnect from a remote domain using certutil subsequently installing it via msiexec and establishing connections with a command-and-control (C2) server. Evidence suggests that the threat actor has been active since at least 2022, displaying a preference for targeting Fortinet appliances and employing Vietnamese and German languages in their infrastructure.
The observed activity indicates a manual component, evidenced by multiple failed attempts to download and install tools as well as the considerable time intervals between attempts. This suggests a targeted campaign rather than automated cybercriminal botnet activity. Furthermore, the attack shares similarities with other incidents documented in March 2024 involving the exploitation of CVE-2023-48788 to download ScreenConnect and Atera.
To mitigate potential threats, organizations are advised to apply patches provided by Fortinet promptly, monitor for suspicious traffic, and utilize web application firewalls (WAFs) to block potentially malicious requests.
Impact
- Unauthorized Remote Access
- Code Execution
- Data Manipulation
Indicators of Compromise
IP
- 144.202.21.16
- 185.56.83.82
- 95.179.241.10
- 45.77.160.195
MD5
- 677fce647b0d8c2302d105080e477395
- 8d35f3ca2e59b85c8c8caed123a4f6cd
- 47665e8312db9c33a0045bd160724d5c
SHA-256
- 6558bbd0e08a187d17d7c2e1ba2a31080a86961a5a0c5c60babacf40f1dedade
- 8ef318fa5dba85344f79f7e4a7b022d09d99bbd36d5e8aa5353018c867e85b2c
- bd6bb6687318160d203eeb3e656f936b502557202c2054310768c560ba7e7822
SHA-1
- cbe8769f7d6217af0f074bc70967d4de6ad4ef33
- 54ee7e40bab670bc2fdc5dbd7787d705d643b0f9
- c377cf1efe28343422e63de2cdee5ede65148c74
URL
- http://45.227.255.213/
- http://68.178.202.116/
Remediation
- Refer to FortiGuard Advisory for patch, upgrade, or suggested workaround information.
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Be vigilant when downloading software and double-check the URL to see if it is legitimate.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.