Attackers leveraged an internet-exposed Windows server that employees used to download the policies granting them secure access to the Fortinet VPN.
Active exploitation of an already-patched vulnerability in Fortinet's FortiClient EMS has been observed. Tracked as CVE-2023-48788, it stems from improper filtering of SQL input, leaving affected systems open to SQL injection attacks.
Affected FortiClient EMS versions include 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. If the flaw is successfully exploited, attackers can execute unauthorized code or commands by sending specially crafted data packets to vulnerable systems, according to security researchers from Kaspersky's Global Emergency Response Team (GERT).
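The flaw class described above, improper filtering of SQL input, comes down to untrusted text being spliced into a query string. The following is an added illustration and not FortiClient EMS code: a hypothetical policy-lookup table in an in-memory SQLite database, queried once with string formatting (the vulnerable pattern) and once with a bound parameter (the fix). The table, column names and sample rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Build a constructed, hypothetical policy table (not the EMS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE policies (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO policies (name, owner) VALUES (?, ?)",
        [("vpn-default", "alice"), ("vpn-finance", "bob"), ("vpn-admin", "carol")],
    )
    conn.commit()
    return conn


def lookup_policy_unsafe(conn, name):
    """Vulnerable pattern: the caller-supplied name is pasted into the SQL text.

    Quote characters in `name` are interpreted as SQL, so a crafted value
    changes the WHERE clause instead of being compared as data.
    """
    query = f"SELECT name, owner FROM policies WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_policy_safe(conn, name):
    """Fixed pattern: the name is bound as a parameter.

    The driver sends the value separately from the SQL text, so it can never
    alter the statement regardless of what characters it contains.
    """
    return conn.execute(
        "SELECT name, owner FROM policies WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A textbook tautology input: the unsafe query returns every row,
    # the parameterized one matches nothing because no policy has that name.
    crafted = "x' OR '1'='1"
    print("unsafe:", lookup_policy_unsafe(db, crafted))
    print("safe:  ", lookup_policy_safe(db, crafted))
```

The test is simply to compare the row counts: a legitimate name returns one row from either function, while the crafted value returns the whole table from the unsafe query and nothing from the parameterized one. The same check, run against every query an application exposes to network input, is the review step that a filtering-based "fix" tends to miss.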
Despite a patch being available at the time of the attacks, the exploitation serves as a stark reminder of the importance of timely updates and robust patch management.
Telemetry from the company's Managed Detection and Response (MDR) services detected suspicious activity originating from an internal IP address within a customer's network.
The attackers targeted administrative shares and attempted to access registry hives using an admin account on an internet-exposed Windows server. The system in question ran vulnerable versions of FortiClient EMS, which employees used to download specific policies to their devices for secure VPN access.
Further investigation revealed that the attackers had used SQL injection to compromise the system and execute commands via a crafted Base64-encoded URL. They subsequently uploaded additional payloads to carry out discovery and lateral movement.
These activities included enumerating network resources, attempting to obtain credentials, employing defense evasion techniques, and establishing persistence using AnyDesk -- a popular remote monitoring and management (RMM) tool. Other tools, such as HRSword.exe (Huorong Internet Security), were also used for evasion.
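The post-exploitation behaviours listed above (a Base64-encoded parameter in a web request to the EMS host, an admin account reaching administrative shares, and RMM or evasion tools such as AnyDesk and HRSword.exe being started) are each visible in ordinary host and web telemetry. The script below is an added example, not Kaspersky's MDR logic or any Fortinet code: it runs three simple detections over a constructed JSON-lines log feed. The event schema (`type`, `src`, `share`, `image` fields), hostnames, IP addresses and the decoded parameter value are all made up for the example; the tool names come from the incident description.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample telemetry (JSON lines); hosts, addresses and users are fictional.
SAMPLE_LOG = r"""
{"ts":"2024-04-01T10:00:01Z","host":"EMS-SRV","type":"http","src":"203.0.113.7","url":"/api/policies?data=ZGlyIEM6XA=="}
{"ts":"2024-04-01T10:01:12Z","host":"EMS-SRV","type":"share","src":"10.0.0.23","share":"\\\\FS01\\C$","user":"emsadmin"}
{"ts":"2024-04-01T10:01:30Z","host":"EMS-SRV","type":"share","src":"10.0.0.23","share":"\\\\FS01\\ADMIN$","user":"emsadmin"}
{"ts":"2024-04-01T10:02:05Z","host":"EMS-SRV","type":"process","image":"C:\\Users\\Public\\AnyDesk.exe","user":"emsadmin"}
{"ts":"2024-04-01T10:02:40Z","host":"EMS-SRV","type":"process","image":"C:\\Temp\\HRSword.exe","user":"emsadmin"}
{"ts":"2024-04-01T10:03:00Z","host":"EMS-SRV","type":"process","image":"C:\\Windows\\System32\\notepad.exe","user":"alice"}
{"ts":"2024-04-01T10:03:10Z","host":"EMS-SRV","type":"share","src":"10.0.0.9","share":"\\\\FS01\\Public","user":"alice"}
"""

# Administrative shares: the trailing component is C$, ADMIN$ or IPC$.
ADMIN_SHARE_RE = re.compile(r"\\(C|ADMIN|IPC)\$$", re.IGNORECASE)
# Executables named in the incident write-up (RMM persistence and evasion).
SUSPECT_TOOLS = {"anydesk.exe", "hrsword.exe"}
# Cheap pre-filter so ordinary words are not fed to the Base64 decoder.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def decode_b64_param(value):
    """Return the decoded text if `value` is well-formed Base64 that decodes
    to printable ASCII, otherwise None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze(log_text):
    """Scan JSON-lines events and return (timestamp, rule, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev["type"]
        if kind == "http":
            # Any query parameter that is really Base64-wrapped text is worth a look.
            for key, values in parse_qs(urlsplit(ev["url"]).query).items():
                for v in values:
                    decoded = decode_b64_param(v)
                    if decoded is not None:
                        findings.append((ev["ts"], "b64_param",
                                         f"{key} from {ev['src']} decodes to {decoded!r}"))
        elif kind == "share" and ADMIN_SHARE_RE.search(ev["share"]):
            findings.append((ev["ts"], "admin_share",
                             f"{ev['user']} from {ev['src']} -> {ev['share']}"))
        elif kind == "process":
            image_name = ev["image"].rsplit("\\", 1)[-1].lower()
            if image_name in SUSPECT_TOOLS:
                findings.append((ev["ts"], "suspect_tool",
                                 f"{ev['user']} started {ev['image']}"))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in analyze(SAMPLE_LOG):
        print(ts, rule, detail)
```

On the sample feed the script flags the Base64 parameter, the two administrative-share accesses and the two tool launches, and stays quiet on the ordinary `Public` share and `notepad.exe`. Individually each rule is noisy in a real environment; what made the activity stand out in the incident was the combination, so in practice the findings would be grouped by source address and account, with the rule hits on one server within a short window raised as a single case.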
The attackers employed various second-stage payloads and frequently modified ScreenConnect subdomains, likely to tailor their methods across different targets.
The exploitation timeline underscores that multiple parties capitalized on the vulnerability despite the availability of official patches from Fortinet.
Separately, a sophisticated phishing campaign leveraging MSC (Microsoft Common Console Document) files and advanced obfuscation techniques to deliver stealthy backdoor payloads was recently seen targeting Pakistan with tax-themed lures in PDF form.