Realistic depiction of a modern, generic firewall appliance, compactly mounted in a data center rack, with multiple network cables and illuminated blue LED indicators, emphasizing its role in network security.

Recent investigations by cybersecurity researchers have unveiled a new campaign exploiting a critical security flaw in Fortinet FortiClient EMS devices. This flaw, identified as CVE-2023-48788 and rated 9.3 on the Common Vulnerability Scoring System (CVSS), allows an unauthenticated attacker to execute unauthorized code through specially crafted requests. The discovery follows closely after the public release of a proof-of-concept exploit on March 21, 2024.

Cybersecurity firm Forescout is closely monitoring the situation under the codename Connect:fun, referencing the use of ScreenConnect and Metasploit’s Powerfun script for post-exploitation actions. The attackers targeted an unnamed media company, exploiting the vulnerability to install remote desktop software and initiate unauthorized commands.

Attack Timeline and Techniques

After the initial exposure of the vulnerability, attackers attempted to use the flaw to download ScreenConnect using the msiexec utility. Despite initial failures, by March 25, they successfully executed PowerShell code to download and deploy Powerfun, establishing a reverse connection to a foreign IP address. Furthermore, attackers executed SQL statements to fetch ScreenConnect from a suspicious domain, subsequently installing it and connecting to a command-and-control server.

Threat Actor Profile and Previous Activity

Evidence suggests that the threat actor involved has been active since at least 2022, focusing on Fortinet appliances and utilizing infrastructure in both Vietnamese and German languages. “The observed activity indicates manual intervention by the attackers, evident from multiple failed attempts and the significant time lapse between them,” explained Sai Molige, a security researcher. “This campaign appears targeted, moving away from the patterns of automated cybercriminal botnets, which typically involve mass scanning.”

Wider Security Implications and Federal Response

This campaign has been linked to other incidents reported by cybersecurity entities like Palo Alto Networks’ Unit 42 and Blumira. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded by adding CVE-2023-48788 and other vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by April 15, 2024. The listed vulnerabilities also include a severe code injection flaw in Ivanti Endpoint Manager (CVE-2021-44529) and a command injection vulnerability in Nice Linear eMerge E3-Series (CVE-2019-7256).

Ongoing Developments and Advisory Updates

Fortinet has updated its advisory to confirm that the vulnerability has been actively exploited. The details of these attacks remain under investigation. Meanwhile, CVE-2021-44529, linked to Ivanti Endpoint Manager, was discovered to potentially stem from an intentional backdoor in an open-source project, fixed in late 2021.

In a related development, CISA and the FBI have issued a joint alert to software manufacturers, highlighting the need for rigorous mitigation of SQL injection vulnerabilities, showcased by the exploitation of a critical flaw in Progress Software’s MOVEit Transfer by the Cl0p ransomware group.

This series of events underscores the persistent threat landscape facing modern enterprises and the continuous need for vigilance and prompt action in cybersecurity practices.