FortiClient EMS Exploited: Analyzing the Attack Chain and Post-Exploitation Tactics

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Exploitation of CVE-2023-48788 to gain initial access to the network. “Exploitation of CVE-2023-48788 to gain initial access to the network.”
• [T1587.003] Develop Capabilities: Digital Certificates – Utilization of digital certificates for malicious purposes. “Utilization of digital certificates for malicious purposes.”
• [T1608.003] Stage Capabilities: Install Digital Certificate – Installation of certificates to facilitate command and control activities. “Installation of certificates to facilitate command and control activities.”
• [T1071.001] Application Layer Protocol: Web Protocols – Use of web protocols for command and control communications. “Use of web protocols for command and control communications.”
• [T1219] Remote Access Software – Installation of RMM tools for maintaining access and control. “Installation of RMM tools for maintaining access and control.”
• [T1059.001] Command and Scripting Interpreter: PowerShell – Execution of PowerShell commands for malicious activities. “Execution of PowerShell commands for malicious activities.”
• [T1595] Active Scanning – Use of tools like Nmap for network scanning and reconnaissance. “Use of tools like Nmap for network scanning and reconnaissance.”
• [T1590.005] Gather Victim Network Information: IP Addresses – Gathering information about the victim’s network structure. “Gathering information about the victim’s network structure.”
• [T1046] Network Service Discovery – Discovery of network services for lateral movement. “Discovery of network services for lateral movement.”
• [T1110] Brute Force – Brute force attempts to gain access to accounts. “Brute force attempts to gain access to accounts.”
• [T1078] Valid Accounts – Use of valid accounts for maintaining access. “Use of valid accounts for maintaining access.”
• [T1021.002] Remote Services: SMB/Windows Admin Shares – Use of SMB for lateral movement between devices. “Use of SMB for lateral movement between devices.”
• [T1021.003] Remote Services: Distributed Component Object Model – Exploitation of DCE-RPC for lateral movement. “Exploitation of DCE-RPC for lateral movement.”
• [T1569.002] System Services: Service Execution – Execution of services for malicious purposes. “Execution of services for malicious purposes.”
• [T1047] Windows Management Instrumentation – Use of WMI for executing commands remotely. “Use of WMI for executing commands remotely.”
• [T1041] Exfiltration Over C2 Channel – Data exfiltration through command and control channels. “Data exfiltration through command and control channels.”
• [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Uploading sensitive data to cloud storage services. “Uploading sensitive data to cloud storage services.”