Widespread Exploitation of Fortinet Vulnerability (CVE-2023-48788)

Exploitation of CVE-2023-48788 in FortiClientEMS allows unauthenticated attackers to execute code via an SQL injection, enabling initial access into organizations. eSentire notes that attackers deploy persistence mechanisms such as reverse webshells and ScreenConnect RMM, and warns that without immediate patching these exploits are highly likely to lead to ransomware deployment. #CVE-2023-48788 #FortiClientEMS #ScreenConnect #LockBit

Keypoints

  • CVE-2023-48788 is a SQL injection flaw in FortiClientEMS that enables unauthenticated remote code execution for initial access.
  • The exploitation has become widespread and is considered highly probable to lead to ransomware deployment if not addressed.
  • Threat actors deploy persistence mechanisms, including reverse webshells and the ScreenConnect RMM tool, after gaining access.
  • RMM tools are increasingly misused by threat actors (e.g., to enable lateral movement) and are associated with ransomware groups like LockBit.
  • Mitigation includes patching FortiClientEMS to specific versions and reviewing devices for signs of compromise; consider blocking RMM tools if not legitimately used.
  • Threat hunts, advisories, and vulnerability plugins are part of the ongoing defensive response by eSentire.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via a SQL injection flaw; ‘Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial access into organizations.’
  • [T1218.005] Signed Binary Proxy Execution: MSI – One delivery chain combines Windows Installer (MSI) files, PowerShell, and Finger (a client-server application that lets a user query a finger server or “daemon”) to deliver the tool; ‘The first method utilizes Windows Installer (MSI) files… to deliver the tool.’
  • [T1059.001] PowerShell – Employed to set up a backdoor via an obfuscated PowerShell command; ‘an obfuscated PowerShell command to setup a backdoor which ultimately deploys the ScreenConnect tool.’
  • [T1505.003] Web Shell – Persistence mechanisms include reverse webshells used to maintain presence; ‘reverse webshells’
  • [T1021] Remote Services – Use of ScreenConnect Remote Monitoring and Management (RMM) tool for persistence and potential lateral movement; ‘ScreenConnect Remote Monitoring and Management (RMM) tool’

Indicators of Compromise

  • IP Address – 185.56.83[.]82 (Command and Control IP Address)
  • IP Address – 95.179.241[.]10 (ScreenConnect Hosting IP Address)
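
An added example (not part of the eSentire advisory) of how a defender could sweep existing network logs for the two indicators above: it refangs the bracketed-dot IPs, extracts every dotted-quad from each line with a whole-token regex so a near-miss address is not flagged, and returns the matching lines. The log lines are constructed for the example; the field layout and hostnames are assumptions, not real telemetry.

```python
import re
from typing import Iterable, List, Tuple

# The two indicators published in the advisory, kept in defanged form.
DEFANGED_IOCS = {
    "185.56.83[.]82": "Command and Control IP Address",
    "95.179.241[.]10": "ScreenConnect Hosting IP Address",
}

# Matches a whole dotted-quad token; the \b anchors stop a longer
# number from being read as one of the indicator addresses.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 185.56.83[.]82 back into 185.56.83.82."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def build_ioc_map() -> dict:
    """Map refanged IP -> description, ready for exact-match lookups."""
    return {refang(ip): desc for ip, desc in DEFANGED_IOCS.items()}


def scan_logs(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, ip, description) for every log line
    that contains one of the advisory's IP indicators."""
    iocs = build_ioc_map()
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((line_no, ip, iocs[ip]))
    return hits


# Constructed sample firewall/proxy lines (assumed format, not real data).
# Line 4 carries a near-miss address (185.56.83.8) that must not be flagged.
CONSTRUCTED_LOGS = [
    "2024-03-20T10:01:05Z fw01 allow src=10.0.5.12 dst=185.56.83.82 dport=443 proto=tcp",
    "2024-03-20T10:01:09Z fw01 allow src=10.0.5.12 dst=8.8.8.8 dport=53 proto=udp",
    "2024-03-20T10:02:41Z proxy01 CONNECT 95.179.241.10:443 user=svc_ems",
    "2024-03-20T10:03:00Z fw01 allow src=10.0.5.99 dst=185.56.83.8 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, ip, desc in scan_logs(CONSTRUCTED_LOGS):
        print(f"line {line_no}: {ip} ({desc})")
```

Point it at exported firewall, proxy or EDR network logs from the FortiClientEMS host and its neighbours; a hit on either address is a reason to treat the device as potentially compromised rather than just unpatched.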

Read more: https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788