Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

https://firewall.firm.in/wp-content/uploads/2024/12/cyberattack.png

Dec 20, 2024Ravie LakshmananVulnerability / Cyber Attack

Critical Fortinet EMS Vulnerability

A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.

The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company’s Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.

Cybersecurity

“The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN,” it said in a Thursday analysis.

Further analysis of the incident found that the threat actors took advantage of CVE-2023-48788 as an initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.

“After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool,” Kaspersky said.

Some of the other notable tools dropped over the course of the attack are listed below –

  • webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
  • Mimikatz
  • netpass64.exe, a password recovery tool
  • netscan.exe, a network scanner

The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).

Cybersecurity

Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to “collect responses from vulnerable targets” during a scan of a system susceptible to the flaw.

The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.

“The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity,” the researchers said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

Juniper Firewall
Cisco Firewall
Checkpoint Firewall
paloalto Firewall
Fortinet Firewall
Forcepoint Firewall

 

Sophos Firewall
WatchGuard Firewall
Barracuda Firewall
Sonicwall Firewall
GajShield Firewall
Seqrite Firewall

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket

Firewall Firm is a Managed Firewall Security Solution Provider Company in India | Digital Marketing by SEO Company India | Powered by IT Monteur