Category | Details |
---|---|
Threat Actors | – Unknown malicious actors targeting multiple organizations globally. |
Campaign Overview | – Exploitation of CVE-2023-48788 (SQL injection vulnerability) in Fortinet FortiClient EMS. – Deployed remote desktop tools (e.g., AnyDesk, ScreenConnect) to achieve persistence and facilitate lateral movement. |
Target Regions | – Organizations across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. |
Methodology | – Used CVE-2023-48788 for initial access. – Dropped ScreenConnect executables for remote access. – Uploaded additional payloads for discovery, credential theft, defense evasion, and persistence via remote control tools. |
Product Targeted | – Fortinet FortiClient EMS (Endpoint Management Server) |
Malware / Tools Used | – No custom malware reported; the operators relied on legitimate or dual-use tooling. – Remote access: ScreenConnect, AnyDesk. – Credential theft: Mimikatz, webbrowserpassview.exe, netpass64.exe (password recovery tools). – Discovery: netscan.exe (network scanner). |
Vulnerabilities Exploited | – CVE-2023-48788: SQL injection in FortiClient EMS, CVSS 9.3. Affects EMS 7.0.1 through 7.0.10 and 7.2.0 through 7.2.2; fixed in 7.0.11 and 7.2.3. |
TTPs | – Exploited SQL injection vulnerability for initial access. – Used remote desktop software for persistence. – Conducted network enumeration, credential theft, and defense evasion. |
Attribution | – Not attributed to a named group. The tradecraft (exploiting a known vulnerability, then living off commercial remote-access and dual-use tools rather than custom malware) is consistent with actors refining their methods for complexity and impact. |
Recommendations | – Upgrade FortiClient EMS to a fixed release (7.0.11 / 7.2.3 or later) to close CVE-2023-48788. – Do not expose the EMS agent-communication and administration ports to the internet; restrict them to managed endpoints and administrators, and monitor for unexpected connections. – Audit servers and workstations for remote-access tools the organization has not sanctioned (e.g., AnyDesk, ScreenConnect) and for the credential-theft and scanning utilities listed above. – Treat an EMS server that was exposed while unpatched as potentially compromised: patching removes the entry point but not persistence already installed. – Deploy EDR on the EMS server itself and on the endpoints it manages. |
Source | The Hacker News |
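The Methodology, TTPs and Recommendations rows describe a recognizable chain: an unapproved remote-access tool appears on a host, then credential-theft and discovery utilities follow. The script below is an added example (not code from the article, Fortinet or Kaspersky) of auditing Sysmon-style process-creation records for that chain. The log records, hostnames and timestamps are constructed for the example; the ScreenConnect and Mimikatz file names are assumed, and the empty list of approved remote-access products is an assumption about the organization.

```python
"""Flag the remote-access -> credential-theft tool chain per host.

Added example, not part of the original summary.  Log records, host
names and timestamps below are constructed; ScreenConnect and Mimikatz
binary names are assumed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage labels follow the summary's TTP rows.  Needles are matched
# case-insensitively against the full image path of the new process.
INDICATORS = {
    "remote_access": ("screenconnect", "anydesk"),
    "credential_theft": ("webbrowserpassview.exe", "netpass64.exe", "mimikatz"),
    "discovery": ("netscan.exe",),
}

# Remote-access products the organization actually sanctions.  Assumed
# empty here; a real deployment lists its own approved tool paths.
APPROVED_REMOTE_ACCESS: frozenset[str] = frozenset()

# Post-exploitation tooling this long after a remote tool appears is
# correlated with it on the same host.
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    time: datetime
    image: str          # full path of the created process
    parent_image: str
    user: str


def classify(event: ProcessEvent) -> str | None:
    """Return the TTP stage an event matches, or None if it looks benign."""
    image = event.image.lower()
    for stage, needles in INDICATORS.items():
        if any(n in image for n in needles):
            if stage == "remote_access" and any(a in image for a in APPROVED_REMOTE_ACCESS):
                return None  # sanctioned product, not a finding
            return stage
    return None


def correlate(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Group suspicious events by host and mark hosts showing the chain.

    A host gets a leading 'CHAIN' note when an unapproved remote-access
    tool ran and credential theft or discovery followed within WINDOW.
    """
    by_host: dict[str, list[tuple[datetime, str, str]]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        stage = classify(ev)
        if stage:
            by_host[ev.host].append((ev.time, stage, ev.image))

    findings: dict[str, list[str]] = {}
    for host, hits in by_host.items():
        notes = [f"{stage}: {image}" for _, stage, image in hits]
        first_ra = next((t for t, s, _ in hits if s == "remote_access"), None)
        if first_ra is not None and any(
            s != "remote_access" and first_ra <= t <= first_ra + WINDOW
            for t, s, _ in hits
        ):
            notes.insert(0, "CHAIN: remote access followed by post-exploitation tooling")
        findings[host] = notes
    return findings


def sample_events() -> list[ProcessEvent]:
    """Constructed records for the example; not real telemetry."""
    t0 = datetime(2024, 12, 1, 9, 0)
    sc_svc = r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"

    def ev(host: str, mins: int, image: str, parent: str) -> ProcessEvent:
        return ProcessEvent(host, t0 + timedelta(minutes=mins), image, parent, r"NT AUTHORITY\SYSTEM")

    return [
        ev("ems01", 0, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
        ev("ems01", 5, r"C:\Windows\Temp\ScreenConnect.ClientSetup.exe", r"C:\Windows\System32\cmd.exe"),
        ev("ems01", 40, r"C:\Users\Public\netscan.exe", sc_svc),
        ev("ems01", 55, r"C:\Users\Public\webbrowserpassview.exe", sc_svc),
        ev("fs02", 0, r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe"),
        ev("ws03", 0, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ]


if __name__ == "__main__":
    for host, notes in correlate(sample_events()).items():
        print(host)
        for note in notes:
            print("   ", note)
```

On the constructed input, ems01 is reported with the CHAIN note (ScreenConnect installer, then netscan.exe and webbrowserpassview.exe spawned under the ScreenConnect service), fs02 is reported for an unapproved AnyDesk binary without follow-on tooling, and ws03 produces no finding. The file-name needles are deliberately loose; in production, pair them with hash or signer checks, since renaming the binaries defeats this kind of match.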
Read full article: https://thehackernews.com/2024/12/hackers-exploiting-critical-fortinet.html
The above summary has been generated by an AI language model