| Category | Details |
|---|---|
| Threat Actors | Unknown malicious actors targeting multiple organizations globally. |
| Campaign Overview | Exploitation of CVE-2023-48788, a SQL injection vulnerability in Fortinet FortiClient EMS; remote desktop tools (e.g., AnyDesk, ScreenConnect) deployed to maintain persistence and facilitate lateral movement. |
| Target Regions | Organizations across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. |
| Methodology | CVE-2023-48788 used for initial access; ScreenConnect executables dropped for remote access; additional payloads uploaded for discovery, credential theft, defense evasion, and persistence via remote control tools. |
| Product Targeted | Fortinet FortiClient EMS (Enterprise Management Server) |
| Malware Reference | AnyDesk and ScreenConnect remote desktop tools; password recovery tools (webbrowserpassview.exe, netpass64.exe); Mimikatz for credential theft |
| Tools Used | ScreenConnect, AnyDesk, Mimikatz, webbrowserpassview.exe, netpass64.exe, netscan.exe |
| Vulnerabilities Exploited | CVE-2023-48788 (SQL injection, CVSS score 9.3) |
| TTPs | SQL injection vulnerability exploited for initial access; remote desktop software used for persistence; network enumeration, credential theft, and defense evasion conducted. |
| Attribution | No specific attribution; the techniques are consistent with advanced threat actors refining their methods for greater complexity and impact. |
| Recommendations | Patch FortiClient EMS immediately to mitigate CVE-2023-48788; monitor and restrict access to the ports associated with FortiClient EMS; audit systems for unauthorized remote access tools (e.g., AnyDesk, ScreenConnect); deploy EDR solutions. |
| Source | The Hacker News |
Read full article: https://thehackernews.com/2024/12/hackers-exploiting-critical-fortinet.html
The above summary has been generated by an AI language model