THE THREAT
Beginning on March 24th, 2024, eSentire observed a significant increase in exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial access into organizations.
In incidents identified by eSentire, threat actors exploited CVE-2023-48788 for initial access into victim networks. After access was established, threat actors deployed persistence mechanisms, including reverse webshells and the ScreenConnect Remote Monitoring and Management (RMM) tool. Attacks were disrupted before threat actors completed their actions on objectives; as such, final payloads have not been identified.
Exploitation of CVE-2023-48788 is now considered to be widespread. Based on observed tactics, the eSentire Threat Intelligence team assesses that it is highly probable that, if not addressed, attacks exploiting the vulnerability will result in ransomware deployment. Due to these considerations, immediate patching is critical, and all potentially impacted devices should be reviewed for signs of compromise.
What we’re doing about it
- Recently identified incidents were detected via eSentire MDR for Endpoint, powered by BlueSteel
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2023-48788
- Known malicious IP addresses are blocked via the eSentire Global Block List
- The eSentire Threat Intelligence team has performed threat hunts across the client base
- eSentire’s Threat Response Unit (TRU) is actively reviewing both Proof-of-Concept (PoC) exploit code and observed incidents for additional detection opportunities
- eSentire released an advisory for CVE-2023-48788 on March 14th
What you should do about it
- After performing a business impact review, apply the relevant security patches immediately
- CVE-2023-48788 impacts the following versions:
  - FortiClientEMS 7.2.0 through 7.2.2 (upgrade to 7.2.3 or above)
  - FortiClientEMS 7.0.1 through 7.0.10 (upgrade to 7.0.11 or above)
- Any devices that were not patched prior to March 21st should be reviewed for signs of malicious activity
- Consider blocking Remote Monitoring and Management tools, such as ConnectWise ScreenConnect, if they are not legitimately used in your environment
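To make the affected-version list above actionable during a business impact review, the following added example (not eSentire's or Fortinet's code) classifies a FortiClientEMS version string against the two affected ranges and fixed versions the advisory lists. The `parse_version`/`assess_version` names and the "unlisted" status for versions outside those ranges are this example's own conventions; any version the advisory does not name should be confirmed against the vendor PSIRT entry rather than assumed safe.

```python
"""Classify a FortiClientEMS version against the CVE-2023-48788 affected ranges.

Added illustration; the ranges below are the ones the advisory lists:
  7.2.0 through 7.2.2  -> upgrade to 7.2.3 or above
  7.0.1 through 7.0.10 -> upgrade to 7.0.11 or above
"""

# (lowest affected, highest affected, first fixed release) per advisory
AFFECTED_RANGES = [
    ((7, 2, 0), (7, 2, 2), "7.2.3"),
    ((7, 0, 1), (7, 0, 10), "7.0.11"),
]


def parse_version(text):
    """Turn '7.0.10' into the tuple (7, 0, 10); reject anything else.

    Tuples compare element-wise, so (7, 0, 10) > (7, 0, 2) as intended,
    whereas a plain string comparison would get that wrong.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiClientEMS version format: {text!r}")
    return tuple(int(p) for p in parts)


def assess_version(text):
    """Return (status, action) for a version string.

    status is one of:
      'vulnerable' - inside an affected range listed in the advisory
      'patched'    - same major.minor branch, at or above the fixed release
      'unlisted'   - not covered by the advisory's ranges (e.g. 7.0.0, 6.x);
                     treat as 'confirm with the vendor', not as safe
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return ("vulnerable", f"upgrade to {fixed} or above")
        same_branch = version[:2] == low[:2]
        if same_branch and version >= parse_version(fixed):
            return ("patched", "no action required for CVE-2023-48788")
    return ("unlisted", "not in the advisory's affected ranges; confirm against the vendor PSIRT")


def triage(versions):
    """Summarise a fleet of (hostname, version) pairs by status."""
    summary = {"vulnerable": [], "patched": [], "unlisted": []}
    for host, version in versions:
        status, action = assess_version(version)
        summary[status].append((host, action))
    return summary


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    fleet = [("ems-01", "7.2.1"), ("ems-02", "7.0.11"), ("ems-03", "7.0.0")]
    for status, hosts in triage(fleet).items():
        print(status, hosts)
```

Because every release in an affected range maps to a single fixed version, the function also returns the upgrade target, so the output can be handed straight to whoever schedules the patch window.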
Additional information
CVE-2023-48788 was initially disclosed by Fortinet on March 12th, 2024. On March 21st, Fortinet updated their advisory to add that exploitation in the wild had been observed; no additional details were shared at the time. On the same day, Horizon3.ai released technical details on the vulnerability as well as Proof-of-Concept (PoC) exploit code. The release of PoC exploit code significantly lowers the barrier to exploitation and allows even low-skilled threat actors to exploit complex vulnerabilities. As of March 25th, CISA has added CVE-2023-48788 to the Known Exploited Vulnerabilities Catalog; government agencies have been given until April 15th to ensure all impacted devices are remediated.
RMM tools, including ScreenConnect, are increasingly being misused by threat actors. Ransomware groups, such as LockBit, employ these tools to enable lateral movement and the targeting of downstream customers. These tools are beneficial to threat actors as they are not specifically malicious and are less likely to be detected compared to custom tools. For more information on the abuse of RMM tools by threat actors, see the October 2023 TRU Intelligence Briefing.
Based on eSentire observations, threat actors are now exploiting CVE-2023-48788 and using multiple methods to deliver the ScreenConnect RMM tool. The first method utilizes Windows Installer (MSI) files, PowerShell, and Finger, a client-server application that allows a user to interact with a finger server or “daemon,” to deliver the tool (Figures 1-2). The other method relies solely on an obfuscated PowerShell command to set up a backdoor which ultimately deploys the ScreenConnect tool (Figures 3-6). Figure 5 shows an updated version of Ben Turner’s and Dave Hardy’s Powerfun script. A very similar script was observed by The DFIR Report in their article titled From ScreenConnect to Hive Ransomware in 61 hours. While eSentire has not observed ransomware deployment as a result of CVE-2023-48788 exploitation, Fortinet vulnerabilities have been a common initial access vector for ransomware groups.
Indicators of Compromise

| Indicator | Description |
|---|---|
| 185.56.83[.]82 | Command and Control IP Address |
| 95.179.241[.]10 | ScreenConnect Hosting IP Address |
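The two delivery chains described above (MSI plus PowerShell plus Finger, and the PowerShell-only backdoor that stages ScreenConnect) and the IoC table give a defender two things to hunt for: the published IP addresses in network telemetry, and the process lineage on endpoints. The following added example (not eSentire's detection content) refangs the advisory's two indicators and runs simple matching over constructed sample log lines; the log format, field names, process names in the samples and the `scan`/`ioc_hits`/`suspicious_process` helpers are assumptions made for the illustration.

```python
"""Hunt for CVE-2023-48788 follow-on activity in sample telemetry.

Added illustration, not eSentire's code. The two IP indicators are the ones
the advisory publishes; everything else (log format, sample lines, process
names) is constructed for the example.
"""
import re

# Indicators exactly as published in the advisory (defanged with "[.]")
IOCS_DEFANGED = {
    "185.56.83[.]82": "Command and Control IP Address",
    "95.179.241[.]10": "ScreenConnect Hosting IP Address",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOCS = {refang(k): v for k, v in IOCS_DEFANGED.items()}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PROC_RE = re.compile(r"parent=(\S+)\s+child=(\S+)")

# Constructed sample telemetry (assumed key=value format, not a real incident):
# proxy lines carry src/dst, proc lines carry a parent -> child process pair.
SAMPLE_LOGS = [
    "2024-03-24T10:15:02Z proxy src=10.0.5.4 dst=185.56.83.82 dport=443 action=allow",
    "2024-03-24T10:15:40Z proc parent=powershell.exe child=finger.exe cmdline=\"<constructed>\"",
    "2024-03-24T10:16:10Z proc parent=msiexec.exe child=ScreenConnect.ClientService.exe cmdline=\"<constructed>\"",
    "2024-03-24T11:00:00Z proxy src=10.0.5.9 dst=8.8.8.8 dport=53 action=allow",
    "2024-03-24T11:05:00Z proc parent=explorer.exe child=notepad.exe cmdline=\"notepad.exe\"",
]


def ioc_hits(line):
    """Return [(ip, description)] for every published indicator seen in the line."""
    return [(ip, IOCS[ip]) for ip in IP_RE.findall(line) if ip in IOCS]


def suspicious_process(line):
    """Flag process lineage matching the delivery chains described in the advisory.

    Returns a reason string, or None for lines that do not match.
    """
    match = PROC_RE.search(line)
    if not match:
        return None
    parent, child = (name.lower() for name in match.groups())
    if parent == "powershell.exe" and child == "finger.exe":
        return "finger client launched from PowerShell (MSI/PowerShell/Finger delivery chain)"
    if parent == "msiexec.exe" and child.startswith("screenconnect"):
        return "ScreenConnect installed via MSI; confirm the RMM tool is sanctioned here"
    return None


def scan(lines):
    """Run both checks over the lines; returns [(timestamp, finding)]."""
    findings = []
    for line in lines:
        timestamp = line.split(" ", 1)[0]
        for ip, description in ioc_hits(line):
            findings.append((timestamp, f"IoC {ip}: {description}"))
        reason = suspicious_process(line)
        if reason:
            findings.append((timestamp, reason))
    return findings


if __name__ == "__main__":
    for timestamp, finding in scan(SAMPLE_LOGS):
        print(timestamp, finding)
```

IP indicators age quickly, so a hit on either address is a pivot point for a review of the host's process history rather than a verdict on its own; the lineage checks are the part that keeps working after the infrastructure changes.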
References:
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-48788
[2] https://www.esentire.com/security-advisories/critical-fortinet-vulnerability-disclosed
[3] https://fortiguard.fortinet.com/psirt/FG-IR-24-007
[4] https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/
[5] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://www.esentire.com/resources/library/october-2023-tru-intelligence-briefing-on-demand
[7] https://github.com/davehardy20/PowerShell-Scripts/blob/master/Invoke-Powerfun.ps1
[8] https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
[9] https://www.esentire.com/blog/hackers-exploit-fortinet-devices-to-spread-ransomware-within-corporate-environments-warns-esentire