Forescout discloses Connect:fun exploitation campaign targeting organizations using Fortinet’s FortiClient EMS

Researchers from Forescout Research – Vedere Labs have uncovered an exploitation campaign targeting organizations that run Fortinet’s FortiClient EMS, which is susceptible to CVE-2023-48788. The campaign, dubbed ‘Connect:fun,’ is named for its use of ScreenConnect and Powerfun as post-exploitation tools, and it is Forescout’s first named campaign.

The incident involved a media company affected by CVE-2023-48788. The evidence points to a possible threat actor that has been active since at least 2022, has focused on Fortinet appliances, and uses Vietnamese and German languages in its infrastructure. The team is actively monitoring this infrastructure and plans to provide further updates on the threat actor in upcoming reports.

“On March 12, 2024, Fortinet published an advisory about CVE-2023-48788, a SQL injection vulnerability in its FortiClient EMS security management solution,” Sai Molige wrote in the report titled ‘Connect:fun: Detailing an exploitation campaign targeting FortiClient EMS via CVE-2023-48788’. “On March 21, researchers released a proof of concept (PoC) exploit for the vulnerability, and since then, there have been reports of exploits in the wild leading CISA to add the CVE to its list of Known Exploited Vulnerabilities (KEV) on March 25.”

Also on March 25, U.S. security agencies published a joint Secure by Design (SbD) alert in response to the recent exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. The alert also highlights the prevalence of this class of vulnerability: despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to ship products with this defect, which puts many customers at risk.
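The defect the SbD alert describes, and the mitigation it says has long been available, are easiest to see side by side. The following is an added illustration, not code from Forescout, Fortinet or the alert, and it uses a constructed in-memory SQLite table rather than the FortiClient EMS schema, which the article does not describe:

```python
import sqlite3

# Constructed in-memory user table standing in for a product's data store.
# This is NOT the FortiClient EMS schema; the article does not describe it.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The defect: untrusted input is spliced into the SQL text, so a quote
    # character in the input changes the statement's structure instead of
    # being treated as data.
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    # The mitigation: the statement is fixed and the value is bound as a
    # parameter; the driver never interprets it as SQL, so a quote in the
    # input simply fails to match any row.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # A textbook tautology input: it should match nobody, yet the vulnerable
    # version returns every row because the WHERE clause has been rewritten.
    probe = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```

The only difference between the two functions is whether the input reaches the database as part of the statement text or as a bound value; the second form is what a WAF or IDS cannot substitute for and what the alert asks manufacturers to adopt by default.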

Earlier this month, Vedere Labs researchers revealed that U.S. networks have experienced a significant 40 percent year-on-year increase in Chinese-made devices, despite official bans. Critical infrastructure organizations are among those that use the highest numbers of such devices and some of these industries more than doubled the number of Chinese-manufactured devices in their networks in one year. 

Molige said that the team observed the same IP address used for initial access scanning for FortiClient EMS in other customer networks beginning March 21 and continuing until March 28. “This was also seen in customers who do not use FortiClient EMS in their environment, but who use other VPN applications. However, we do not see indiscriminate automated exploitation attempts on honeypots, as we have seen in the past with other vulnerabilities on edge devices.” 

He added that the observed activity has a manual component, which is evidence that it is part of a specific campaign rather than an exploit included in automated cybercriminal botnets.

“From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances,” according to the Connect:fun report. “Other cybersecurity companies have also seen similar incidents with manual exploitation of CVE-2023-48788 to download similar software, including IP addresses and infrastructure that intersect with our observations. In addition to the incident details, we share TTPs and IoCs employed by the threat actor with detection opportunities, as well as log collection and threat hunting opportunities for security teams.”

The Connect:fun report added: “On April 4, we saw hundreds of hosts exposed to the internet running FortiClient EMS. Based on the Shodan information, 21% of hosts are in the United States, 10% in Australia, and between 5% and 6% are in Germany, China, and the Netherlands — with the remaining 51% spread around the world. Many of these hosts are in educational or governmental institutions.”

To mitigate exploitation of CVE-2023-48788, Forescout called on organizations to ensure that traffic reaching FortiClient EMS is continuously monitored for signs of exploitation using an intrusion detection system (IDS); to consider a web application firewall (WAF) to block potentially malicious requests; and to use the published IoCs and TTPs for threat detection and hunting in the network.
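As an added example of the log-review and threat-hunting step Forescout recommends (this is not Forescout's tooling and not a detection signature from the report), the script below scans web-server-style access log lines for requests that try to alter SQL structure and cross-checks the source address against an IoC list. The log lines, the endpoints and the IoC address are all constructed placeholders; the article does not publish the actual IoCs or the FortiClient EMS log format, so a practitioner would substitute both.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in the common 'ip - - [time] "METHOD path" status'
# shape. They are invented for this example and do not reproduce FortiClient EMS
# logs, whose format and endpoints this article does not describe.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Mar/2024:10:01:02 +0000] "GET /api/status HTTP/1.1" 200
198.51.100.7 - - [21/Mar/2024:10:02:11 +0000] "GET /api/items?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 500
198.51.100.7 - - [21/Mar/2024:10:02:13 +0000] "GET /api/items?id=1%27%20UNION%20SELECT%20name,role%20FROM%20users-- HTTP/1.1" 500
192.0.2.44 - - [21/Mar/2024:10:03:00 +0000] "GET /api/items?id=7 HTTP/1.1" 200
192.0.2.44 - - [21/Mar/2024:10:03:04 +0000] "GET /api/search?q=O%27Brien HTTP/1.1" 200
"""

# PLACEHOLDER for the report's IoC addresses, which this article does not list.
IOC_IPS = {"198.51.100.7"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators that a request is trying to change SQL structure rather than pass data.
# A lone apostrophe (as in O'Brien) is deliberately not enough to trigger.
SQLI_PATTERNS = {
    "quoted tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "union select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "comment terminator": re.compile(r"(--|/\*)\s*$"),
}


def parse_line(line):
    """Split one access-log line into fields; returns None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    # Decode percent-encoding so the patterns see what the application would see.
    return {"ip": ip, "ts": ts, "method": method,
            "path": unquote(path), "status": int(status)}


def classify(entry, ioc_ips):
    """Return the list of reasons this request is worth a closer look (empty if none)."""
    reasons = [name for name, rx in SQLI_PATTERNS.items() if rx.search(entry["path"])]
    if entry["ip"] in ioc_ips:
        reasons.append("source IP in IoC list")
    return reasons


def hunt(log_text, ioc_ips=IOC_IPS):
    """Scan a block of log text and return the flagged requests with their reasons."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = classify(entry, ioc_ips)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"],
                             "status": entry["status"], "reasons": reasons})
    return findings


def suspects(findings):
    """Count flagged requests per source address; repeats from one IP stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["path"], "->", ", ".join(f["reasons"]))
    print("per-IP hit counts:", suspects(found))
```

The server status codes are carried through because a run of 500 responses paired with injection-shaped parameters from one address is a stronger signal than either alone; the pattern hits are a starting point for review, not a verdict, which is why the legitimate apostrophe in the last sample line is left unflagged.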
