Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

Cybersecurity researchers have discovered a new campaign that’s exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.

The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.

Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.

The intrusion targeted an unnamed media company that had its vulnerable FortiClient EMS device exposed to the internet shortly after the release of a proof-of-concept (PoC) exploit for the flaw on March 21, 2024.

Over the next couple of days, the unknown adversary was observed leveraging the flaw to unsuccessfully download ScreenConnect and then install the remote desktop software using the msiexec utility.

However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit’s Powerfun script and initiated a reverse connection to another IP address.

Also detected were SQL statements designed to download ScreenConnect from a remote domain (“ursketz[.]com”) using certutil, which was then installed via msiexec before establishing connections with a command-and-control (C2) server.

There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using Vietnamese and German languages in their infrastructure.

“The observed activity clearly has a manual component evidenced by all the failed attempts to download and install tools, as well as the relatively long time taken between attempts,” security researcher Sai Molige said.

“This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances.”

Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.

Organizations are recommended to apply patches provided by Fortinet to address potential threats, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.