
Attackers exploiting a FortiClient EMS vulnerability in the wild

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

Kaspersky's GERT team identified an attack exploiting a patched vulnerability (CVE-2023-48788) in FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. The attackers used SQL injection to infiltrate a company's network through an exposed Windows server. They deployed remote access tools like ScreenConnect and AnyDesk, performed network enumeration, credential theft, and defense evasion. The vulnerability allows unauthorized code execution via specially crafted data packets. Multiple threat actors have been observed exploiting this vulnerability globally, targeting various companies and consistently altering ScreenConnect subdomains. The analysis highlights the importance of timely patching and implementing additional security controls to prevent such attacks.

OPENCTI LABELS:

lateral movement, mimikatz, sql injection, credential theft, remote access, screenconnect, forticlient ems, anydesk, cve-2023-48788

