Tuesday, December 17, 2024
HomeCyber Security NewsConnect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

Published on

SIEM as a Service

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.

Dubbed “Connect:fun” by Forescout Research – Vedere Labs, this campaign leverages a critical vulnerability identified as CVE-2023-48788.

The campaign has been active since at least 2022 and has recently been observed exploiting the security management solution with increased vigor.

- Advertisement - SIEM as a Service

The Vulnerability: CVE-2023-48788

CVE-2023-48788 is an SQL injection vulnerability found within Fortinet’s FortiClient EMS. SQL injection is a type of attack that allows an adversary to interfere with an application’s database queries.

It can be used to view data that the attacker cannot normally retrieve, such as user information, or to manipulate database information.

Fortinet published an advisory about this vulnerability on March 12, 2024, and the proof of concept (PoC) for the exploit was made publicly available on March 21, 2024.

This disclosure seemingly acted as a catalyst for increased exploitation attempts by threat actors.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The Connect:fun campaign is particularly notable for its use of ScreenConnect and Powerfun as post-exploitation tools, marking it as Vedere Labs’ first-ever named campaign.

The incident that brought this campaign to light involved a media company whose FortiClient EMS was vulnerable and exposed to the internet.

The attack was not an isolated event. Scanning activity from the IP address 185[.]56[.]83[.]82 was observed targeting FortiClient EMS across various customer networks.

This activity began on March 21 and persisted through several days, indicating a concerted effort by the attackers to exploit the vulnerability across multiple potential victims.

The exploitation of CVE-2023-48788 poses a significant threat to organizations, as it can lead to unauthorized access and control over the FortiClient EMS.

This control can result in further malicious activities, including data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.

Mitigation and Defense Strategies

In response to the Connect:fun campaign, organizations are urged to take immediate action to protect their networks:

  • Apply the Patch: Fortinet has released a patch to address CVE-2023-48788. Organizations should apply this patch without delay to close the vulnerability.
  • Monitor Traffic: It is crucial to monitor the traffic reaching FortiClient EMS for signs of exploitation. An intrusion detection system (IDS) can be instrumental in identifying and responding to malicious activities.
  • Web Application Firewall (WAF): Deploying a WAF can help block potentially malicious requests and provide an additional layer of security.
  • Leverage IoCs and TTPs: Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) shared by cybersecurity researchers can be used to detect and prevent attacks.

Organizations using Fortinet’s FortiClient EMS must take proactive measures to secure their systems against this and other similar threats.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

ConnectOnCall Data Breach, 900,000 Customers Data Exposed

 The healthcare communication platform ConnectOnCall, operated by ConnectOnCall.com, LLC, has confirmed a significant data...

Kali Linux 2024.4 Released – What’s New!

Kali Linux has unveiled its final release for 2024, version Kali Linux 2024.4, packed...

CISA Warns of Adobe & Windows Kernel Driver Vulnerabilities Exploited in Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding two...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Hitachi Authentication Bypass Vulnerability Allows Attackers to Hack the System Remotely

Critical Authentication Bypass Vulnerability Identified in Hitachi Infrastructure Analytics Advisor and Ops Center Analyzer.A...

ConnectOnCall Data Breach, 900,000 Customers Data Exposed

 The healthcare communication platform ConnectOnCall, operated by ConnectOnCall.com, LLC, has confirmed a significant data...

Kali Linux 2024.4 Released – What’s New!

Kali Linux has unveiled its final release for 2024, version Kali Linux 2024.4, packed...