Connect:fun Attacking Organizations Running Fortinet’s FortiClient EMS

A new exploit campaign has emerged, targeting organizations that utilize Fortinet’s FortiClient EMS.

Dubbed “Connect:fun” by Forescout Research – Vedere Labs, this campaign leverages a critical vulnerability identified as CVE-2023-48788.

The campaign has been active since at least 2022 and has recently been observed exploiting the security management solution with increased vigor.

The Vulnerability: CVE-2023-48788

CVE-2023-48788 is an SQL injection vulnerability found within Fortinet’s FortiClient EMS. SQL injection is a type of attack that allows an adversary to interfere with an application’s database queries.

It can be used to view data that the attacker cannot normally retrieve, such as user information, or to manipulate database information.

Fortinet published an advisory about this vulnerability on March 12, 2024, and the proof of concept (PoC) for the exploit was made publicly available on March 21, 2024.

This disclosure seemingly acted as a catalyst for increased exploitation attempts by threat actors.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

The Connect:fun campaign is particularly notable for its use of ScreenConnect and Powerfun as post-exploitation tools, marking it as Vedere Labs’ first-ever named campaign.

The incident that brought this campaign to light involved a media company whose FortiClient EMS was vulnerable and exposed to the internet.

The attack was not an isolated event. Scanning activity from the IP address 185[.]56[.]83[.]82 was observed targeting FortiClient EMS across various customer networks.

This activity began on March 21 and persisted through several days, indicating a concerted effort by the attackers to exploit the vulnerability across multiple potential victims.

The exploitation of CVE-2023-48788 poses a significant threat to organizations, as it can lead to unauthorized access and control over the FortiClient EMS.

This control can result in further malicious activities, including data theft, lateral movement within the network, and potentially a full-scale breach of the organization’s cyber defenses.

Mitigation and Defense Strategies

In response to the Connect:fun campaign, organizations are urged to take immediate action to protect their networks:

  • Apply the Patch: Fortinet has released a patch to address CVE-2023-48788. Organizations should apply this patch without delay to close the vulnerability.
  • Monitor Traffic: It is crucial to monitor the traffic reaching FortiClient EMS for signs of exploitation. An intrusion detection system (IDS) can be instrumental in identifying and responding to malicious activities.
  • Web Application Firewall (WAF): Deploying a WAF can help block potentially malicious requests and provide an additional layer of security.
  • Leverage IoCs and TTPs: Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) shared by cybersecurity researchers can be used to detect and prevent attacks.

Organizations using Fortinet’s FortiClient EMS must take proactive measures to secure their systems against this and other similar threats.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

1 day ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

1 day ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

1 day ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

1 day ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

1 day ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

1 day ago