eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Beginning on March 24th, 2024, eSentire observed a significant increase in exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial access into organizations.
In incidents identified by eSentire, threat actors exploited CVE-2023-48788 for initial access into victim networks. After access was established, threat actors deployed persistence mechanisms, including reverse webshells and the ScreenConnect Remote Monitoring and Management (RMM) tool. Attacks were disrupted before threat actors completed their action on objectives, as such, final payloads have not been identified.
Exploitation of CVE-2023-48788 is now considered to be widespread. Based on observed tactics, the eSentire Threat Intelligence team assesses that it is highly probable, that if not addressed, attacks exploiting the vulnerability will result in ransomware deployment. Due to these considerations, immediate patching is critical, and all potentially impacted devices should be reviewed for signs of compromise.
What we’re doing about it
Recently identified incidents were detected via eSentire MDR for Endpoint, powered by BlueSteel
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2023-48788
Known malicious IP addresses are blocked via the eSentire Global Block List
The eSentire Threat Intelligence team has performed threat hunts across the client base
eSentire’s Threat Response Unit (TRU) is actively reviewing both Proof-of-Concept (PoC) exploit code, and observed incidents, for additional detection opportunities
eSentire released an advisory for CVE-2023-48788 on March 14th
What you should do about it
After performing a business impact review, apply the relevant security patches immediately
CVE-2023-48788 impacts the following versions:
FortiClientEMS 7.2.0 through 7.2.2 (Upgrade to 7.2.3 or above)
FortiClientEMS 7.0.1 through 7.0.10 (Upgrade to 7.0.11 or above)
Any devices that were not patched prior to March 21st, should be reviewed for signs of malicious activity
Consider blocking Remote Monitoring and Management tools, such as ConnectWise ScreenConnect, if they are not legitimately used in your environment
Additional information
CVE-2023-48788 was initially disclosed by Fortinet on March 12th, 2024. On March 21st, Fortinet updated their advisory to add that exploitation in the wild had been observed; no additional details were shared at the time. On the same day, Horizon3.ai released technical details on the vulnerability as well as Proof-of-Concept (PoC) exploit code. The release of PoC exploit code significantly lowers the barriers for vulnerability exploitation and allows even low-skilled threat actors to exploit complex vulnerabilities. As of March 25th, CISA has added CVE-2023-48788 to the Known Exploited Vulnerabilities Catalog; government agencies have been given until April 15th, to ensure all impacted devices are remediated.
RMM tools, including ScreenConnect, are increasingly being misused by threat actors. Ransomware groups, such as LockBit, employ these tools to enable lateral movement and the targeting of downstream customers. These tools are beneficial to threat actors as they are not specifically malicious and are less likely to be detected compared to custom tools. For more information on the abuse of RMM tools by threat actors, see the October 2023 TRU Intelligence Briefing.
Based on eSentire observations, threat actors are now exploiting CVE-2023-48788 and using multiple methods to deliver the ScreenConnect RMM tool. The first method utilizes Windows Installer (MSI) files, PowerShell, and Finger, a client-server application that allows a user to interact with a finger server or “daemon,” to deliver the tool (Figures 1-2). The other method relies solely on an obfuscated PowerShell command to setup a backdoor which ultimately deploys the ScreenConnect tool (Figures 3-6). Figure 5 shows an updated version of Ben Turner’s & Dave Hardy’s Powerfun Script. A very similar script was observed by The DFIR Report in their article titled From ScreenConnect to Hive Ransomware in 61 hours. While eSentire has not observed ransomware deployment, as a result of CVE-2023-48788 exploitation, Fortinet vulnerabilities have been a common initial access vector for ransomware groups.
Figure 1. Fortinet FortiClientEMS (FcmDaemon.exe) accepted multiple connections from a threat actor-controlled IP Figure 2. Post Compromise activity leading to ScreenConnect DeploymentFigure 3. Exploitation leading to the execution of an obfuscated PowerShell CommandFigure 4. Obfuscated PowerShell CommandFigure 5. Deobfuscated PowerShell CommandFigure 6. PowerShell leading to the deployment of ScreenConnect
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
