Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

The Hacker News by The Hacker News
December 20, 2024
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 20, 2024Ravie LakshmananVulnerability / Cyber Attack

A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.

The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company’s Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.

Cybersecurity

“The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN,” it said in a Thursday analysis.

Further analysis of the incident found that the threat actors took advantage of CVE-2023-48788 as an initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.

“After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool,” Kaspersky said.

Some of the other notable tools dropped over the course of the attack are listed below –

  • webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 – 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
  • Mimikatz
  • netpass64.exe, a password recovery tool
  • netscan.exe, a network scanner

The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).

Cybersecurity

Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to “collect responses from vulnerable targets” during a scan of a system susceptible to the flaw.

The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.

“The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity,” the researchers said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Interview: Wendy Redshaw, chief digital information officer, NatWest Retail Bank | Computer Weekly

Interview: Wendy Redshaw, chief digital information officer, NatWest Retail Bank | Computer Weekly

Recommended.

Brazílske ministerstvo školstva, UNESCO a Huawei spúšťajú projekty digitálnej transformácie otvorených škôl v Bahia a Pará

Brazílske ministerstvo školstva, UNESCO a Huawei spúšťajú projekty digitálnej transformácie otvorených škôl v Bahia a Pará

September 12, 2025
Nutanix Strikes Product Deals With Nvidia, Pure Storage, Cisco In Latest VMware Salvo

Nutanix Strikes Product Deals With Nvidia, Pure Storage, Cisco In Latest VMware Salvo

May 7, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio