Date: December 26, 2024
Author: Impress IT Solutions

Critical Fortinet EMS Vulnerability

A recently patched critical security flaw in Fortinet FortiClient EMS has been exploited by malicious actors in a cyber campaign involving the installation of remote desktop software such as AnyDesk and ScreenConnect. Impress IT Solutions, a leading IT provider in Houston, is here to help businesses safeguard against such vulnerabilities and ensure robust cybersecurity measures.

The vulnerability, identified as CVE-2023-48788 (CVSS score: 9.3), is an SQL injection bug that enables attackers to execute unauthorized code or commands by sending specially crafted data packets. This flaw underscores the critical importance of regular system updates and proactive vulnerability management.

What Happened?

According to cybersecurity reports, an attack in October 2024 targeted a Windows server exposed to the internet with open ports associated with FortiClient EMS. This technology is often used to enable employees to download specific policies to their corporate devices, providing secure access to the Fortinet VPN.

Once the attackers exploited CVE-2023-48788, they deployed ScreenConnect to gain remote access to the compromised system. Following this, additional payloads were uploaded to facilitate discovery and lateral movement activities. These activities included:

  • Enumerating network resources.
  • Attempting to obtain credentials.
  • Performing defense evasion techniques.
  • Establishing persistence using AnyDesk.

Tools Used in the Attack

Some of the tools deployed during the attack included:

  • webbrowserpassview.exe: A password recovery tool for browsers like Internet Explorer, Firefox, Chrome, Safari, and Opera.
  • Mimikatz: A well-known credential harvesting tool.
  • netpass64.exe: A network password recovery tool.
  • netscan.exe: A network scanner.

Geographic Spread of Attacks

The campaign has targeted organizations across the globe, including Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the UAE. The attackers leveraged different ScreenConnect subdomains to conduct their operations.

Lessons Learned and Action Steps

Impress IT Solutions emphasizes the importance of proactive cybersecurity measures to defend against such sophisticated attacks. Here are key takeaways and steps for Houston businesses:

  1. Patch Management: Ensure all software, especially critical systems like FortiClient EMS, is updated with the latest security patches.
  2. Network Monitoring: Continuously monitor network traffic for suspicious activities, such as unauthorized remote access attempts.
  3. Endpoint Security: Implement robust endpoint security solutions to prevent unauthorized access and detect malicious payloads.
  4. Employee Training: Educate staff about cybersecurity best practices, including recognizing phishing attempts and reporting anomalies.
  5. Incident Response Plan: Develop and regularly update an incident response plan to quickly mitigate the impact of a cyber attack.

How Impress IT Solutions Can Help

At Impress IT Solutions, we specialize in providing comprehensive IT support and cybersecurity solutions tailored to businesses in Houston. Our services include:

  • Vulnerability assessments and patch management.
  • 24/7 network monitoring and threat detection.
  • Endpoint protection and advanced threat response.
  • Employee cybersecurity training programs.
  • Customized incident response planning.

Stay Ahead of Cyber Threats

The exploitation of CVE-2023-48788 highlights the evolving tactics of cybercriminals. With Impress IT Solutions as your trusted IT partner, you can focus on growing your business while we handle your cybersecurity needs. Contact us today to learn how we can protect your organization from emerging threats.

 

FREE EXECUTIVE REPORT

Cyber Incident Prevention Best Practices For
Your Small Business