How Attackers Exploit Patched Vulnerability in FortiClient EMS

    Date: 1/1/2025

    Severity: High

    Summary

    Our team recently uncovered attacker tactics linked to a vulnerability in Fortinet products, which has already been patched. The flaw involves improper filtering of SQL command input, enabling SQL injection. CVE-2023-48788 impacts FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Successful exploitation allows attackers to execute arbitrary code or commands via crafted data packets.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    infinity.screenconnect.com

    kle.screenconnect.com

    trembly.screenconnect.com

    corsmich.screenconnect.com

    https://sipaco2.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://trembly.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://corsmich.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://myleka.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://petit.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://lindeman.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://sorina.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://kle.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://solarnyx2410150445.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://allwebemails1.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    https://web-r6hl0n.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest

    http://185.196.9.31:8080/bd7OZy3uMQL-YabI8FHeRw

    http://148.251.53.222:14443/SETUP.MSI

    https://webhook.site/7ece827e-d440-46fd-9b22-cc9a01db03c8

    https://webhook.site/d0f4440c-927c-460a-a543-50d4fc87c8a4

    http://185.216.70.170/OO.BAT

    http://185.216.70.170/HELLO

    http://185.216.70.170/A

    http://185.216.70.170

    http://185.216.70.170/oo.bat

    http://185.216.70.170/hello

    http://185.216.70.170/sos.txt

    http://185.216.70.170/72.bat

    http://206.206.77.33:8080/xeY_J7tYzjajqYj4MbtB0wqvmlaztyjogwgkikmknv2ch3t5yhb6vw4.oast.fun

    http://5.61.59.201:8080/FlNOfGPkOL4qc_gYuWeEYQ%TEMP%\gfLQPbNLYYYh.exe

    http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\FaLNkAQGOe.exe

    http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\QgCNsJRB.exe

    https://www.lidahtoto2.com/assets/im.ps1

    http://87.120.125.55:8080/BW_qY1OFZRv7iNiY_nOTFQ%TEMP%\EdgouRkWzLsK.exe

    IP Addresses:

    45.141.84.45

    185.216.70.170:1337

    Hashes (SHA-1):

    8cfd968741a7c8ec2dcbe0f5333674025e6be1dc
    
    441a52f0112da187244eeec5b24a79f40cc17d47
    
    746710470586076bb0757e0b3875de9c90202be2
    
    bc29888042d03fe0ffb57fc116585e992a4fdb9b
    
    73f8e5c17b49b9f2703fed59cc2be77239e904f7
    
    841fff3a36d82c14b044da26967eb2a8f61175a8
    
    34162aaf41c08f0de2f888728b7f4dc2a43b50ec
    
    cf1ca6c7f818e72454c923fea7824a8f6930cb08
    
    e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69
    
    59e1322440b4601d614277fe9092902b6ca471c2
    
    75ebd5bab5e2707d4533579a34d983b65af5ec7f
    
    83cff3719c7799a3e27a567042e861106f33bb19
    
    44b83dd83d189f19e54700a288035be8aa7c8672
    
    8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs 1:

    userdomainname like "https://www.lidahtoto2.com/assets/im.ps1" or url like "https://www.lidahtoto2.com/assets/im.ps1" or userdomainname like "https://allwebemails1.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://allwebemails1.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://petit.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://petit.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://webhook.site/d0f4440c-927c-460a-a543-50d4fc87c8a4" or url like "https://webhook.site/d0f4440c-927c-460a-a543-50d4fc87c8a4" or userdomainname like "http://185.216.70.170/hello" or url like "http://185.216.70.170/hello" or userdomainname like "http://185.216.70.170/OO.BAT" or url like "http://185.216.70.170/OO.BAT" or userdomainname like "http://185.216.70.170/A" or url like "http://185.216.70.170/A" or userdomainname like "https://web-r6hl0n.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://web-r6hl0n.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "http://185.216.70.170/72.bat" or url like "http://185.216.70.170/72.bat" or userdomainname like "http://185.196.9.31:8080/bd7OZy3uMQL-YabI8FHeRw" or url like "http://185.196.9.31:8080/bd7OZy3uMQL-YabI8FHeRw" or userdomainname like "https://sipaco2.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://sipaco2.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "http://185.216.70.170/HELLO" or url like "http://185.216.70.170/HELLO" or userdomainname like "https://lindeman.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://lindeman.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://sorina.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://sorina.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "http://185.216.70.170/sos.txt" or url like "http://185.216.70.170/sos.txt" or userdomainname like "https://kle.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://kle.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest"

    Domains / URLs 2:

    userdomainname like "infinity.screenconnect.com" or url like "infinity.screenconnect.com" or userdomainname like "kle.screenconnect.com" or url like "kle.screenconnect.com" or userdomainname like "trembly.screenconnect.com" or url like "trembly.screenconnect.com" or userdomainname like "corsmich.screenconnect.com" or url like "corsmich.screenconnect.com" or userdomainname like "https://trembly.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://trembly.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://corsmich.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://corsmich.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://myleka.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://myleka.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "https://solarnyx2410150445.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or url like "https://solarnyx2410150445.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest" or userdomainname like "http://148.251.53.222:14443/SETUP.MSI" or url like "http://148.251.53.222:14443/SETUP.MSI" or userdomainname like "https://webhook.site/7ece827e-d440-46fd-9b22-cc9a01db03c8" or url like "https://webhook.site/7ece827e-d440-46fd-9b22-cc9a01db03c8" or userdomainname like "http://185.216.70.170" or url like "http://185.216.70.170" or userdomainname like "http://206.206.77.33:8080/xeY_J7tYzjajqYj4MbtB0wqvmlaztyjogwgkikmknv2ch3t5yhb6vw4.oast.fun" or url like "http://206.206.77.33:8080/xeY_J7tYzjajqYj4MbtB0wqvmlaztyjogwgkikmknv2ch3t5yhb6vw4.oast.fun" or userdomainname like "http://5.61.59.201:8080/FlNOfGPkOL4qc_gYuWeEYQ" or url like "http://5.61.59.201:8080/FlNOfGPkOL4qc_gYuWeEYQ" or userdomainname like "http://5.61.59.201:8080/FlNOfGPkOL4qc_gYuWeEYQ%TEMP%\gfLQPbNLYYYh.exe" or url like "http://5.61.59.201:8080/FlNOfGPkOL4qc_gYuWeEYQ%TEMP%\gfLQPbNLYYYh.exe" or userdomainname like "http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\FaLNkAQGOe.exe" or url like "http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\FaLNkAQGOe.exe" or userdomainname like "http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\QgCNsJRB.exe" or url like "http://5.61.59.201:8080/7k9XBvjahnQK09abSc8SpA%TEMP%\QgCNsJRB.exe" or userdomainname like "http://87.120.125.55:8080/BW_qY1OFZRv7iNiY_nOTFQ%TEMP%\EdgouRkWzLsK.exe" or url like "http://87.120.125.55:8080/BW_qY1OFZRv7iNiY_nOTFQ%TEMP%\EdgouRkWzLsK.exe"

    IP Addresses:

    dstipaddress IN ("45.141.84.45","185.216.70.170") or ipaddress IN ("45.141.84.45","185.216.70.170") or publicipaddress IN ("45.141.84.45","185.216.70.170") or srcipaddress IN ("45.141.84.45","185.216.70.170")

    Hashes (SHA-1):

    sha1hash IN ("73f8e5c17b49b9f2703fed59cc2be77239e904f7","8834f7ab3d4aa5fb14d851c7790e1a6812ea4ca8","e3b6ea8c46fa831cec6f235a5cf48b38a4ae8d69","cf1ca6c7f818e72454c923fea7824a8f6930cb08","bc29888042d03fe0ffb57fc116585e992a4fdb9b","8cfd968741a7c8ec2dcbe0f5333674025e6be1dc","75ebd5bab5e2707d4533579a34d983b65af5ec7f","746710470586076bb0757e0b3875de9c90202be2","441a52f0112da187244eeec5b24a79f40cc17d47","841fff3a36d82c14b044da26967eb2a8f61175a8","34162aaf41c08f0de2f888728b7f4dc2a43b50ec","59e1322440b4601d614277fe9092902b6ca471c2","83cff3719c7799a3e27a567042e861106f33bb19","44b83dd83d189f19e54700a288035be8aa7c8672")
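    The TDIR queries above match indicators verbatim, while the IOC list itself carries case variants of the same path (OO.BAT and oo.bat) and an IP with a port suffix (185.216.70.170:1337) that the IP query drops. The following Python matcher, an added example and not Gurucul's query or code, shows how to apply the same indicators offline to log records with that normalisation in place: URLs are compared case-folded, the host is extracted from each URL so a bare domain or IP indicator also fires on a full URL, and a trailing IPv4 port is stripped. It uses a subset of the advisory's indicators, borrows the field names from the queries above (url, userdomainname, dstipaddress, sha1hash, and so on), and runs over constructed sample records that are not from the advisory; the record for a non-listed screenconnect.com tenant is there to show that only the listed tenants hit, since ScreenConnect itself is a legitimate remote-access product.

```python
"""Offline IOC matcher for the indicators in this advisory (added example)."""
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC list (subset), stored lowercase.
IOC_DOMAINS = {
    "infinity.screenconnect.com",
    "kle.screenconnect.com",
    "trembly.screenconnect.com",
    "corsmich.screenconnect.com",
}
IOC_URLS = {
    "https://kle.screenconnect.com/bin/screenconnect.clientsetup.exe?e=access&y=guest",
    "https://www.lidahtoto2.com/assets/im.ps1",
    "http://185.216.70.170/oo.bat",
    "http://185.216.70.170/72.bat",
    "http://148.251.53.222:14443/setup.msi",
}
IOC_IPS = {"45.141.84.45", "185.216.70.170"}
IOC_SHA1 = {
    "8cfd968741a7c8ec2dcbe0f5333674025e6be1dc",
    "441a52f0112da187244eeec5b24a79f40cc17d47",
    "746710470586076bb0757e0b3875de9c90202be2",
}

# Log field names mirror the TDIR queries in the advisory.
URL_FIELDS = ("url", "userdomainname")
IP_FIELDS = ("dstipaddress", "srcipaddress", "ipaddress", "publicipaddress")
HASH_FIELDS = ("sha1hash",)


def host_of(value):
    """Lowercase host of a URL or bare hostname, with any port removed."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # make urlparse treat a bare host as the netloc
    return (urlparse(value).hostname or "").lower()


def strip_port(ip):
    """'185.216.70.170:1337' -> '185.216.70.170' (IPv4 only; IPv6 not handled)."""
    host, sep, port = ip.strip().partition(":")
    return host if (sep and port.isdigit()) else ip.strip()


def match_record(record):
    """Return a sorted list of (ioc_type, indicator) pairs the record hits."""
    hits = set()
    for field in URL_FIELDS:
        raw = record.get(field)
        if not raw:
            continue
        if raw.strip().lower() in IOC_URLS:        # full-URL match, case-folded
            hits.add(("url", raw.strip().lower()))
        host = host_of(raw)
        if host in IOC_DOMAINS:                    # bare-domain indicator on a full URL
            hits.add(("domain", host))
        if host in IOC_IPS:                        # IP indicator used as a URL host
            hits.add(("ip", host))
    for field in IP_FIELDS:
        raw = record.get(field)
        if raw and strip_port(raw) in IOC_IPS:
            hits.add(("ip", strip_port(raw)))
    for field in HASH_FIELDS:
        raw = record.get(field)
        if raw and raw.strip().lower() in IOC_SHA1:
            hits.add(("sha1", raw.strip().lower()))
    return sorted(hits)


def scan(records):
    """Return [(record_index, ioc_type, indicator), ...] for every hit."""
    return [(i, t, v) for i, rec in enumerate(records) for t, v in match_record(rec)]


# Constructed sample records (not from the advisory); 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"url": "https://KLE.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest",
     "dstipaddress": "203.0.113.10"},
    {"url": "http://185.216.70.170/OO.BAT", "dstipaddress": "185.216.70.170:1337"},
    {"sha1hash": "8CFD968741A7C8EC2DCBE0F5333674025E6BE1DC"},
    {"url": "https://legit.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe",
     "dstipaddress": "203.0.113.20"},  # non-listed tenant: must not hit
]

if __name__ == "__main__":
    for idx, ioc_type, value in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {ioc_type} -> {value}")
```

The second sample record yields one url hit and one ip hit even though the IP appears twice (as the URL host and as dstipaddress with a port), because hits are collected in a set; the last record yields nothing. Extending the sets at the top to the full IOC list is the only change needed to cover every indicator on this page.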

    Reference:

    https://securelist.ru/patched-forticlient-ems-vulnerability-exploited-in-the-wild/111437/


    Tags: Malware, CVE-2023, Exploit, Fortinet
