Critical Fortinet Vulnerability Exploited: Hackers Deploy Remote Control Tools and Backdoors

Security researchers at Red Canary have uncovered a worrying campaign targeting a recently patched vulnerability (CVE-2023-48788) in Fortinet’s FortiClient Enterprise Management System (EMS). This flaw, if unpatched, allows attackers to remotely execute code on vulnerable systems with full administrative rights.

At the heart of these attacks lies CVE-2023-48788, a vulnerability within the Fortinet FortiClient EMS, a security management solution pivotal in administering FortiClient VPN systems. Unauthenticated users can exploit this flaw to execute SYSTEM-level commands through specially crafted messages, enabling a wide range of malicious activities.

Red Canary’s observations have shed light on a consistent pattern of exploitation. It begins with external network connections targeting the FCMdaemon process of the FortiClient EMS application, leading to SQL injection and the execution of arbitrary commands via cmd.exe. This vulnerability opens the door for adversaries to deploy Remote Monitoring and Management (RMM) tools or PowerShell-based backdoors, commandeering the compromised systems with SYSTEM-level permissions.

Adversaries capitalize on the robust functionalities of RMM tools, such as Atera and ScreenConnect, for malicious purposes. These tools, under normal circumstances, facilitate remote operations and maintenance tasks within an organizational framework. However, in the hands of cybercriminals, they become potent instruments for remote control and execution of further malicious activities, all while maintaining an illusion of legitimacy.

In response to this threat, Fortinet has released a virtual patch to mitigate the risks associated with CVE-2023-48788. Organizations are urged to update their FortiClient EMS installations to close off this vulnerability. The recommended patch, “FG-VD-54509.0day:FortiClientEMS.DAS.SQL.Injection,” targets specific versions of FortiClient EMS identified as vulnerable.

For entities unable to immediately apply the patch or seeking additional layers of security, Red Canary suggests several detection strategies:

• Monitoring Inbound Network Connections: Keep an eye on inbound network connections to FCMdaemon.exe, especially from unknown external IP addresses.
• Identifying Suspicious PowerShell Activity: Watch for unusual PowerShell processes, particularly those spawning from cmd.exe with sqlservr.exe as a parent process.
• Detecting Abuse of PowerShell’s Invoke-WebRequest Cmdlet: Be alert to the misuse of the Invoke-WebRequest cmdlet to download .msi files from external sources.
• Regulating Unauthorized RMM Tools: Employ application controls like allowlisting and blocklisting to prevent the operation of unauthorized RMM tools within the network.