Organizations in Brazil, Peru, France, Spain, Switzerland, Croatia, Namibia, India, Turkey, Mongolia, Indonesia, and the United Arab Emirates have been targeted in attacks against Fortinet FortiClient EMS instances affected by the critical SQL injection vulnerability tracked as CVE-2023-48788, which attackers exploited to deploy remote desktop software, according to The Hacker News.
Threat actors leveraged the flaw to compromise an unnamed organization's internet-exposed Windows system with a ScreenConnect executable, which in turn enabled the remote deployment of the webbrowserpassview.exe and netpass64.exe password recovery tools, a Mimikatz executable, the netscann.exe network scanner, and AnyDesk, used for credential theft, network enumeration, and remote control, an analysis from Kaspersky revealed. Other intrusions involving the flaw sought to execute a PowerShell script that gathered data from at-risk targets. "The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity," said researchers.