Threat actors have been discovered exploiting a Fortinet Forticlient EMS vulnerability (CVE-2023-48788) to install unauthorized Remote Monitoring and Management (RMM) tools and PowerShell backdoors on targeted systems.
This article will explain the vulnerability, offer suggestions for mitigation, and provide recommendations for enhancing cybersecurity practices.
Understanding the Threat
In March 2024, Fortinet addressed CVE-2023-48788, a critical vulnerability (9.8 severity) affecting Forticlient EMS versions 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10. Attackers exploiting this vulnerability can execute commands with SYSTEM privileges using specially crafted messages via SQL injection attacks on Forticlient EMS applications. Once connected, attackers use PowerShell Invoke-WebRequest cmdlets to download Windows installer files containing Remote Monitoring and Management tools, followed by launching these tools using msiexec.exe processes.
Mitigation Steps
To prevent falling victim to this vulnerability, follow these steps:
- Upgrade: Upgrade your Forticlient EMS application to the latest version available.
- Monitor Connections: Look for connections from unknown external IP addresses to the FCMdaemon process on your EMS clients.
- Monitor Processes: Watch for PowerShell processes that spawn cmd.exe with sqlserver.exe as a parent process.
- Check Patterns: Keep an eye out for patterns using Invoke-WebRequest to download MSI files from external network addresses.
- Implement Allowlist/Blocklist: Utilize allowlists or blocklists to control authorized RMM tools installation in your environment.
Additional Cybersecurity Best Practices
While addressing the Fortinet vulnerability is essential, implementing broader cybersecurity measures is equally crucial. Consider the following recommendations:
- Patch Management: Regularly update software applications, systems, and devices to ensure they run the latest security patches and bug fixes.
- Employee Training: Educate employees about recognizing phishing attempts, strong password creation, and safe browsing habits.
- Multi-Factor Authentication: Enforce multi-factor authentication wherever feasible to add an extra layer of protection against unauthorized access.
- Incident Response Plan: Develop a comprehensive incident response plan detailing steps to take in case of a cybersecurity event.
- Regular Auditing: Perform regular audits to identify vulnerabilities and weaknesses in your IT infrastructure.
Threat actors constantly search for new ways to exploit vulnerabilities, putting businesses worldwide at risk. Addressing the Fortinet vulnerability is vital, but a comprehensive cybersecurity strategy requires ongoing vigilance and proactive measures. Implement best practices like patch management, employee training, multi-factor authentication, incident response planning, and regular audits to safeguard your organization against evolving threats.
