Attackers exploiting a patched FortiClient EMS vulnerability in the wild
Introduction
During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. This vulnerability is an improper filtering of SQL command input making the system susceptible to an SQL injection. It specifically affects Fortinet FortiClient EMS versions 7.0.1 to 7.0.10 and 7.2.0 to 7.2.2. When successfully exploited, this vulnerability allows attackers to execute unauthorized code or commands by sending specially crafted data packets. The affected system was a Windows server exposed to the internet, with only two ports open. The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN. Open ports exposed to the Internet
Identification and containment
In October 2024, telemetry alerts from our MDR technology revealed attempts by an internal IP address to access registry hives via an admin account on a customer’s Windows server. The IP address where the requests originated was part of the customer’s network but it was not covered by the MDR solution according to the customer’s assessment. These attempts also targeted administrative shares, including the following. \\192.168.X.X\C$\Users;
\\192.168.X.X\C$\;
\\192.168.X.X\IPC$\srvsvc;
\\192.168.X.X\IPC$\svcctl;
\\192.168.X.X \IPC$\winreg;
\\192.168.X.X \ADMIN$\SYSTEM32\WqgLtykM.tmp;
\\192.168.X.X \C$\Windows\System32\Microsoft\Protect\DPAPI Master Keys;
\\192.168.X.X \C$\Windows\System32\Microsoft\Protect\User Keys;
\\192.168.X.X \C$\Windows\System32\Microsoft\Protect\Protected Credentials.