2024-03-24-thru-26-IOCs-for-Fortnet-EMS-exploit-activity.txt
2024-03-24 (SUNDAY) THROUGH 2024-03-26 (TUESDAY): FORTINET EXPLOITATION LEADS TO ATERA, SCREENCONNECT AND METERPRETER
REFERENCES:
- https://www.linkedin.com/posts/unit42_atera-screenconnect-meterpreter-activity-7179196571689922560-tgvm
- https://twitter.com/Unit42_Intel/status/1773430931044368681
NOTES:
- Unit 42 Managed Services spotted active exploitation of CVE-2023-48788, the recently disclosed SQL injection vulnerability in FortiClient EMS.
- This activity led to unauthorized installations of Atera Agent, ScreenConnect Client and Meterpreter on the exploited EMS hosts.
- Details follow.
---------------------------------------------------------
2024-03-24 (SUNDAY) FORTINET EXPLOITATION LEADS TO ATERA:
---------------------------------------------------------
ASSOCIATED FILE:
- SHA256 hash: bd6bb6687318160d203eeb3e656f936b502557202c2054310768c560ba7e7822
- File size: 2,994,176 bytes
- File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, ...
- File Description: Customized MSI installer for Atera Agent
- Location: hxxp[:]//055[.]14942165:20201/setup.msi <-- non-standard IPv4 literal (octal first octet, decimal dword for the remaining three bytes) that inet_aton() accepts; translates to: hxxp[:]//45.227.255[.]213:20201/setup.msi
- Location: hxxp[:]//68[.]178.202.116:29742/qpPE2ARqGy/setup.msi
ADDITIONAL DOMAIN ASSOCIATED WITH THIS ACTIVITY:
- jxqmwbgxygkyftpxykdk8cfkq1hy371pz.oast[.]fun <-- oast.fun is an Interactsh out-of-band callback domain; a random subdomain like this is typically used to confirm that an exploit attempt fired
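The Atera download URL above hides the server behind 055.14942165 rather than a dotted quad, which defeats naive IP matching in proxy logs and blocklists. The following is an added example, not part of the original IOC list, that normalises such literals by re-implementing the classic BSD inet_aton() rules (1 to 4 dot-separated parts; decimal, octal with leading 0, or hex with leading 0x; the last part widened to fill the remaining bytes) so the result does not depend on the host libc. It also accepts defanged input (hxxp, [.] and [:]); the refang and URL helper names are this example's own.

```python
"""Normalise legacy inet_aton()-style IPv4 literals to dotted-quad form.

Added example for the IOC list above, not code from the original page.
"""
import re
from typing import Optional

# One part of a legacy literal: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

# Host portion of an http(s) URL: everything up to the first '/' or ':'.
_HOST = re.compile(r"^(https?://)([^/:]+)(.*)$", re.IGNORECASE)


def refang(s: str) -> str:
    """Undo the hxxp / [.] / [:] defanging used in the IOC list."""
    return s.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def _parse_part(p: str) -> int:
    if p.lower().startswith("0x"):
        return int(p, 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def inet_aton_legacy(literal: str) -> Optional[str]:
    """Return the dotted quad for a BSD inet_aton()-style literal, or None.

    Accepts 1-4 parts. Every part but the last must fit in one byte; the
    last part fills whatever bytes remain (3 bytes for 'a.b', 4 for 'n').
    Hostnames and malformed literals return None.
    """
    parts = refang(literal.strip()).split(".")
    if not 1 <= len(parts) <= 4:
        return None
    if not all(_PART.match(p) for p in parts):
        return None
    vals = [_parse_part(p) for p in parts]
    if any(v > 0xFF for v in vals[:-1]):
        return None
    width = 4 - (len(vals) - 1)          # bytes covered by the last part
    if vals[-1] >= 1 << (8 * width):
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * width)) | vals[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def canonicalise_url_host(url: str) -> str:
    """Refang a URL and rewrite a legacy IP-literal host to dotted quad.

    URLs whose host is a name (or already canonical) come back refanged
    but otherwise unchanged, so the function is safe to run over a whole
    proxy log column before matching against the indicators above.
    """
    url = refang(url.strip())
    m = _HOST.match(url)
    if not m:
        return url
    scheme, host, rest = m.groups()
    canon = inet_aton_legacy(host)
    return f"{scheme}{canon}{rest}" if canon else url


if __name__ == "__main__":
    for u in ("hxxp[:]//055[.]14942165:20201/setup.msi",
              "hxxp[:]//68[.]178.202.116:29742/qpPE2ARqGy/setup.msi",
              "hxxps[:]//ursketz[.]com/bin/voltaire.msi"):
        print(u, "->", canonicalise_url_host(u))
```

The same 45.227.255.213 can be spelled 0x2d.0xe3ffd5 or as the single decimal 769916885; all three forms are reduced to one string, which is what you want before comparing against a blocklist.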
-----------------------------------------------------------------
2024-03-25 (MONDAY) FORTINET EXPLOITATION LEADS TO SCREENCONNECT:
-----------------------------------------------------------------
ASSOCIATED FILE:
- SHA256 hash: 8ef318fa5dba85344f79f7e4a7b022d09d99bbd36d5e8aa5353018c867e85b2c
- File size: 9,342,976 bytes
- File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, ...
- File Description: Customized MSI installer for ScreenConnect Client
- File location: hxxps[:]//ursketz[.]com/bin/voltaire.msi
TRAFFIC SEEN AFTER RUNNING THE MSI INSTALLER:
- 45[.]77.160.195 port 443 - encrypted/encoded TCP traffic
----------------------------------------------------------------
2024-03-26 (TUESDAY) FORTINET EXPLOITATION LEADS TO METERPRETER:
----------------------------------------------------------------
ASSOCIATED FILE:
- SHA256 hash: 6558bbd0e08a187d17d7c2e1ba2a31080a86961a5a0c5c60babacf40f1dedade
- File size: 113,152 bytes
- File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- File Description: 64-bit DLL for Meterpreter
- File location: hxxps[:]//ursketz[.]com/bin/1.css
- File location: C:\Windows\Temp\2fd.dll
- Run method: rundll32 [filename],nja8djvbng
TRAFFIC SEEN AFTER RUNNING THE METERPRETER DLL:
- 216.245.184[.]86 port 443 - unknown traffic (at the time of analysis only attempted TCP connections, with no response from the server).
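The Meterpreter stage above is launched as rundll32 against a DLL dropped in C:\Windows\Temp and called through an export with a random-looking name. Two of those traits (a module loaded from a user-writable directory, and a module fetched under a non-.dll name such as 1.css) are cheap to check in process-creation telemetry. The following is an added example, not part of the original IOC list: it parses rundll32 command lines into module path and export name and flags those two conditions. The event records are constructed for illustration (the Computer and CommandLine field names mirror Sysmon event ID 1 / Security event 4688 but are this example's assumption), and the prefix list of writable directories is a starting point, not a complete one.

```python
r"""Flag rundll32 invocations that load a module from a user-writable
directory or from a file without a .dll extension, as in
    rundll32 C:\Windows\Temp\2fd.dll,nja8djvbng

Added example for the IOC list above, not code from the original page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lower-cased path prefixes an attacker can write to without admin rights,
# plus the world-writable C:\Windows\Temp used in this intrusion. Assumption:
# extend for your environment (e.g. additional drive letters, shares).
USER_WRITABLE_PREFIXES = (
    "c:\\windows\\temp\\",
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\perflogs\\",
)

# rundll32 image (quoted or bare, with or without path), then the module
# path (quoted or bare, bare path ends at whitespace or comma), then an
# optional export separated by a comma or whitespace.
_RUNDLL32 = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^\s,]+))'
    r'(?:\s*,\s*|\s+)?(?P<export>[^\s,]+)?',
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (module_path, export_or_None) for a rundll32 command line, else None."""
    m = _RUNDLL32.match(cmdline)
    if not m:
        return None
    return (m.group("qpath") or m.group("path")), m.group("export")


def assess_rundll32(cmdline: str) -> List[str]:
    """Return the list of reasons a rundll32 command line looks suspicious ([] if none)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    path, _export = parsed
    low = path.lower()
    reasons = []
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"module loaded from user-writable path: {path}")
    if not low.endswith(".dll"):
        reasons.append(f"module does not carry a .dll extension: {path}")
    return reasons


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run assess_rundll32 over process-creation records and return the hits."""
    hits = []
    for ev in events:
        reasons = assess_rundll32(ev["CommandLine"])
        if reasons:
            hits.append({"host": ev["Computer"], "cmd": ev["CommandLine"], "reasons": reasons})
    return hits


# Constructed sample telemetry, not records from the incident.
SAMPLE_EVENTS = [
    {"Computer": "EMS-SRV01",
     "CommandLine": r"rundll32 C:\Windows\Temp\2fd.dll,nja8djvbng"},
    {"Computer": "WS-042",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Computer": "WS-042",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\update\helper.css",Start'},
    {"Computer": "EMS-SRV01",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\setup.msi /qn"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["host"], "|", hit["cmd"])
        for reason in hit["reasons"]:
            print("    ", reason)
```

Expect false positives from legitimate installers that stage DLLs under %TEMP%; pair the rule with the parent process (for an EMS server, a rundll32 child of anything other than the expected installer chain deserves a look) and with the file hash, which for the sample above is the 6558bbd0... value listed.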