FortiClientEMS Vulnerability, Akira Ransomware, and Gootloader: The Blackpoint SOC’s Week in Review for March 29, 2024

The Blackpoint SOC’s Week in Review for March 29, 2024

Between March 20-27, 2024, Blackpoint’s Security Operations Center (SOC) responded to 173 total incidents. These incidents included 18 on-premises MDR incidents, three (3) Cloud Response for Google Workspace, and 152 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents – including why they’re important for defenders to account for now, as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

FortiClientEMS CVE 2023-48788 Incident with Healthcare Partner on March 23, 2024

Topline Takeaways

  • Date of incident: March 23, 2024
  • Industry target: Healthcare
  • Relevant attacker information:
    • FortiClientEMS
    • CVE-2023-48788 (CVE Score 9.8)
    • Finger[.]exe
  • Blackpoint SOC actions:
    • Proactively disabled highly targeted programs, systems, and endpoint(s)
    • Contacted client about the incident, and provided additional remediation.
  • Why this incident matters to you:
    • The Adversary Pursuit Group (APG) predicts that it is likely (55-80%) that threat actors will continue to use FortiClientEMS and other parts of the Fortinet ecosystem to exploit other healthcare organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Patch immediately!
    • Regularly audit both environment and endpoints
    • Multifactor authentication (MFA)
    • Heuristics-based network activity monitoring

FortiClientEMS CVE-2023-48788 Incident Timeline for March 23, 2024

5:37 p.m. EST: Blackpoint’s MDR alerted to malicious activity.

  • 5:45 p.m. EST: An MDR analyst began investigating.
  • 5:48 p.m. EST: They isolated the infected endpoint from all external and internal communications.
  • 5:52 p.m. EST: The MDR analyst spoke to the healthcare partner about the incident and provided additional remediation steps.

What happened?

Last Saturday, the Blackpoint SOC alerted to the usage of “finger[.]exe” on a server of a Healthcare partner.

Further analysis identified that the threat actor likely breached the server via CVE-2023-48788, a SQL injection vulnerability affecting Fortinet’s FortiClient Endpoint Management Server (EMS).

The threat actor then attempted to connect to their command and control (C2) server in Africa – likely to download additional tools and malware payloads.

A Blackpoint SOC analyst isolated the device – cutting off the attacker’s attempted C2 communication and prevent lateral spread within the healthcare partner’s network – before reaching out to the partner regarding the security incident.

 

What is FortiClientEMS?

Fortinet’s FortiClientEMS product is an endpoint management system that can be used as a virtual private network (VPN) or an antivirus (AV) service.

FortiClient consists of:

  • The main service component, responsible for communicating with enrolled clients,
  • The data access server, responsible for translating requests from various other server components, and
  • The endpoint clients.

How often will FortiClientEMS Vulnerability CVE-2023-48788 be used by threat actors in 2024?

The APG predicts that threat actors will continue to use FortiClientEMS Vulnerability CVE-2023-48788 over the next 12 months, as well as other Fortinet product vulnerabilities.

We base this assessment on the overall Fortinet product portfolio’s capabilities and popularity, which make the entire stack an attractive target for threat actors. The Fortinet platform:

  • Features functionality critical to infrastructure admins and end users, making its adoption widespread by potential victim organizations,
  • Accesses wide areas of the network, with operations running undetected by the average end user, and
  • Offers attackers a single point of failure from which to proliferate throughout the target ecosystem for economies of scale.

By compromising Fortinet products, threat actors are able to potentially:

  • Steal sensitive and private information,
  • Deploy malware (backdoors, ransomware, wipers, etc.), and
  • Discover other exploitable assets connected throughout the target network for lateral movement and persistence.

Therefore, it was no surprise when – in March 2024 – CISA added FortiClientEMS’s CVE-2023-48788 to the Known Exploited Vulnerabilities Catalog (1), due to reports of active exploitation.

Additionally, the public release of Proof-of-Concept (PoC) exploits of vulnerabilities, such as Horizon3 research team’s open PoC for CVE-2023-48788 (2), enable lower-skill level threat actors to exploit vulnerabilities to gain initial access.

 

Recommended Mitigations and Remediations for FortiClientEMS Vulnerability CVE-2023-48788

Thankfully, the security actions which help prevent vulnerability exploitation are similar to other mitigations.

Specifically, the APG recommends the following actions to help detect, remediate, and prevent potential malicious activity related to vulnerability exploitation:

  • Prioritize patching based on the number of systems affected, the impact of exploitation, how widely known the vulnerability is, and the ease of exploitation.
    • For example, with known threat actor activity exploiting CVE-2023-48788, the public PoC, and FortiClientEMS’s network access, CVE-2023-48788 should be prioritized for immediate patching to the latest version (3).
  • Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths.
  • Enable MFA for access to login portals, VPN clients and servers, and critical systems that maintain sensitive data.
  • Employ heuristics-based network activity monitoring to alert to malicious behavior, even if your systems aren’t fully patched or otherwise insulated from potential attack.

Akira Ransomware Incident with Technology Partner on March 25, 2024

Topline Takeaways

  • Date of incident: March 25, 2024
  • Industry target: Healthcare
  • Relevant attacker information:
    • Akira ransomware
    • akira[.]exe
  • Blackpoint SOC actions:
    • Deployed Ransomware Response through MDR to prevent malicious encryption
    • Isolated impacted endpoint(s)
    • Contacted client about the incident and provided additional remediation
  • Why this incident matters to you:
    • The APG predicts that it is very likely (80-95%) that threat actors will continue to use Akira and other ransomware toolsets to extort other Technology organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Least-privilege access controls
    • Heuristics-based network activity monitoring
    • Incident response plans (IRPs)

Akira Ransomware Incident Timeline for March 25, 2024

  • 7:06 a.m. EST: Blackpoint’s MDR alerted to malicious activity.
  • 7:07 a.m. EST: An MDR analyst began initial triage and investigation.
  • 7:08 a.m. EST: The analyst escalated the case when files were attempted to be encrypted.
  • 7:11 a.m. EST: A Senior MDR analyst attempted initial client communication to verify activity.
  • 7:19 a.m. EST: The analyst isolated the infected endpoints from all external and internal communications.
  • 7:25 a.m. EST & 8:11 a.m. EST: The SOC spoke to the technology partner about the incident and provided additional remediation advice.

What happened?

Last Monday, the Blackpoint SOC alerted to ransomware activity on the host of a Technology partner.

The alert detected the ransomware variant Akira, with additional remote access attempts by the compromised user account to another host on the network from the Fortinet gateway for lateral movement.

The SOC team isolated all impacted online hosts with Blackpoint’s SNAP agent to prevent additional lateral movement and/or encryption.

What is Akira ransomware?

First observed in 2023, Akira ransomware operates using a double extortion method, in which a victim’s:

  1. Endpoints are locked and data encrypted within the network, with a demand for a ransom in exchange for a key to unlock the hostage data, and
  2. Data is also exfiltrated altogether, with threats of leaking the stolen information via dark web sites if the ransom is not paid.

Security researchers linked Akira to the Conti operation through tactics, techniques, and procedures (TTPs) (4), as well as blockchain analysis (5), with Akira ransom payments sent to Conti-affiliated wallets.

Akira operators gain initial access by using unauthorized logon to VPNs by targeting accounts that did not have MFA enabled.

 

How often will Akira ransomware be used by threat actors in 2024?

The APG predicts that threat actors will very likely continue to use Akira over the next 12 months against organizations in all industry verticals, including technology.

We base this assessment on current attack trends, updated exploit packages, and new TTPs from Akira ransomware operators.

Per APG research and analysis, Akira ransomware targeted 172 victims across multiple verticals and geographies from January 1 to 31 December 31, 2023, with an additional 53 victims from January 1 to March 27, 2024.

While Akira is not the most active ransomware variant in use by threat actors, the group’s potential ties to the former Conti group indicate that the members are likely experienced and are capable of growing their operation to one of the most active.

 

Recommended Mitigations and Remediations for Akira Ransomware

Blackpoint APG recommends the following actions to help mitigate ransomware.

  • Implement least-privilege access controls. These technical and administrative controls can help ensure that users only have access to the data and resources required to complete their job functions. If an attacker compromises that user’s account, they will be extremely limited in what they can accomplish from that single profile or endpoint – greatly limiting the potential for a material impact from an attempted ransom.
  • Monitor system activity for malicious behavior, to detect unusual access patterns from otherwise authorized users or processes that could indicate a potential compromise by a threat actor.
  • Create, maintain, and implement an incident response plan (IRP) that includes the processes for data backup, restoration, notification processes (including partners, team members, and law enforcement), and ensuring business continuity.

Gootloader Incident with Academics Partner on March 25, 2024

Topline Takeaways

  • Date of incident: March 25, 2024
  • Industry target: Academics
  • Relevant attacker information:
    • Gootloader
    • agent[.]js
    • Scheduled task “Firefox Default Browser Agent”
    • Malicious attachment “chase_statement_Jan_2024[.]zip”
  • Blackpoint SOC actions:
    • Isolated impacted endpoint(s)
    • Called client about the incident and provided additional remediation advice
  • Why this incident matters to you:
    • The APG predicts that it is likely (55-80%) that threat actors will continue to use Gootloader and loader malware to infect other academic organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Improve endpoint, asset, and network visibility
    • Use a content proxy
    • Heuristics-based network activity monitoring
    • Scripting language controls

Gootloader Ransomware Incident Timeline for March 25, 2024

  • 3:16 p.m. EST: Blackpoint’s MDR alerted to malicious activity.
  • 4:29 p.m. EST: An MDR analyst began initial triage.
  • 4:35 p.m. EST: They isolated the infected endpoints from all external and internal communications.
  • 4:36 p.m. EST: They spoke to the academic partner about incident and provided additional remediation advice.

What happened?

Last Monday, the Blackpoint SOC was alerted to the Gootloader family of malware infection on an academic partner’s host.

SOC analysts observed a scheduled task titled “Firefox Default Browser Agent” executing on the host, with a JScript file “agent[.]js”.

This JScript file then attempted to use PowerShell to connect to an external malicious domain for command and control (C2).

Blackpoint SOC isolated the host to prevent additional compromise, and reached out to the client about the incident and additional steps that should be taken.

 

What is Gootloader?

Active since 2020, Gootloader is a first-stage downloader designed to attack Windows-based operating systems.

Gootloader malware is offered by criminals on the dark web as an Initial-Access-as-a-Service (IAaaS) tool.

While Gootloader’s first observed second-stage payload was GootKit, a 2014 banking trojan and stealer – hence, the name “Gootloader” – it is often used to deploy other second stage payloads, including:

  • Ransomware, such as REvil and Rhysida,
  • Stealer malware, and
  • Cobalt Strike beacons.

In addition to deploying a second-stage payload, Gootloader can establish a threat actor’s persistence within a victim’s network using PowerShell commands to create scheduled tasks which periodically load and run the primary payload.

Gootloader has been observed gaining initial access via:

  • WordPress vulnerabilities,
  • Malicious JavaScript files which impersonate legitimate documents,
  • Social engineering attacks with malicious ZIP attachments, and
  • Search engine optimization (SEO) poisoning, luring victims to drive-by download campaigns that deliver the first stage payload.

How often will Gootloader be used by threat actors in 2024?

The APG predicts that threat actors will likely continue to use Gootloader and other malware loaders over the next 12 months against organizations in all industry verticals, including academic partners.

We base this assessment on internal Blackpoint attack trends against our partners and recent known use by active threat actors.

In November 2023, CISA released a #StopRansomware report related to the Rhysida ransomware (10), warning that the Rhysida ransomware operators had been observed using Gootloader for initial access and deploying the ransomware payload.

Additionally, in February 2024, security researchers with DarkTrace reported cyberattacks that utilized Gootloader during the attack to establish persistence and deploy second stage payloads (11).

 

Recommended Gootloader Mitigations and Remediations

The Blackpoint APG recommends the following actions to help mitigate Gootloader malware.

  • Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to malicious actions conducted by Gootloader and other malware.
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or potentially risky websites.
  • Monitor system activity through heuristics-based triggers and alerts, rather than depending solely on indicators of compromise (IoCs) to detect unusual access patterns that could be indicative of malicious behavior by threat actors.
  • Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages such as JavaScript to deploy malware and conduct malicious activities.

Further Information and Resources

  1. United States Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerability List: “CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Vulnerability” on 2024-03-25
  2. Horizon3’s Attack Blogs: “CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive” by James Horseman on 2024-03-21
  3. Fortiguard Labs: “Pervasive SQL injection in DAS component” on 2024-03-12
  4. SentinelOne Blog: “From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families” by Jim Walter on 2023-08-23
  5. Arctic Wolf Labs: “Conti and Akira: Chained Together” by Steven Campbell, Akshay Suthar, Connor Belfiore, and Arctic Wolf Labs Team on 2023-07-26
  6. Trellix: “Akira Ransomware” by Max Kersten and Alexandre Mundo on 2023-11-29
  7. Avast’s Decoded Blog: “Decrypted: Akira Ransomware” by Threat Research Team on 2023-06-29
  8. CyberCX Blog: “Weaponising VMs to bypass EDR – Akira Ransomware” by Digital Forensics and Incident Response on 2023-15-09
  9. TrueSec: “Akira Ransomware and Exploitation of Cisco Anyconnect Vulnerability CVE-2020-3259” by Heresh Zaremand on 2024-01-29
  10. United States Cybersecurity and Infrastructure Security Agency (CISA)’s Cybersecurity Advisory: “#StopRansomware: Rhysida Ransomware” on 2023-11-15
  11. Darktrace’s Blog: “Gootloader Malware: Detecting and Containing Multi-Functional Threats with Darktrace” on 2024-02-15
DATE PUBLISHEDMarch 29, 2024
AUTHORBlackpoint Cyber

Subscribe to the Blackpoint Blog

Don’t let a lack of awareness leave the organizations you protect vulnerable to sophisticated and elusive attacks. Subscribe now for a weekly roundup of Blackpoint’s empowering articles.

Subscribe now!