Exploitation via Trusted Infrastructure
Attackers have been observed exploiting a vulnerability in FortiClient Endpoint Management Server (EMS) to gain unauthorized administrative access. The flaw, which involves improper access control, allows unauthenticated attackers to bypass API authentication and send privileged requests to affected servers. Once inside, they modify the Remote Access Profile and endpoint policies to inject malicious scripts across all managed devices.
FortiClient EMS supports legitimate script execution triggered by VPN tunnel connections. The attackers weaponized this feature by placing script files in the standard VPN logging directory. When an endpoint connects via IPsec tunnel, these scripts execute automatically, decoding and running a PowerShell payload that downloads additional malware.
Impact and Scope
The downloaded payload, named EKZ Infostealer by researchers, is a credential-harvesting tool targeting major web browsers. It extracts saved passwords and credentials from Chromium-based browsers such as Chrome and Edge, as well as Gecko-based browsers including Firefox and Thunderbird. The malware copies itself into the browser's application directory to bypass security validation.
Initial exploitation activity was linked to login attempts from Tor exit-node IP addresses that occurred within hours of the vulnerability being exploited. The attack chain shows how administrative features can be turned against organizations, converting trusted infrastructure into a distribution mechanism for malware.
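From a detection standpoint, the chain above leaves three host-side traces: a script file appearing in the VPN logging directory, a PowerShell launch with an encoded command, and an executable written into a browser's application directory. The triage routine below is an added example, not code from the article or from Fortinet; the directory paths, the event shape and the sample events are assumptions constructed for illustration, so replace the placeholders with the real locations in your environment.

```python
import re

# Assumed paths and event shape; the article gives neither. Adjust for your environment.
VPN_LOG_DIR = r"C:\Program Files\Fortinet\FortiClient\logs"            # placeholder
BROWSER_APP_DIRS = (r"C:\Program Files\Google\Chrome\Application",      # placeholder
                    r"C:\Program Files\Mozilla Firefox")                # placeholder
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")
# PowerShell started with an encoded command: -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{32,}")


def _inside(path: str, directory: str) -> bool:
    """Case-insensitive 'path lies under directory' check for Windows paths."""
    return path.lower().startswith(directory.rstrip("\\").lower() + "\\")


def triage(events):
    """Return one alert string per event that matches a stage of the chain."""
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            if _inside(path, VPN_LOG_DIR) and path.lower().endswith(SCRIPT_EXTS):
                alerts.append(f"script dropped in VPN log dir: {path}")
            if path.lower().endswith(".exe") and any(_inside(path, d) for d in BROWSER_APP_DIRS):
                alerts.append(f"executable written into browser app dir: {path}")
        elif ev["type"] == "process" and ENCODED_PS.search(ev["cmdline"]):
            # Correlating this with a VPN tunnel-up event on the same host cuts false positives.
            alerts.append(f"encoded PowerShell launch: {ev['cmdline'][:60]}")
    return alerts


# Constructed sample telemetry for this example, not real events from the incident.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Program Files\Fortinet\FortiClient\logs\vpn_up.bat"},
    {"type": "file_create", "path": r"C:\Program Files\Fortinet\FortiClient\logs\vpn_20240101.log"},
    {"type": "process", "cmdline": "powershell.exe -nop -w hidden -enc " + "Q" * 48},
    {"type": "process", "cmdline": r"powershell.exe -File C:\ops\backup.ps1"},
    {"type": "file_create", "path": r"C:\Program Files\Google\Chrome\Application\updater.exe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The plain `.log` file in the VPN directory and the unencoded `-File` launch are deliberately included so the rules stay quiet on ordinary activity.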
Source: Cyber Security News