Mandiant says new Fortinet flaw has been exploited since June

October 24, 2024 at 10:04AM

A vulnerability in Fortinet’s FortiManager, tracked as CVE-2024-47575, has been exploited since June 2024, allowing unauthorized access to servers. Mandiant identified the threat actor UNC5820, who stole sensitive configuration data. Fortinet has released patches and mitigation strategies to protect against further exploitation.

### Meeting Takeaways on Fortinet FortiManager Vulnerability (CVE-2024-47575)

1. **Vulnerability Details**:
   - **Name**: FortiJump (CVE-2024-47575)
   - **Exploitation**: Active since June 2024; over 50 servers targeted in zero-day attacks.

2. **Nature of the Flaw**:
   - **Type**: Missing authentication in the FortiGate to FortiManager (FGFM) protocol API.
   - **Impact**: Allowed unauthenticated attackers to execute commands on FortiManager servers and on the FortiGate devices they manage.

3. **Exploitation Method**:
   - Attackers used FortiManager and FortiGate devices under their own control and registered them with internet-exposed FortiManager servers without authorization.
   - Once registered, the attacker-controlled devices could execute API commands and exfiltrate configuration data, including users’ hashed passwords.

4. **Attacker Identification**:
   - The threat actor, tracked as **UNC5820**, has successfully exploited FortiManager devices since **June 27, 2024**.
   - The first observed attack originated from IP **45.32.41[.]202**.

5. **Data Compromised**:
   - The compromised FortiManager was used to exfiltrate configuration data and user information.
   - Files created during the attack contained sensitive details about the managed devices and about the attacker-controlled FortiManager.

6. **Fortinet’s Response**:
   - Fortinet has released patches and mitigation strategies, including IP whitelisting and command settings that block unauthorized device registrations.

7. **Current Analysis**:
   - Mandiant has found no signs of malicious payloads or lateral movement following the exfiltration.
   - The value of the stolen data to the attacker appears reduced because impacted customers were notified promptly.
   - Investigation is ongoing to establish the threat actor’s motivation and location.

8. **Additional Information**:
   - Fortinet’s advisory (FG-IR-24-423) includes recovery methods, IOCs, and log entries for detecting compromised servers.

**Next Steps**:
- Ensure all affected systems are updated with the latest patches.
- Implement the recommended mitigation strategies.
- Monitor for further developments and updates from Mandiant and Fortinet.
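As an added detection example (not code from the article, Mandiant, or Fortinet): a small Python triage script that parses FortiManager-style key=value event lines and flags device-registration events originating from IPs outside an allowlist, plus any event from the IP the article names as the first observed attack source. The log layout, the field names (`src`, `subtype`, `msg`), and the allowlisted addresses are constructed assumptions for this example; the exact log entries to hunt for are the ones published in FG-IR-24-423, so align the matching logic with those before running this over real exports.

```python
"""Triage FortiManager-style event logs for unauthorized device registrations.

Added example, not vendor or Mandiant code. The key=value layout and field
names below are a constructed approximation of a FortiManager event log,
not the exact schema documented in FG-IR-24-423.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed allowlist: management addresses from which FortiGate devices are
# expected to register. Mirrors the "IP whitelisting" mitigation in the article.
ALLOWED_REGISTRATION_SOURCES = {"10.0.0.0/24", "192.0.2.10"}

# Indicator taken from the article: first observed attack source IP.
KNOWN_BAD_IPS = {"45.32.41.202"}

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    reason: str
    src: str
    raw: str


def parse_kv(line: str) -> dict:
    """Split one event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def in_allowlist(ip: str, networks) -> bool:
    """True if ip falls inside any allowlisted host or CIDR range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or empty source: treat as untrusted
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def is_unregistered_device_add(event: dict) -> bool:
    """Device-manager event announcing that an unknown device was added."""
    msg = event.get("msg", "").lower()
    return event.get("subtype") == "dvm" and "unregistered device" in msg and "add" in msg


def triage(lines, allowlist=ALLOWED_REGISTRATION_SOURCES, bad_ips=KNOWN_BAD_IPS):
    """Return a Finding for each line that warrants analyst attention."""
    findings = []
    for line in lines:
        event = parse_kv(line)
        src = event.get("src", "")
        if src in bad_ips:
            findings.append(Finding("known IoC source IP", src, line))
            continue
        if is_unregistered_device_add(event) and not in_allowlist(src, allowlist):
            findings.append(Finding("unregistered device added from non-allowlisted IP", src, line))
    return findings


# Constructed sample log: one expected registration, one from an unknown host,
# one unrelated admin event, and one from the IP the article names.
SAMPLE_LOG = [
    'type=event subtype=dvm src=192.0.2.10 msg="Unregistered device fgt-branch add succeeded"',
    'type=event subtype=dvm src=203.0.113.7 msg="Unregistered device localhost add succeeded"',
    'type=event subtype=system src=10.0.0.5 msg="Admin login succeeded"',
    'type=event subtype=dvm src=45.32.41.202 msg="Unregistered device localhost add succeeded"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] src={f.src}\n    {f.raw}")
```

Point `triage()` at the lines of an exported event log; every finding carries the raw line so it can be pasted straight into a ticket. The allowlist check is the script's counterpart to the IP whitelisting mitigation the article mentions; the registration check corresponds to the "command settings to prevent unauthorized device registrations", which in Fortinet's advisory is the FortiManager CLI option `set fgfm-deny-unknown enable` under `config system global`, refusing devices whose serial numbers are not already known.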
