Hackers Probing Newly Disclosed Fortinet Zero-Day
Mandiant Says High-Severity Flaw Could Give Attackers Remote Unauthenticated Access

Researchers at Mandiant say a new threat cluster, first observed June 27, has been exploiting a Fortinet zero-day that the network edge device manufacturer publicly disclosed Wednesday.
So far it appears the threat actor - assigned a tracking designation of UNC5820 - has not used stolen Fortinet device configuration data to move deeper into targets' networks, the Google-owned threat intel company said Wednesday. Researchers said they lack the data to assess the threat actor's motivation or location.
Fortinet said an actively exploited flaw tracked as CVE-2024-47575 in its FortiManager centralized management platform allows remote unauthenticated hackers to execute arbitrary code or commands. On-premises and cloud instances are affected. The company said Wednesday it has not received reports of hackers exploiting the flaw to install malware or backdoors. "To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices," a spokesperson said.
Cybersecurity researcher Kevin Beaumont, who raised the prospect of a new Fortinet zero-day on Oct. 13 - and who has repeatedly criticized Fortinet for lack of transparency - dubbed the vulnerability "FortiJump" (see: Fortinet Discloses Actively Exploited Zero-Day).
The flaw, which Fortinet tracks under advisory FG-IR-24-423, is a critical missing-authentication vulnerability in the FortiManager fgfmd daemon, exploitable remotely without credentials, with a CVSS score of 9.8. It is reachable because FortiManager by default accepts connections from devices it does not already know, so an attacker-controlled device can register with the manager.
Mandiant said the campaign began with connections from the IP address 45.32.41.202. "At approximately the same time, the file system recorded the staging of various Fortinet configuration files in a Gzip-compressed archive named /tmp/.tm." The archive contained, among other files, a folder of configuration files for the managed FortiGate devices.
Google Mandiant detected a second set of similar activities in September, although it did not detect any subsequent malicious activities on the compromised devices.
"At this stage of our investigations, there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment," Mandiant said.
Mandiant alerted Fortinet about the incidents, and the company released remediation steps on Wednesday. "Fortinet promptly communicated critical information and resources to customers," a company spokesperson said. "We continue to coordinate with the appropriate international government agencies and industry threat organizations as part of our ongoing response."
National cybersecurity agencies across the globe, including the Australian Cyber Security Center and the U.K. National Cyber Security Center, urged organizations to protect themselves. The U.K. NCSC asked organizations to report back if they suspect the flaw has been exploited against them.
The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog on Wednesday and urged federal agencies to patch it within three weeks.
Stephan Berger, head of investigations at Swiss security firm InfoGuard, tweeted on Thursday that the company had detected the same TTPs outlined by Google Mandiant.