Exploring FortiManager Zero-Day Vulnerability (CVE-2024-47575)

In October 2024, Mandiant and Fortinet investigated mass exploitation of FortiManager appliances due to CVE-2024-47575, which allowed unauthorized command execution. The UNC5820 threat group exfiltrated FortiGate configuration data (including hashed passwords) with no confirmed lateral movement at publication. #UNC5820 #CVE-2024-47575 #FortiManager #FortiGate #Fortinet

Keypoints

  • Mandiant and Fortinet investigated widespread exploitation of FortiManager devices.
  • The vulnerability CVE-2024-47575 enables unauthorized command execution on FortiManager appliances.
  • The UNC5820 threat group began exploiting the vulnerability as early as June 27, 2024.
  • Configuration data from FortiGate devices managed by FortiManager was exfiltrated, including FortiOS256 password hashes.
  • There is no evidence of lateral movement or further compromise at the time of the report.
  • Recommendations include limiting FortiManager access and conducting forensic investigations if FortiManager is internet-exposed.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Used to exploit the FortiManager vulnerability to execute arbitrary commands on vulnerable devices. ‘The vulnerability, CVE-2024-47575, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.’
  • [T1041] Exfiltration Over Command and Control Channel – FortiGate configuration data exfiltrated via outbound traffic. ‘staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager.’
  • [T1136] Create Account – Unauthorized Fortinet device appeared in FortiManager console, indicating persistence through new device entries. ‘their unknown Fortinet device appeared in the FortiManager console.’
  • [T1078] Valid Accounts – The report's Initial Access phase is mapped to Valid Accounts. ‘Initial Access (T1078) – Valid Accounts’
  • [T1068] Exploitation of Vulnerability – Direct exploitation of the FortiManager vulnerability to gain unauthorized access. ‘Privilege Escalation (T1068) – Exploitation of Vulnerability’

Indicators of Compromise

  • [IP Address] Inbound/outbound indicators – 45.32.41.202, 104.238.141.143, and 2 more addresses
  • [File] Archive/file containing config data – /tmp/.tm
  • [File] Unregistered device list – /fds/data/unreg_devices.txt
  • [Hash] MD5 of unreg_devices.txt – 9DCFAB171580B52DEAE8703157012674
  • [Device] Unauthorized FortiManager device ID – FMG-VMTM23017412
  • [Email] Disposable/actor-associated email – [email protected]
  • [Organization] Company name found in data – Purity Supreme
  • [Log/Message] Exploitation indicators in logs – ‘Unregistered device localhost add succeeded’; ‘Edited device settings (SN FMG-VMTM23017412)’
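Added triage example, not code from the original report: a small Python helper that scans FortiManager-style log lines for the indicators listed above (the two log messages, the unauthorized device serial, the known IPs and the staging paths) and checks a recovered unreg_devices.txt against the published MD5. The sample log lines and their field layout are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the report summary above (not an exhaustive list).
IOC_IPS = {"45.32.41.202", "104.238.141.143"}
IOC_DEVICE_SN = "FMG-VMTM23017412"
IOC_FILE_PATHS = ("/tmp/.tm", "/fds/data/unreg_devices.txt")
IOC_UNREG_MD5 = "9dcfab171580b52deae8703157012674"
IOC_LOG_MESSAGES = (
    "Unregistered device localhost add succeeded",
    f"Edited device settings (SN {IOC_DEVICE_SN})",
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    line_no: int   # 1-based position in the scanned input
    kind: str      # "log_message", "ip", "device_sn" or "file_path"
    value: str     # the indicator that matched


def scan_log_lines(lines):
    """Return one Finding per indicator hit; an empty list means no hits."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for msg in IOC_LOG_MESSAGES:
            if msg in line:
                findings.append(Finding(n, "log_message", msg))
        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                findings.append(Finding(n, "ip", ip))
        if IOC_DEVICE_SN in line:
            findings.append(Finding(n, "device_sn", IOC_DEVICE_SN))
        for path in IOC_FILE_PATHS:
            if path in line:
                findings.append(Finding(n, "file_path", path))
    return findings


def unreg_devices_matches(data: bytes) -> bool:
    """True if the bytes of a recovered unreg_devices.txt match the reported MD5."""
    return hashlib.md5(data).hexdigest() == IOC_UNREG_MD5


# Constructed sample log lines (format is illustrative, not real FortiManager output).
SAMPLE_LOG = [
    'date=2024-10-23 time=11:02:14 user="admin" msg="Login succeeded" srcip=10.0.0.5',
    'date=2024-10-23 time=11:05:41 msg="Unregistered device localhost add succeeded" srcip=45.32.41.202',
    'date=2024-10-23 time=11:06:02 msg="Edited device settings (SN FMG-VMTM23017412)"',
    'date=2024-10-23 time=11:07:30 msg="Scheduled backup completed" srcip=10.0.0.5',
]
```

Running `scan_log_lines(SAMPLE_LOG)` yields four findings on lines 2 and 3 (both log messages, the source IP and the device serial) and none on the benign lines.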

Read more: https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/