
Fortinet has confirmed that a recent critical zero-day vulnerability in its FortiManager network management platform is being exploited in the wild.
The flaw, tracked as CVE-2024-47575, is a missing-authentication vulnerability in the FortiManager fgfmd daemon, which implements the FortiGate-to-FortiManager (FGFM) protocol. According to Fortinet's advisory, it may allow a remote unauthenticated attacker to execute arbitrary code or commands on the FortiManager via specially crafted requests; in practice, an attacker-controlled device that can talk to the FGFM service is enough to reach the vulnerable code.
In a newly published report, Mandiant said it is working with Fortinet to investigate mass exploitation of FortiManager appliances, with more than 50 potentially compromised devices across a range of industries.
Mandiant attributes the activity to a new threat cluster it tracks as UNC5820. The earliest exploitation it observed was on June 27, 2024, and the activity continued through September 22, 2024, including further data exfiltration and apparent attempts to establish persistence.
UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by each exploited FortiManager. That data contains the detailed configuration of the managed appliances as well as their user accounts and FortiOS256-hashed passwords.
The actor reached vulnerable FortiManager devices from IP address 45.32.41.202, connecting inbound to TCP port 541, the port used by the FGFM service. Configuration files containing sensitive details about the managed devices were then staged in a compressed archive at /tmp/.tm.
The staged archive was sent out over an outbound connection, with the destination IP address varying across incidents. In at least one case, the threat actor's own device was registered with the compromised FortiManager as a managed device, giving the actor a persistent foothold.
Mandiant said it does not yet have enough data to determine whether UNC5820 is a state-sponsored actor or where it is based. Organizations whose FortiManager may be exposed to the internet should begin a forensic investigation immediately.
This week, following the evidence of exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
In its latest statement, Fortinet said: "We also have published a corresponding public advisory (FG-IR-24-423) reiterating mitigation guidance, including a workaround and patch updates. We urge customers to follow the guidance provided to implement the workarounds and fixes and to continue tracking our advisory page for updates."
Indicators of Compromise
- 104.238.141.143
- 195.85.114.78
- 158.247.199.37
- 45.32.41.202
- 9DCFAB171580B52DEAE8703157012674 (MD5)
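As an added triage helper for the indicators above (example code written for this page, not tooling from Fortinet, Mandiant or the original article), the following Python script does the two checks described in the text: it scans key=value style traffic logs for inbound sessions from the listed addresses to TCP/541 and for any outbound session to a listed address, and it checks whether the /tmp/.tm staging archive is present and whether its MD5 matches the listed hash. The log lines embedded in the script are constructed in the shape of FortiGate logs for illustration; real field names on your devices may differ, and the hash is treated as MD5 because it is a 32-hex-character value.

```python
"""Triage helper for the CVE-2024-47575 indicators listed on this page (added example)."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the list above.
IOC_IPS = frozenset({
    "104.238.141.143",
    "195.85.114.78",
    "158.247.199.37",
    "45.32.41.202",
})
IOC_MD5 = "9dcfab171580b52deae8703157012674"  # assumed MD5 (32 hex chars)
FGFM_PORT = "541"           # FortiGate-to-FortiManager (fgfmd) service
STAGING_PATH = "/tmp/.tm"   # archive the actor staged before exfiltration

# key=value or key="quoted value" tokens, the layout Fortinet logs use.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def triage_traffic(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag sessions that match the actor's observed pattern.

    Returns (reason, indicator, line) tuples for:
      * inbound sessions from an IOC address to TCP/541 (initial access via FGFM)
      * any outbound session to an IOC address (exfiltration of the staged archive)
    Field names srcip/dstip/dstport are assumed; adjust to your log schema.
    """
    hits = []
    for line in lines:
        f = parse_kv(line)
        src, dst, dport = f.get("srcip"), f.get("dstip"), f.get("dstport")
        if src in IOC_IPS and dport == FGFM_PORT:
            hits.append(("inbound_fgfm_from_ioc", src, line))
        elif dst in IOC_IPS:
            hits.append(("outbound_to_ioc", dst, line))
    return hits


def md5_matches_ioc(data: bytes) -> bool:
    """True if the bytes hash to the MD5 listed in the IOCs."""
    return hashlib.md5(data).hexdigest() == IOC_MD5


def check_staged_archive(path: str = STAGING_PATH) -> Dict[str, object]:
    """Report whether the staging path exists and whether its hash is the known IOC.

    Absence of the file is not a clean bill of health: the archive may have been
    deleted after exfiltration, so the network evidence still has to be reviewed.
    """
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return {"path": path, "present": False, "ioc_hash": False}
    return {"path": path, "present": True, "ioc_hash": md5_matches_ioc(data)}


# Constructed sample lines in FortiGate key=value style (not real captured logs).
SAMPLE_LOG = [
    'date=2024-06-27 time=08:12:41 type=traffic subtype=local srcip=45.32.41.202 srcport=51324 dstip=10.10.1.5 dstport=541 proto=6 action=accept',
    'date=2024-06-27 time=08:13:02 type=traffic subtype=local srcip=10.10.1.5 srcport=44012 dstip=104.238.141.143 dstport=443 proto=6 action=accept sentbyte=2097152',
    'date=2024-06-27 time=08:13:09 type=traffic subtype=local srcip=192.0.2.77 srcport=40001 dstip=10.10.1.5 dstport=541 proto=6 action=accept',
    'date=2024-06-27 time=08:14:10 type=traffic subtype=local srcip=10.10.1.5 srcport=44020 dstip=198.51.100.9 dstport=443 proto=6 action=accept',
]

if __name__ == "__main__":
    for reason, ioc, line in triage_traffic(SAMPLE_LOG):
        print(f"{reason:24} {ioc:18} {line}")
    print(check_staged_archive())
```

Run against exported traffic logs from the FortiManager's upstream firewall as well as the FortiManager itself; a legitimate FortiGate registering over TCP/541 from an unlisted address will not be flagged by this script, so any unexpected device registration still needs to be reviewed by hand.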

