CVE-2024-47575 – Fortinet FortiManager Vulnerability Exploit in the Wild
October 24, 2024
Severity
High
Analysis Summary
Since June 2024, a FortiManager vulnerability nicknamed "FortiJump" and tracked as CVE-2024-47575 has been exploited as a zero-day against more than 50 potentially compromised FortiManager servers, according to a recent analysis by Mandiant.
Fortinet first notified customers privately through an advance-notice security advisory, and for roughly ten days reports of an actively exploited FortiManager zero-day circulated online before the public advisory appeared. Fortinet then disclosed the flaw as a missing-authentication weakness in the FortiGate to FortiManager Protocol (FGFM) daemon and API: an unauthenticated remote attacker can run arbitrary code or commands on the FortiManager and, through it, manage the FortiGate devices it controls.
Exploitation requires an attacker-controlled device (a FortiManager VM or a FortiGate) presenting a valid Fortinet-issued device certificate; any FortiManager that exposes the FGFM service (TCP port 541) to the attacker accepts the registration. Once registered, even while the device sits in the Unauthorized state in the device manager, the attacker can issue API calls against the FortiManager and harvest configuration data for every managed device.
Fortinet has released patches for CVE-2024-47575 along with workarounds: restrict FGFM access to allow-listed IP addresses with a local-in policy, and on releases that support it run set fgfm-deny-unknown enable under config system global so that devices with unknown serial numbers cannot register. Note that the latter setting requires every legitimate FortiGate to be pre-added by serial number, or it will be unable to join. According to Mandiant, a threat actor tracked as UNC5820 has been exploiting FortiManager devices since June 27, 2024.
UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the compromised FortiManager. This data includes comprehensive configuration details for the managed devices together with their users and FortiOS256-hashed passwords. UNC5820 could use this information to target the enterprise environment, move laterally to the managed Fortinet devices, and further compromise the FortiManager.
The first observed attack came from 45.32.41[.]202, when the threat actor registered an unauthorized FortiManager-VM to an exposed FortiManager server. The rogue device presented the hostname "localhost" and the serial number "FMG-VMTM23017412". Mandiant reports that four files were created during the attack:
- /tmp/.tm: A gzip file that includes information on the FortiManager server and its global database, as well as exfiltrated data about managed FortiGate devices.
- /fds/data/unreg_devices.txt: This file includes the IP address and serial number of the unregistered device.
- /fds/data/subs.dat.tmp: Purpose unknown.
- /fds/data/subs.dat: The serial number, user ID, business name, and email address of the attacker-controlled device were all included in this file.
In the first observed attempt the email address was "0qsc137p@justdefinition.com" and the company name was "Purity Supreme". Mandiant analysed memory from the compromised device but found no malicious payloads and no tampering with system files.
Although the attackers exfiltrated configuration data, there is no evidence that UNC5820 used it to compromise the managed FortiGate devices or to move laterally into customer networks. Because Mandiant and Fortinet have notified affected customers, the stolen data should have lost much of its value once customers rotated credentials and applied the mitigations. With no follow-up activity after the initial intrusions, Mandiant has been unable to determine the threat actor's objective or likely location.
At the time of publication, researchers therefore lack the evidence to assess the actor's location or motivation; Mandiant has said it will update its attribution assessment as its investigation continues. Fortinet's advisory FG-IR-24-423 for CVE-2024-47575 gives further details, including mitigation and recovery guidance.
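As an added example (not code from this advisory, Fortinet or Mandiant), the following Python script turns two points above into checks an operator can run offline: it audits a FortiManager CLI export for the set fgfm-deny-unknown enable workaround named in FG-IR-24-423, and it scans device-manager event lines for the indicators in this report (the listed IP addresses, the serial FMG-VMTM23017412, and the addition of an unregistered device, which is how the rogue FortiManager-VM first appeared). The config excerpts and log lines are constructed for the example; the log layout (space-separated key=value pairs, quoted where the value contains spaces, with srcip, sn, device and msg fields) is an assumption modelled on Fortinet event logs, not a verbatim sample.

```python
"""Added example, not code from Fortinet, Mandiant or the advisory.
Two offline checks for CVE-2024-47575: a config audit and an IOC log scan.
All sample data below is constructed; the log field layout is an assumption."""
import re

# Indicators listed in this report.
IOC_IPS = {"104.238.141.143", "195.85.114.78", "158.247.199.37",
           "45.32.41.202", "45.32.63.2"}
IOC_SERIALS = {"FMG-VMTM23017412"}


def audit_fgfm_config(config_text: str) -> dict:
    """Parse a FortiManager CLI export and report whether
    'set fgfm-deny-unknown enable' is present under 'config system global'.
    The setting defaults to disable, so its absence counts as not hardened."""
    in_global = False
    deny_unknown = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system global":
            in_global = True
        elif in_global and line == "end":
            in_global = False
        elif in_global:
            m = re.fullmatch(r"set fgfm-deny-unknown (enable|disable)", line)
            if m:
                deny_unknown = m.group(1) == "enable"
    return {"fgfm_deny_unknown": deny_unknown}


# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict:
    """Split one key=value event line into a dict (assumed layout)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def scan_dvm_log(lines) -> list:
    """Flag events that match the report's indicators or that record a new
    unregistered device. Returns [{'index': n, 'reasons': [...]}, ...]."""
    hits = []
    for idx, line in enumerate(lines):
        f = parse_kv(line)
        reasons = []
        src = f.get("srcip")
        if src in IOC_IPS:
            reasons.append(f"source {src} is a listed IOC address")
        for sn in sorted(IOC_SERIALS & set(re.findall(r"FMG-VM[A-Z0-9]+", line))):
            reasons.append(f"serial {sn} is a listed IOC serial")
        if f.get("subtype") == "dvm" and "Unregistered device" in f.get("msg", ""):
            dev = f.get("device", "?")
            reasons.append(f"unregistered device '{dev}' added; confirm it is an expected FortiGate")
        if reasons:
            hits.append({"index": idx, "reasons": reasons})
    return hits


# Constructed samples: a default config, the hardened config, and three events
# (the first mimics the rogue registration described in the report).
WEAK_CONFIG = """config system global
    set hostname "fmg-lab"
end
"""
HARDENED_CONFIG = """config system global
    set hostname "fmg-lab"
    set fgfm-deny-unknown enable
end
"""
CONSTRUCTED_LOG = [
    'type=event subtype=dvm pri=notice srcip=45.32.41.202 user="device" '
    'msg="Unregistered device localhost add succeeded" device="localhost" sn=FMG-VMTM23017412',
    'type=event subtype=dvm pri=notice srcip=10.20.0.5 user="admin" '
    'msg="Edit device (SN FGT60FTK20001234)" device="branch-fw-01" sn=FGT60FTK20001234',
    'type=event subtype=system pri=information srcip=10.20.0.9 user="admin" msg="Login succeeded"',
]

if __name__ == "__main__":
    for name, cfg in (("default", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_fgfm_config(cfg))
    for hit in scan_dvm_log(CONSTRUCTED_LOG):
        print(f"line {hit['index']}:")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Feed audit_fgfm_config the output of show system global from a real FortiManager and scan_dvm_log an exported event log (adjust the field names if your export differs). Treat the IP list as historical: infrastructure changes, so a clean scan against these five addresses does not by itself rule out exploitation, and an unexpected unregistered-device event deserves a look regardless of its source address.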
Impact
- Command Execution
- Unauthorized Access
- Data Exfiltration
- Information Theft
Indicators of Compromise
IP
- 104.238.141.143
- 195.85.114.78
- 158.247.199.37
- 45.32.41.202
- 45.32.63.2
Remediation
- Refer to the FortiGuard advisory FG-IR-24-423 for fixed versions and the supported workarounds (IP allow-listing of FGFM and fgfm-deny-unknown).
- Organizations must check their FortiManager assets for this vulnerability and apply the available security patch or mitigation steps as soon as possible; FortiManager instances exposed to the internet on the FGFM port should be treated as the highest priority.
- Review the devices registered in FortiManager for entries you do not recognise (for example a device named "localhost" or a serial number you never added). If compromise is suspected, treat the configurations and administrator password hashes of all managed FortiGates as exposed and rotate those credentials.
- Enforce multi-factor authentication on FortiManager administrator accounts. Note that MFA does not block CVE-2024-47575 itself, which is reached over the unauthenticated FGFM channel, so it complements patching rather than replacing it.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Follow cybersecurity best practices to protect systems and data, including keeping software up to date and maintaining strong access controls and monitoring.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.