Ethical Hacking News
A new critical Fortinet flaw has been exploited since June 2024, targeting over 50 servers across various industries. Mandiant reveals that a threat actor tracked as UNC5820 has been actively exploiting this vulnerability to exfiltrate sensitive data from devices. In this article, we will delve into the details of the FortiJump vulnerability and explore the implications for organizations using Fortinet's software.
Fortinet's FortiManager software has been hit with a critical vulnerability dubbed "FortiJump" by Mandiant researchers. The flaw allows unauthenticated attackers to execute commands on the FortiManager server and manage the FortiGate devices it controls. Attackers exploit it by registering attacker-controlled FortiManager and FortiGate devices, carrying valid certificates, with any exposed FortiManager server. Once connected, they can issue API commands to the FortiManager and steal configuration data about the managed devices. A threat actor tracked as UNC5820 has been exploiting FortiManager devices since June 27, 2024, exfiltrating sensitive data. Fortinet has released patches for the CVE-2024-47575 vulnerability and published mitigations to prevent exploitation.
Fortinet, a leading provider of network security solutions, has been hit with a major setback after a new vulnerability was discovered and exploited in its FortiManager software. The flaw, dubbed "FortiJump" by researchers at Mandiant, has been actively exploited since June 2024, targeting over 50 servers across various industries.
The FortiJump vulnerability (CVE-2024-47575) is a missing-authentication flaw in the API of the Fortinet-created "FortiGate to FortiManager Protocol" (FGFM), the protocol FortiGate devices use to register with and be managed by a FortiManager (it listens on TCP port 541 on the FortiManager). Because the registration step does not authenticate the peer beyond checking for a valid certificate, an unauthenticated attacker can use attacker-controlled FortiManager and FortiGate devices with valid certificates to register with any exposed FortiManager server, execute commands on it, and manage its FortiGate devices.
Once connected, even while the rogue device is still in the "unauthorized" (pending approval) state, the attackers can execute API commands on the FortiManager and steal configuration data about the managed devices. This stolen data contains the detailed configuration of the managed appliances as well as user accounts and FortiOS256-hashed passwords.
Mandiant, the cybersecurity firm that discovered the flaw and tracks the threat actor, has been monitoring the situation closely. In its report, it revealed that a threat actor tracked as UNC5820 has been exploiting FortiManager devices since June 27, 2024. The first observed attack came from IP address 45.32.41[.]202, when the threat actors registered an unauthorized FortiManager-VM to an exposed FortiManager server.
The attacker-controlled FortiManager-VM used the serial number "FMG-VMTM23017412" and created four files on the victim. One of them, /tmp/.tm, is a gzip archive containing exfiltrated information about the managed FortiGate devices, the FortiManager server itself, and its global database; the contents of the other three files are not known.
Mandiant analyzed the memory of a compromised device but found no signs of malicious payloads or tampering with system files. The attackers did, however, exfiltrate sensitive data from the devices, which may be less valuable to them now that Mandiant and Fortinet have notified customers of the attacks, provided those customers rotate the exposed credentials.
Fortinet has released patches for the CVE-2024-47575 vulnerability and offered mitigations for systems that cannot be patched immediately: restricting which IP addresses may connect to the FortiManager over FGFM (a local-in policy), or preventing devices with unknown serial numbers from registering at all with the command set fgfm-deny-unknown enable under config system global, where that setting is available. Note that the latter also blocks legitimate onboarding of FortiGates whose serial numbers have not yet been added to the FortiManager. The company has shared additional information in its CVE-2024-47575 (FG-IR-24-423) advisory, including mitigation and recovery methods.
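Putting the indicators from Mandiant's report and the mitigation above into something a defender can run: the following is an added example, not code from Mandiant, Fortinet, or the article. It scans device-registration events for the UNC5820 indicators (the source IP 45.32.41.202 and the serial FMG-VMTM23017412), for any FortiManager serial (FMG-) registering as a managed device over FGFM, and for serials or source addresses outside the organization's own inventory; it also checks whether a configuration dump contains set fgfm-deny-unknown enable. The log lines, the device inventory, the allowed networks and the configuration snippets are all constructed for the example, and the comma-separated key=value layout is a simplification rather than a verbatim FortiManager log format, so adjust parse_kv() to the real export before use.

```python
"""Hunt for unauthorized FGFM device registrations and check the
fgfm-deny-unknown hardening setting (added example, not vendor code)."""

import ipaddress
import re

# Indicators reported for UNC5820 in the article.
IOC_IPS = {"45.32.41.202"}
IOC_SERIALS = {"FMG-VMTM23017412"}

# Constructed for the example: serials of FortiGates that are expected to
# register with this FortiManager, and the networks they register from.
KNOWN_DEVICE_SERIALS = {"FGT60FTK20001234", "FG100FTK21005678"}
ALLOWED_FGFM_SOURCES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample events (simplified key=value layout, not a real export).
LOG_LINES = [
    'date=2024-06-27,time=09:14:02,type=event,subtype=dvm,operation="Add device",srcip=10.10.5.20,serial=FGT60FTK20001234,msg="Device add succeeded"',
    'date=2024-06-27,time=09:20:11,type=event,subtype=dvm,operation="Add device",srcip=45.32.41.202,serial=FMG-VMTM23017412,msg="Unregistered device add succeeded"',
    'date=2024-06-27,time=09:31:45,type=event,subtype=system,operation="Login",srcip=10.10.1.5,user=admin,msg="Admin login"',
    'date=2024-06-28,time=02:05:09,type=event,subtype=dvm,operation="Add device",srcip=203.0.113.7,serial=FGT40FTK19009999,msg="Unregistered device add succeeded"',
]

# Constructed configuration snippets: one hardened, one left at default.
HARDENED_CONFIG = """config system global
    set hostname FMG-PROD
    set fgfm-deny-unknown enable
end
"""
DEFAULT_CONFIG = """config system global
    set hostname FMG-PROD
end
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')


def parse_kv(line):
    """Parse one comma-separated key=value line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def flag_registration(rec):
    """Return the reasons a device-registration record looks suspicious."""
    reasons = []
    serial = rec.get("serial", "")
    src = rec.get("srcip", "")
    if serial in IOC_SERIALS:
        reasons.append("serial matches UNC5820 IOC")
    if src in IOC_IPS:
        reasons.append("source IP matches UNC5820 IOC")
    # FGFM peers should be FortiGates; a FortiManager serial registering as a
    # managed device is the exact pattern described in the report.
    if serial.startswith("FMG-"):
        reasons.append("FortiManager serial registering over FGFM")
    if serial not in KNOWN_DEVICE_SERIALS:
        reasons.append("serial not in inventory")
    try:
        ip = ipaddress.ip_address(src)
        if not any(ip in net for net in ALLOWED_FGFM_SOURCES):
            reasons.append("source outside allowed FGFM networks")
    except ValueError:
        reasons.append("unparseable source IP")
    return reasons


def hunt(lines):
    """Return {serial: reasons} for every suspicious 'Add device' event."""
    hits = {}
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") != "dvm" or rec.get("operation") != "Add device":
            continue  # only device-manager registration events matter here
        reasons = flag_registration(rec)
        if reasons:
            hits[rec.get("serial", "?")] = reasons
    return hits


def deny_unknown_enabled(config_text):
    """True if the 'config system global' block sets fgfm-deny-unknown enable."""
    block = re.search(r"config system global\n(.*?)\nend", config_text, re.S)
    if not block:
        return False
    return re.search(r"^\s*set fgfm-deny-unknown enable\s*$",
                     block.group(1), re.M) is not None


if __name__ == "__main__":
    for serial, reasons in hunt(LOG_LINES).items():
        print(serial, "->", "; ".join(reasons))
    print("fgfm-deny-unknown enabled (hardened):", deny_unknown_enabled(HARDENED_CONFIG))
    print("fgfm-deny-unknown enabled (default): ", deny_unknown_enabled(DEFAULT_CONFIG))
```

Run against the constructed input, the rogue FortiManager-VM is flagged on all five checks and the unknown FortiGate from 203.0.113.7 on two, while the inventoried device from the allowed network is silent; the inventory and allowed-network checks are what keep the script useful after the actor changes its IP and serial.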
Threat actors may have exploited this flaw to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment behind them. It is still unclear what the threat actor's goal was or where it is located.
In light of this, organizations running FortiManager should patch immediately, apply the mitigations above where patching is delayed, and review device-registration logs for unknown devices. Because the exfiltrated configurations include user accounts and hashed passwords, credentials present on affected FortiManagers and managed devices should be treated as compromised and rotated. The usual hygiene still applies: keep software updated, disable unnecessary features and exposed management interfaces, and monitor system logs for suspicious activity.
As cybersecurity threats continue to evolve, organizations must stay vigilant and proactive in protecting themselves against zero-day attacks like the one described above.
Related Information:
https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/
Published: Thu Oct 24 09:37:38 2024 by llama3.2 3B Q4_K_M