New Threat Group UNC5820 Targets FortiManager Zero-Day CVE-2024-47575 in Global Cyberattack
In October 2024, Mandiant, in collaboration with Fortinet, uncovered the mass exploitation of FortiManager appliances across multiple industries. This zero-day vulnerability, designated as CVE-2024-47575, allows malicious actors to execute arbitrary code or commands on vulnerable FortiManager devices, leading to significant security risks.
Mandiant’s investigation tracked the emergence of a new threat group, UNC5820, which exploited this vulnerability as early as June 27, 2024. According to the report, “UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager.” This data included configuration information and user credentials, which could allow further compromise of the FortiManager and the devices it managed.
The exploitation impacted more than 50 FortiManager devices globally. Mandiant noted that, despite the severity of the breach, “there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment.” However, the potential for future attacks remains significant: the sensitive information UNC5820 obtained could allow the group to target entire enterprise networks managed by FortiGate devices.
Initial exploitation attempts were detected on June 27, 2024, when multiple FortiManager devices received inbound connections from a malicious IP address (45.32.41.202) via the default port TCP/541. Shortly thereafter, an archive file containing sensitive configuration data was staged. Mandiant reported a second wave of exploitation on September 23, 2024, exhibiting similar indicators of compromise.
The threat actors’ device was registered in the FortiManager system and added to the Global Objects database, allowing it to masquerade as an authorized FortiManager. “An additional indicator of successful exploitation is the addition of the unauthorized device serial number FMG-VMTM23017412,” noted Mandiant, alongside the malicious IP address used in the breach.
Despite the breadth of this attack, Mandiant’s forensic analysis did not uncover malicious files in the systems’ root filesystem that would indicate follow-on activities. However, the captured configuration data poses a continued threat, potentially facilitating future compromises.
In response to these attacks, Fortinet worked closely with Mandiant to develop and implement mitigation strategies. Mandiant strongly recommended that organizations restrict access to FortiManager devices and prevent unauthorized FortiGate addresses from interacting with them. Fortinet has also released software patches addressing this vulnerability in versions 7.2.5, 7.0.12, and 7.4.3.
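The indicators quoted above (the malicious IP, inbound connections on the default FGFM port TCP/541, and the unauthorized serial number) together with the recommended mitigation (only known FortiGate addresses should reach FortiManager) can be turned into a simple hunting script. The following is an added example written for this article; it is not Mandiant's or Fortinet's tooling. The log line format, the device inventory tuples, the expected-FortiGate allowlist and the serial `FGT60FTK00000001` are all constructed for illustration; real FortiManager logs and managed-device listings look different, so the parsing would need to be adapted.

```python
"""Hunt for the CVE-2024-47575 indicators named in the write-up.

Added example, not Mandiant's or Fortinet's tooling. The log format and the
inventory below are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators taken from the article.
MALICIOUS_IPS = {"45.32.41.202"}
UNAUTHORIZED_SERIALS = {"FMG-VMTM23017412"}
FGFM_PORT = 541  # default FortiGate-to-FortiManager (FGFM) port, TCP

# Constructed log format:
# "<timestamp> src=<ip> sport=<n> dst=<ip> dport=<n> action=<str>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def scan_connection_logs(lines, expected_fortigates, malicious_ips=MALICIOUS_IPS,
                         fgfm_port=FGFM_PORT):
    """Flag connections from known-bad IPs (any port) and FGFM-port
    connections from sources that are not on the FortiGate allowlist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash
        src, dport = m["src"], int(m["dport"])
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address field
        where = f"{m['ts']} {src} -> tcp/{dport} {m['action']}"
        if src in malicious_ips:
            findings.append(Finding("known_malicious_ip", where))
        elif dport == fgfm_port and src not in expected_fortigates:
            findings.append(Finding("unexpected_fgfm_source", where))
    return findings


def scan_device_inventory(devices, allowed_serials,
                          unauthorized_serials=UNAUTHORIZED_SERIALS):
    """devices: iterable of (serial, ip) tuples from the managed-device list.
    Reports the serial named in the report and any serial not in the
    organisation's own allowlist."""
    findings = []
    for serial, ip in devices:
        if serial in unauthorized_serials:
            findings.append(Finding("known_unauthorized_serial", f"{serial} ({ip})"))
        elif serial not in allowed_serials:
            findings.append(Finding("unregistered_serial", f"{serial} ({ip})"))
    return findings


# Constructed sample data (not real telemetry).
EXPECTED_FORTIGATES = {"10.0.0.5"}
SAMPLE_LOGS = [
    "2024-06-27T10:12:03Z src=10.0.0.5 sport=51234 dst=10.0.0.1 dport=541 action=accept",
    "2024-06-27T10:14:44Z src=45.32.41.202 sport=40012 dst=10.0.0.1 dport=541 action=accept",
    "2024-06-27T10:15:01Z src=203.0.113.9 sport=40013 dst=10.0.0.1 dport=541 action=accept",
    "2024-06-27T10:16:22Z src=10.0.0.5 sport=51240 dst=10.0.0.1 dport=443 action=accept",
    "not a log line",
]
ALLOWED_SERIALS = {"FGT60FTK00000001"}  # hypothetical serial for the real FortiGate
SAMPLE_DEVICES = [
    ("FGT60FTK00000001", "10.0.0.5"),
    ("FMG-VMTM23017412", "45.32.41.202"),
]


def run_sample():
    """Run both scans over the constructed sample data."""
    return (scan_connection_logs(SAMPLE_LOGS, EXPECTED_FORTIGATES),
            scan_device_inventory(SAMPLE_DEVICES, ALLOWED_SERIALS))


if __name__ == "__main__":
    for finding in run_sample()[0] + run_sample()[1]:
        print(f"[{finding.kind}] {finding.detail}")
```

Against the sample data the script reports the known-bad IP on TCP/541, a second FGFM connection from an address that is not an enrolled FortiGate, and the unauthorized serial in the device list; the ordinary FortiGate connection and the admin HTTPS session are left alone. The allowlist check is what operationalises Mandiant's advice to keep unknown FortiGate addresses away from FortiManager.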
Mandiant concluded their report by advising organizations whose FortiManager appliances are exposed to the internet to conduct immediate forensic investigations.