Mandiant researchers first observed exploitation activity against CVE-2024-47575 on June 27, with more than 50 FortiManager devices compromised since.
A critical zero-day vulnerability in Fortinet's FortiManager has been under attack since at least late June, according to new research from Mandiant.
In a blog post published Wednesday evening, Mandiant researchers said they collaborated with Fortinet to investigate exploitation activity against CVE-2024-47575, a missing authentication vulnerability in the FortiManager product management tool. The zero-day flaw was publicly disclosed Wednesday, but Fortinet had privately notified customers about CVE-2024-47575 earlier this month and reports of the vulnerability began to surface last week.
Mandiant said it investigated "mass exploitation" of the FortiManager flaw in more than 50 compromised devices across a variety of industries. Additionally, the Google Cloud-owned cybersecurity company said the vulnerability has been under attack for several months.
"Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024," the blog post said. "UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords."
Mandiant said such data could allow UNC5820 actors to further compromise FortiManager devices and move laterally to other managed Fortinet devices and into victims' networks. However, the researchers said there is no evidence that threats actors have used the configuration data for lateral movement, and they have insufficient data to assess the threat actors' motives or location.
The earliest exploitation attempt was observed by Mandiant on June 27 when an IP address, 45.32.41[.]202, connected to multiple FortiManager devices via the default port TCP/541. The activity included the staging of a collection of Fortinet configuration files in a Gzip-compressed archive.
"On Sept. 23, 2024, Mandiant observed a second exploitation attempt with the same indicators. In both exploitation events, outbound network traffic occurred shortly after the archive creation," the blog post said.
During the second exploitation instance, Mandiant researchers found the threat actor's device was registered to the targeted FortiManager instance. "Once the threat actor successfully exploited the FortiManager, their unknown Fortinet device appeared in the FortiManager console."
An indicator of successful exploitation is the addition of an unauthorized device serial number, FMG-VMTM23017412, and its 45.32.41[.]202 IP address to FortiManager consoles, Mandiant said.
The company urged Fortinet customers to limit access to the FortiManager administrator portal to only approved, internal IP addresses; restructure FortiManager communications to permitted FortiGate addresses; and deny unknown FortiGate devices from connecting with FortiManager.
Mandiant also confirmed that Fortinet privately notified customers about CVE-2024-47575 prior to the public disclosure. "In addition to collaborating with Mandiant, Fortinet proactively sent advance communications to its customers as an early warning on their advisory to enable customers to strengthen their security posture prior to broad public disclosure."