One Article Review

Source: RiskIQ
Identifier: 8601766
Publication date: 2024-10-25 19:35:23 (viewed: 2024-10-25 20:07:18)
Title: Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575)
Text:

## Snapshot

Mandiant researchers identified zero-day exploitation of FortiManager appliances via [CVE-2024-47575](https://security.microsoft.com/intel-explorer/cves/CVE-2024-47575/), which allowed threat actors to execute arbitrary code or commands. Over 50 potentially compromised devices across various industries were identified.

## Description

The threat cluster, tracked as UNC5820, exploited this vulnerability as early as June 27, 2024, staging and exfiltrating configuration data from the FortiGate devices managed by the targeted FortiManager. This data included detailed configuration information, user details, and FortiOS256-hashed passwords, which could enable further compromise and lateral movement within enterprise environments.

The initial exploitation attempts were traced to an IP address that connected to a FortiManager device on the default FGFM port, TCP/541. Subsequent outbound traffic, with data sizes slightly larger than the staged Gzip-compressed archive, indicated exfiltration to various IP addresses. The unauthorized FortiManager device used by the threat actor was registered to the targeted FortiManager, and its presence was confirmed in the FortiManager console and in various configuration files.

Although Mandiant's investigation did not reveal the specific requests used to exploit the vulnerability, nor evidence of lateral movement or further compromise using the obtained data, analysis of memory images and logs provided additional indicators of the threat actor's activity. Google Cloud notified affected customers and developed detections for the exploitation attempts. Fortinet also communicated with its customers to alert them to the vulnerability. Despite the lack of follow-on malicious activity found in the device's initramfs, the investigation highlighted the need for organizations with internet-exposed FortiManager devices to conduct immediate forensic investigations.
## Microsoft Analysis and Additional OSINT Context

On October 23rd, 2024, FortiGuard released a security advisory warning of the potential for arbitrary code execution and included IOCs, log entries, and recovery methods. More information can be found [here](https://www.fortiguard.com/psirt/FG-IR-24-423#new_tab). CISA also recognized the vulnerability and added it to the [Known Exploited Vulnerabilities catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog), urging federal agencies and all organizations to apply all applicable patches to mitigate the ongoing exploitation. This critical vulnerability poses significant risks and has already resulted in ransomware attacks, [emphasizing the urgent need for remediation.](https://www.cisa.gov/news-events/alerts/2024/10/23/cisa-adds-one-known-exploited-vulnerability-catalog)

## Recommendations

FortiGuard recommends the following actions to mitigate the impact of this threat.

For FortiManager, if you are running one of the following versions, an upgrade is needed:

- 7.6.0: Upgrade to 7.6.1 or above.
- 7.4.0 - 7.4.4: Upgrade to 7.4.5 or above.
- 7.2.0 - 7.2.7: Upgrade to 7.2.8 or above.
- 7.0.0 - 7.0.12: Upgrade to 7.0.13 or above.
- 6.4.0 - 6.4.14: Upgrade to 6.4.15 or above.
- 6.2.0 - 6.2.12: Upgrade to 6.2.13 or above.

FortiManager Cloud:

- 7.6: Not affected.
- 7.4.1 - 7.4.4: Upgrade to 7.4.5 or above.
- 7.2.1 - 7.2.7: Upgrade to 7.2.8 or above.
- 7.0.1 - 7.0.12: Upgrade to 7.0.13 or above.
- 6.4: Migrate to a fixed release.

FortiManager on FortiAnalyzer (affected models):

- 1000E, 1000F
- 2000E
- 3000E, 3000F, 3000G
- 3500E, 3500F, 3500G
- 3700F, 3700G
- 3900E

To determine if the FortiManager on FortiAnalyzer feature is enabled, use the command below:

```
config system global
set fmg-status enable
end
```

If fmg-status is set to enable and at least one interface has the fgfm service enabled, the device is impacted by this vulnerability. To mitigate this vulnerability, upgrade to the recommended versions or apply the necessary patches as specified for the device model.
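The following is an added example, not code from the article, Mandiant or Fortinet: a small Python triage helper that encodes the FortiGuard upgrade table above so an asset inventory can be checked against it consistently. It assumes version strings of the form `major.minor.patch` (e.g. `7.4.3`); the function names and verdict strings are this example's own.

```python
# Added example: triage FortiManager builds against the CVE-2024-47575
# advisory table quoted in this article (assumes "major.minor.patch" strings).
from typing import List, Tuple

Version = Tuple[int, int, int]
# Each entry: (first affected build, last affected build, fixed release).
FORTIMANAGER: List[Tuple[Version, Version, Version]] = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 7), (7, 2, 8)),
    ((7, 0, 0), (7, 0, 12), (7, 0, 13)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
    ((6, 2, 0), (6, 2, 12), (6, 2, 13)),
]
FORTIMANAGER_CLOUD: List[Tuple[Version, Version, Version]] = [
    ((7, 4, 1), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 1), (7, 2, 7), (7, 2, 8)),
    ((7, 0, 1), (7, 0, 12), (7, 0, 13)),
]
CLOUD_NOT_AFFECTED = {(7, 6)}   # advisory: "7.6: Not affected"
CLOUD_MIGRATE = {(6, 4)}        # advisory: "6.4: Migrate to a fixed release"


def parse_version(text: str) -> Version:
    """Parse '7.4.3' (or 'v7.4.3') into a comparable (7, 4, 3) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected FortiManager version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def triage(version: str, cloud: bool = False) -> str:
    """Return the advisory's verdict for one installed build."""
    v = parse_version(version)
    branch = v[:2]
    if cloud and branch in CLOUD_NOT_AFFECTED:
        return "not affected"
    if cloud and branch in CLOUD_MIGRATE:
        return "affected: migrate to a fixed release"
    for first, last, fixed in (FORTIMANAGER_CLOUD if cloud else FORTIMANAGER):
        if branch != first[:2]:
            continue                       # a different release branch
        if v >= fixed:
            return "not affected (fixed release)"
        if first <= v <= last:
            return "affected: upgrade to %d.%d.%d or above" % fixed
        break                              # older than the first listed build
    return "not listed in advisory"
```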
Tags: Ransomware, Vulnerability, Threat, Cloud


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from a previous one.