The Information Highway


Mandiant says new Fortinet flaw has been exploited since June

A new Fortinet FortiManager flaw dubbed "FortiJump" and tracked as CVE-2024-47575 has been exploited since June 2024 in zero-day attacks on over 50 servers, according to a new report by Mandiant.

For the past ten days, rumors of an actively exploited FortiManager zero-day have been circulating online after Fortinet privately notified customers in an advanced notification security advisory.

Today, Fortinet finally disclosed the FortiManager vulnerability, stating it was a missing-authentication flaw in the Fortinet-created "FortiGate to FortiManager Protocol" (FGFM) API that allowed unauthenticated attackers to execute commands on the server and on managed FortiGate devices.

Threat actors could exploit the flaw by utilizing attacker-controlled FortiManager and FortiGate devices with valid certificates to register themselves to any exposed FortiManager server.

Once their device was connected, even if it was in an unauthorized state, they could exploit the flaw to execute API commands on the FortiManager and steal configuration data about managed devices.

Fortinet has released patches for CVE-2024-47575 and offered mitigations, such as only allowing specific IP addresses to connect, or preventing unknown FortiGate devices from registering by using the "set fgfm-deny-unknown enable" command.

Exploited as a zero-day since June

Tonight, Mandiant reports that a threat actor tracked as UNC5820 has been exploiting FortiManager devices since as early as June 27, 2024.

"UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager," reads the new report from Mandiant.

"This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords."

"This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment."

The first observed attack was seen coming from 45.32.41[.]202, when the threat actors registered an unauthorized FortiManager-VM to an exposed FortiManager server.

This device was listed with the name "localhost" and utilized a serial number of "FMG-VMTM23017412," as shown below.

[Image: Attacker-controlled FortiManager-VM. Source: Mandiant]

As part of the attack, Mandiant says four files were created:

  • /tmp/.tm - A gzip archive containing exfiltrated information about managed FortiGate devices, information about the FortiManager server, and its global database.
  • /fds/data/unreg_devices.txt - Contains the unregistered device's serial number and IP address.
  • /fds/data/subs.dat.tmp - Unknown
  • /fds/data/subs.dat - This file contained the attacker-controlled device's serial number, user ID, company name, and an email address.

In the first observed attack, the email address (obscured on this page by the site's spam-protection script) and the company name "Purity Supreme" were used.
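The following is an added example, not code from the article, Mandiant or Fortinet: a small offline checker that takes the indicators the article lists (the four file paths, the attacker serial number, the source IP and the company name), flags them in a constructed file listing and device-registration records, and also checks a constructed FortiManager configuration dump for the "set fgfm-deny-unknown enable" mitigation. The DeviceRecord shape, the sample serial "FGVMEV-EXAMPLE0001" and the hostname are constructed for the example; the config-dump layout (a "config system global ... end" block) is an assumption about how a FortiManager CLI dump is laid out.

```python
"""Added example (not from the article, Mandiant or Fortinet): offline checks for
the FortiJump (CVE-2024-47575) indicators named in the article and for the
fgfm-deny-unknown mitigation. All sample inputs below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Indicators as listed in the article (from the Mandiant report).
IOC_PATHS = {
    "/tmp/.tm": "gzip archive of exfiltrated FortiGate/FortiManager data",
    "/fds/data/unreg_devices.txt": "unregistered device serial number and IP",
    "/fds/data/subs.dat.tmp": "unknown purpose",
    "/fds/data/subs.dat": "attacker device serial, user ID, company name, email",
}
IOC_SERIALS = {"FMG-VMTM23017412"}
IOC_IPS = {ipaddress.ip_address("45.32.41.202")}  # article defangs it as 45.32.41[.]202
IOC_COMPANIES = {"Purity Supreme"}


@dataclass
class DeviceRecord:
    """One device as seen in the FortiManager device list (constructed shape)."""
    name: str
    serial: str
    src_ip: str
    company: str = ""


def find_path_iocs(paths):
    """Return the subset of observed paths that match the listed artifact paths."""
    return sorted(p for p in paths if p in IOC_PATHS)


def find_device_iocs(records):
    """Return (serial, reasons) for every record matching a listed indicator.
    A device named "localhost" is reported as a weak indicator only alongside
    a stronger match, since that name alone is not conclusive."""
    hits = []
    for r in records:
        reasons = []
        if r.serial in IOC_SERIALS:
            reasons.append("known attacker serial number")
        if ipaddress.ip_address(r.src_ip) in IOC_IPS:
            reasons.append("known attacker source IP")
        if r.company in IOC_COMPANIES:
            reasons.append("known attacker company name")
        if reasons and r.name == "localhost":
            reasons.append("registered under the name 'localhost' (weak indicator)")
        if reasons:
            hits.append((r.serial, reasons))
    return hits


def fgfm_deny_unknown_enabled(config_text):
    """True if 'set fgfm-deny-unknown enable' appears inside 'config system global'.
    The block layout (config ... end) is an assumption about the CLI dump format."""
    block = re.search(r"config system global\n(.*?)\nend", config_text, re.S)
    if not block:
        return False
    return re.search(r"^\s*set fgfm-deny-unknown enable\s*$", block.group(1), re.M) is not None


# Constructed sample inputs: a partial file listing, two device records and two configs.
SAMPLE_PATHS = ["/var/log/messages", "/tmp/.tm", "/fds/data/unreg_devices.txt", "/fds/data/subs.dat"]
SAMPLE_RECORDS = [
    DeviceRecord(name="FGT-branch01", serial="FGVMEV-EXAMPLE0001", src_ip="10.0.0.5"),
    DeviceRecord(name="localhost", serial="FMG-VMTM23017412", src_ip="45.32.41.202", company="Purity Supreme"),
]
CONFIG_WEAK = "config system global\n    set hostname fmg-example\nend\n"
CONFIG_HARDENED = "config system global\n    set hostname fmg-example\n    set fgfm-deny-unknown enable\nend\n"


if __name__ == "__main__":
    print("artifact paths present:", find_path_iocs(SAMPLE_PATHS))
    for serial, reasons in find_device_iocs(SAMPLE_RECORDS):
        print(f"device {serial}: {'; '.join(reasons)}")
    print("weak config mitigated:", fgfm_deny_unknown_enabled(CONFIG_WEAK))
    print("hardened config mitigated:", fgfm_deny_unknown_enabled(CONFIG_HARDENED))
```

The path and serial matches are exact-string checks, so they only catch the specific artifacts and device the article names; the configuration check is the one that tells you whether the registration-level mitigation is actually in place on a given dump.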

Mandiant says they analyzed the memory of a compromised device but found no signs of malicious payloads or tampering with system files.

While the attackers did exfiltrate data from devices, Mandiant says there have been no signs that UNC5820 utilized this sensitive information to spread laterally to the managed FortiGate devices or breach networks.

At this point, the stolen data may not be as valuable to the attackers, as Mandiant and Fortinet notified customers of the attacks. Hopefully, the customers modified their credentials and took other precautions.

As there was no follow-up activity after the initial attacks, Mandiant has not been able to determine the threat actor's goal and where they may be located.

"As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog's attribution assessment," explained Mandiant.

Fortinet shared additional information in its CVE-2024-47575 (FG-IR-24-423) advisory, including mitigation and recovery methods. The advisory also includes additional IOCs, including other IP addresses used by the attackers and log entries for detecting a compromised FortiManager server.
