Dive Brief:
Attackers are actively exploiting a critical zero-day vulnerability in FortiManager, Fortinet’s network and security management tool, according to security researchers and federal authorities. The earliest observed exploitation was on June 27, and at least 50 organizations across a variety of industries have been affected so far, Mandiant said in a blog post Wednesday. In a security advisory on Wednesday, Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its catalog of known exploited vulnerabilities. Fortinet did not say how many customers were affected or when it became aware of CVE-2024-47575 and its active exploitation. “The exploits observed so far appear to be automated in nature and are consistent across multiple victims,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in a LinkedIn post on Wednesday. “However, in most large-scale exploitation campaigns, we often observe follow-on activities targeting some victims.”
Dive Insight:
A missing-authentication vulnerability in critical FortiManager functionality could be exploited by a remote, unauthenticated attacker to execute arbitrary code or commands. Fortinet said the attacks included data theft, including IP, credential, and configuration data for the FortiGate devices managed by the exploited FortiManager appliance.
This series of attacks marks the second active exploitation of critical vulnerabilities related to Fortinet products in recent weeks. Earlier this month, federal authorities and security researchers alerted defenders to CVE-2024-23113, a critical format string vulnerability that is being actively exploited in four Fortinet products.
Mandiant began working with Fortinet earlier this month to investigate the scope of the malicious activity, describing the series of attacks as a “mass exploitation” event. The motives and origins of the threat group behind the attacks remain unclear.
Incident response and threat intelligence companies have warned that the stolen data could be used to further compromise FortiManager and enable lateral movement into broader corporate environments.
This exploit and the resulting breaches of corporate networks represent the latest in a wave of attacks targeting vulnerabilities in security equipment from multiple vendors. Financially motivated and nation-state-aligned attackers have extensively exploited vulnerabilities in network edge devices sold by Barracuda, Citrix, Fortinet, Ivanti, Palo Alto Networks, and SonicWall over the past few years.
A company spokesperson said Fortinet immediately contacted customers after identifying the vulnerability. “This is in line with our processes and best practices for responsible disclosure to help our customers strengthen their security posture before advisories are made public to a broader audience, including threat actors,” the spokesperson said.
Fortinet advised customers to apply the software updates that patch the vulnerability and shared indicators of compromise and mitigations. Multiple versions of FortiManager and FortiManager Cloud are affected.
“At this time, we have not received any reports of low-level installations of malware or backdoors on these compromised FortiManager systems,” Fortinet said in its advisory. “To our knowledge, there is no evidence of any changes to the database or any connections to or changes to managed devices.”