Attackers Exploit Unauthenticated Access to Steal Data
Threat actors were able to take advantage of the vulnerability by using attacker-controlled FortiManager and FortiGate devices with valid certificates. Once connected to an exposed FortiManager server, they could execute API commands and steal sensitive configuration data from the managed devices.
Fortinet has since issued patches and recommended mitigation methods, such as restricting connections to specific IP addresses and enabling the fgfm-deny-unknown setting to prevent unregistered devices from connecting.
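As an added illustration, not taken from the article or from Fortinet's advisory text, here is the FortiManager CLI configuration that implements the two mitigations above, with the permissive default shown beside the hardened form; the 203.0.113.0/24 range is a placeholder for your managed devices' addresses, and TCP/541 is the FGFM protocol port. The local-in-policy syntax is written from memory of the FortiManager CLI and should be checked against the CLI reference for your release.

```text
# Weak (default) state: the FGFM service on TCP/541 accepts registration
# attempts from any device that presents a valid Fortinet certificate,
# including devices FortiManager has never seen before.
config system global
    set fgfm-deny-unknown disable
end

# Hardened state, part 1: refuse devices whose serial number is not
# already registered in FortiManager.
config system global
    set fgfm-deny-unknown enable
end

# Hardened state, part 2: allow FGFM (TCP/541) only from the address range
# of the FortiGate devices you actually manage and drop everything else.
# 203.0.113.0/24 is a placeholder; substitute your real management range.
config system local-in-policy
    edit 1
        set action accept
        set dport 541
        set src 203.0.113.0/24
    next
    edit 2
        set action drop
        set dport 541
        set src 0.0.0.0/0
    next
end
```

Because the vulnerability allowed an unregistered device to act before any administrator approved it, the deny-unknown setting addresses the root cause while the local-in-policy limits exposure if the setting is unavailable on an older release.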
Exploited by UNC5820 Threat Actor Since June 2024
Mandiant reports that a threat actor tracked as UNC5820 has been exploiting FortiManager systems since as early as June 27, 2024. The attackers exfiltrated configuration data from FortiGate devices managed by FortiManager, including user credentials and FortiOS256-hashed passwords.
This stolen data could allow the attackers to further compromise the FortiManager, infiltrate the connected FortiGate devices, and potentially expand their reach within enterprise environments.
Mandiant Uncovers Attack Chain and Exploited Devices
The first attack was observed coming from IP address 45.32.41[.]202, where the attackers registered an unauthorized FortiManager-VM to an exposed FortiManager server. The malicious device was listed as “localhost” and used a fake serial number to blend in. Mandiant discovered that the attackers created multiple files during the breach, including gzip archives of exfiltrated data and information about unregistered devices.
Figure: Attacker-controlled FortiManager-VM registered to the exposed FortiManager server. Source: Mandiant
However, Mandiant’s investigation revealed no malicious payloads or signs of further tampering with the system files. The attackers have so far only been observed stealing configuration data.