Mandiant researchers say a new threat group, first observed on June 27, has been exploiting a Fortinet zero-day vulnerability that the networking device maker recently disclosed. The researchers said they lack the data to assess the threat actor’s motivation or location.
So far, it appears the threat actor has not used the stolen Fortinet device configuration data to dig deeper into targets’ networks, the Google-owned threat intelligence firm said Wednesday.
Fortinet said an actively exploited flaw identified as CVE-2024-47575 in its centralized management platform FortiManager allows unauthenticated remote hackers to execute arbitrary code or commands. On-premises and cloud instances are affected. The company said Wednesday it has not received reports of hackers exploiting the flaw to install malware or backdoors. “To our knowledge, there have been no indicators of modified databases, or connections and modifications to managed devices,” a spokesperson said.
The “FortiJump” vulnerability was detected by cybersecurity researcher Kevin Beaumont, who raised the possibility of a new Fortinet zero-day on Oct. 13, and who has repeatedly criticized Fortinet for a lack of transparency.
The flaw, tracked by Fortinet as FG-IR-24-423, is a critical unauthenticated remote code execution vulnerability with a CVSS score of 9.8. Exploitation relies on a setting that allows any device, registered or not, to connect to FortiManager.
Mandiant said the campaign began with the attackers sending messages from an identified IP address. “At approximately the same time, the file system recorded the preparation of several Fortinet configuration files in a Gzipped archive named /tmp/.tm.” Among the archive’s contents was a folder of configuration files for FortiGate devices.
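A defender-side check for the staged archive described above, written as an added example that is not part of the article and not Mandiant’s or Fortinet’s own tooling. It assumes the archive is a gzip-compressed tar and that the contained FortiGate configuration files begin with FortiGate’s `#config-version=` backup header; the sample archive it inspects is constructed inline.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# FortiGate configuration backups begin with this header line (assumption for this example).
FORTIGATE_MARKER = b"#config-version="


def build_sample_archive(directory: str) -> str:
    """Constructed sample: a hidden gzip tar at <directory>/.tm holding one FortiGate config."""
    path = os.path.join(directory, ".tm")
    config = (b"#config-version=FGT60F-7.0.12-FW-build0523-230000:opmode=0:vdom=0\n"
              b"config system global\n    set hostname \"fgt-constructed\"\nend\n")
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo("configs/fgt-constructed.conf")
        info.size = len(config)
        tar.addfile(info, io.BytesIO(config))
    return path


def fortigate_configs_in_archive(path: str) -> list:
    """Return member names inside a gzip tar whose content starts with the FortiGate header."""
    hits = []
    try:
        with tarfile.open(path, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                f = tar.extractfile(member)
                if f and f.read(len(FORTIGATE_MARKER)) == FORTIGATE_MARKER:
                    hits.append(member.name)
    except (tarfile.TarError, OSError):
        return []  # not a readable gzip tar: nothing to report for this file
    return hits


def scan_hidden_archives(directory: str) -> dict:
    """Map each hidden file in directory (e.g. /tmp) to the FortiGate configs it bundles."""
    findings = {}
    for entry in Path(directory).iterdir():
        if entry.name.startswith(".") and entry.is_file():
            hits = fortigate_configs_in_archive(str(entry))
            if hits:
                findings[entry.name] = hits
    return findings


def run_demo() -> dict:
    """Build the constructed sample in a temp dir and return what the scan reports."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_archive(tmp)
        return scan_hidden_archives(tmp)
```

On a real appliance the same scan would be pointed at /tmp, where the archive in the quote was written.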
Google Mandiant detected a second set of similar activities in September, though it did not detect any subsequent malicious activity on the compromised devices.
Mandiant alerted Fortinet about the incidents, and Fortinet published remediation guidance on Wednesday.
National cybersecurity agencies around the world urged companies to protect themselves, including Australia’s Cyber Security Centre and the UK’s National Cyber Security Centre.
Author:
Ramon Antonio Vicente Espinal.