Full Report
Researchers identified a zero-day vulnerability, CVE-2024-47575, impacting FortiManager, exploited by the UNC5820 group. This flaw allows unauthorized access, enabling threat actors to exfiltrate critical configuration data. The vulnerability has been actively exploited, with ...
Analysis Summary
# Threat Actor: UNC5820
## Attribution & Identity
* **Identification:** UNC5820 (Unique Name/Internal Code utilized by researchers).
* **Aliases:** Not explicitly listed in the provided context, only the UNC designation.
* **Known Associations:** None specified beyond the exploitation of the FortiManager vulnerability.
## Activity Summary
* **Recent Campaigns:** Actively exploiting the newly identified zero-day vulnerability, CVE-2024-47575, which affects Fortinet FortiManager devices.
* **Timeline:** Initial exploitation observed starting in June 2024.
* **Objective:** Unauthorized access to FortiManager instances for the purpose of stealing sensitive configuration data.
## Tactics, Techniques & Procedures
* **Initial Access:** Exploitation of the zero-day vulnerability CVE-2024-47575 in FortiManager.
* *Technical Detail:* The flaw allows remote attackers to execute arbitrary code or commands via the `fgfmd` daemon.
* **Credential Access:** Exfiltration of user credentials stored within the configuration data.
* *MITRE ATT&CK IDs (Inferred based on actions):* T1059 (Command and Scripting Interpreter), T1530 (Data from Information Repositories).
* **Exfiltration:** Staging data (including IP addresses and device information) in compressed files followed by outbound connections to send the data externally.
## Targeting
* **Sectors:** Organizations utilizing Fortinet FortiManager appliances (implied to be high-value targets managing network security infrastructure).
* **Geography:** Not specified in the context.
* **Victims:** Organizations running vulnerable FortiManager instances. Specific organizations were not named.
## Tools & Infrastructure
* **Malware Families Used:** Not specified in the context.
* **Infrastructure (C2, domains, IPs):** Compromised devices made connections to specific, identified IP addresses for staging/exfiltration purposes. (Specific IPs are omitted here as they were not provided in defanged format in the context, but their existence is noted).
## Implications
The active exploitation of a zero-day in a critical management platform like FortiManager poses a significant risk. Successful exploitation grants UNC5820 deep visibility into the victim's network security posture (via configuration data) and access to credentials, allowing for potential follow-on operations or pivot into the environment managed by FortiGate devices.
## Mitigations
* Apply official mitigations and version updates released by Fortinet to address CVE-2024-47575 immediately.
* Monitor FortiManager logs for indicators such as unauthorized device additions or unusual outbound connections following file creation events.
* Review logs for evidence of command execution via the `fgfmd` daemon.