UNC5820 Exploits FortiManager Flaw, Steals FortiGate Data
Fortinet has disclosed a new vulnerability in FortiManager, dubbed "FortiJump." According to a Mandiant report, it has been exploited as a zero-day since June 2024, and Mandiant identified more than 50 potentially compromised FortiManager servers.
Rumors of a FortiManager vulnerability had circulated online earlier, after Fortinet privately notified its customers. The company has now confirmed the issue: the fgfmd daemon, which implements the FortiGate to FortiManager (FGFM) protocol on TCP port 541, fails to authenticate a critical function, so an unauthenticated remote attacker can send it crafted requests.
Attackers exploited the flaw by registering FortiManager and FortiGate devices they controlled with exposed FortiManager servers, presenting certificates that the vulnerable server accepted. Once the device was connected, even though it had never been authorized by the administrator, the attacker could issue FGFM commands and pull configuration data for every device the server managed.
Fortinet has released patches for the vulnerability, tracked as CVE-2024-47575 (CVSS score: 9.8), and recommends additional hardening for servers that cannot be updated immediately: restrict which source IP addresses may reach the FGFM service (local-in policies), and configure FortiManager to reject devices that are not already in its inventory (`set fgfm-deny-unknown enable` under `config system global`).
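The two paragraphs above describe a bug class (a management server that trusts any device completing the registration handshake) and two mitigations (source-IP allow-listing and rejecting unknown devices). The following added example, which is not Fortinet's code and does not implement the real FGFM protocol, models that logic in Python so the difference between the vulnerable and hardened behaviour can be exercised offline. Certificate signatures are stood in for by an HMAC over the certificate fields, all serial numbers, CA keys, networks and configuration text are constructed placeholders, and `register_vulnerable`, `register_hardened` and `get_config` are hypothetical names.

```python
"""Toy model of unauthenticated device registration on a management
server, beside a hardened variant.  Added illustration; not Fortinet
code and not the FGFM wire protocol.  HMAC stands in for a CA signature
so the example runs without an X.509 library."""

import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DeviceCert:
    serial: str   # serial number the certificate claims
    issuer: str   # issuer name the certificate claims
    sig: bytes    # stand-in for the issuer's signature


def sign_cert(serial: str, issuer: str, signer_key: bytes) -> DeviceCert:
    """Issue a certificate; whoever holds signer_key can forge the issuer name."""
    msg = f"{serial}|{issuer}".encode()
    return DeviceCert(serial, issuer, hmac.new(signer_key, msg, hashlib.sha256).digest())


def cert_chains_to(cert: DeviceCert, ca_key: bytes) -> bool:
    """True only if the certificate was signed with the CA key we trust."""
    msg = f"{cert.serial}|{cert.issuer}".encode()
    return hmac.compare_digest(cert.sig, hmac.new(ca_key, msg, hashlib.sha256).digest())


@dataclass
class Manager:
    trusted_ca_key: bytes
    known_serials: set           # devices an administrator has added (inventory)
    allowed_sources: list        # networks allowed to reach the registration port
    deny_unknown: bool = False   # analogue of rejecting devices not in inventory
    registered: set = field(default_factory=set)
    configs: dict = field(default_factory=dict)   # serial -> managed device config

    def register_vulnerable(self, cert: DeviceCert, src_ip: str) -> bool:
        # Pre-patch behaviour as described in the reporting: completing the
        # handshake is enough; signer and inventory are never consulted.
        self.registered.add(cert.serial)
        return True

    def register_hardened(self, cert: DeviceCert, src_ip: str) -> bool:
        # 1. Source must be an allow-listed network (local-in policy analogue).
        if not any(ip_address(src_ip) in net for net in self.allowed_sources):
            return False
        # 2. Certificate must chain to the trusted CA, not merely look valid.
        if not cert_chains_to(cert, self.trusted_ca_key):
            return False
        # 3. Even a genuinely issued certificate is refused if the serial was
        #    never added by an administrator (deny-unknown).
        if self.deny_unknown and cert.serial not in self.known_serials:
            return False
        self.registered.add(cert.serial)
        return True

    def get_config(self, requester_serial: str, target_serial: str):
        """Registered devices may pull managed-device configs; nobody else can."""
        if requester_serial not in self.registered:
            return None
        return self.configs.get(target_serial)


def demo() -> dict:
    # All values below are constructed for the example.
    trusted_ca = b"constructed-trusted-ca-key"
    attacker_ca = b"constructed-attacker-key"
    victim_cfg = "constructed managed-device config with hashed admin passwords"
    inventory = {"FGT-LEGIT-0001"}
    allowed = [ip_network("10.20.0.0/16")]

    legit = sign_cert("FGT-LEGIT-0001", "Trusted_CA", trusted_ca)
    # Forged: claims the trusted issuer but is signed with the attacker's key.
    forged = sign_cert("FGT-FAKE-0002", "Trusted_CA", attacker_ca)
    # Rogue: genuinely issued to an attacker-owned VM, never added to inventory.
    rogue = sign_cert("FMG-VM-ROGUE-0003", "Trusted_CA", trusted_ca)

    vuln = Manager(trusted_ca, inventory, allowed, deny_unknown=False)
    hard = Manager(trusted_ca, inventory, allowed, deny_unknown=True)
    vuln.configs["FGT-LEGIT-0001"] = victim_cfg
    hard.configs["FGT-LEGIT-0001"] = victim_cfg

    return {
        "vuln_accepts_forged": vuln.register_vulnerable(forged, "203.0.113.7"),
        "vuln_leaks_config": vuln.get_config("FGT-FAKE-0002", "FGT-LEGIT-0001") == victim_cfg,
        "hard_rejects_forged": not hard.register_hardened(forged, "10.20.1.5"),
        "hard_rejects_unknown_serial": not hard.register_hardened(rogue, "10.20.1.5"),
        "hard_rejects_bad_source": not hard.register_hardened(legit, "203.0.113.7"),
        "hard_accepts_legit": hard.register_hardened(legit, "10.20.1.5"),
        "hard_no_leak": hard.get_config("FMG-VM-ROGUE-0003", "FGT-LEGIT-0001") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the `rogue` case is that certificate validation alone does not close this hole: a device with a perfectly good vendor-issued certificate that an administrator never added must still be refused, which is why the deny-unknown setting matters independently of the IP allow-list.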
Since June 2024 the vulnerability has been exploited by the group Mandiant tracks as UNC5820, which compromised FortiManager servers and exfiltrated the configuration data of the FortiGate devices they managed, including user accounts and their FortiOS256-hashed passwords. That data could be used to compromise the FortiManager itself, the managed FortiGates, or other systems in the corporate network.
In the first recorded attack, the intruders registered an unauthorized FortiManager virtual machine with the victim's server. During the attack several files were created on the server containing details about the FortiManager and its managed devices, along with an archive holding information on the managed FortiGate devices and on the attackers' own device, including its serial number and a contact email address.
Despite the theft, Mandiant has so far found no evidence that the stolen data was used to move further into victim networks or onto FortiGate devices. Its analysts note that the information may already be stale, as affected Fortinet customers have likely rotated credentials and added further controls since the intrusions.
Mandiant's investigation continues; it has not yet determined the attackers' motives or location and will update its findings as new information emerges.