Mandiant has released details about the exploitation of a zero-day vulnerability in FortiManager (CVE-2024-47575), which they first observed being exploited in June 2024. This vulnerability allows attackers to execute arbitrary code on affected devices.

What I found particularly interesting is how the threat cluster, tracked as UNC5820, staged and exfiltrated configuration data from the FortiGate devices managed by the exploited FortiManager. This detail highlights how crucial it is to protect the management infrastructure of security products, such as FortiManager, since compromising it can have cascading effects on the entire network.

Fortunately, Mandiant did not find evidence that UNC5820 leveraged the stolen configuration data to move laterally within the victims' environments. However, the fact that they made an effort to steal this information suggests that they likely planned to further exploit the compromised access.

This incident served as a good reminder of how important it is to remain vigilant about network security. Keeping systems updated with security patches, monitoring for suspicious activities, and implementing the principle of least privilege can significantly reduce the risk of falling victim to such attacks.