FortiJump: The FortiManager Zero-Day Vulnerability Explained

What happened

On October 23rd, 2024, a zero-day vulnerability in Fortinet’s FortiManager, dubbed "FortiJump," was disclosed as being exploited in the wild. Assigned CVE-2024-47575, the vulnerability allows attackers to execute code remotely on FortiManager devices without authentication.

Why it matters

The root cause lies in the fgfmd daemon, a crucial component of the FortiGate to FortiManager (FGFM) protocol, responsible for communication between FortiGate firewalls and the centralized FortiManager. Exploiting this flaw enables attackers to exfiltrate sensitive configuration data from managed FortiGate devices, including IP addresses, hashed passwords, and detailed network settings. This stolen information could be used to compromise the FortiGate firewalls directly, alter configurations, and pivot to other systems within the network.

Who’s involved

Security researchers at Google/Mandiant investigated the exploitation with Fortinet, identifying a new threat cluster, UNC5820, as the perpetrator. Their analysis revealed that UNC5820 exploited this vulnerability as early as June 2024. Although Fortinet released an advisory and patches for affected versions, concerns remain about the delayed public disclosure and the availability of patches for all vulnerable versions.

Todyl’s response

Upon disclosure on October 23rd, Todyl deployed proactive measures to detect and respond to the FortiJump vulnerability:

  • New detections: We developed and released specific detections to identify exploit attempts targeting FortiManager devices, leveraging insights from the referenced research and known indicators of compromise (IoCs). These detections have been integrated into our security monitoring systems.
  • Targeted threat hunts: We have initiated threat hunting operations across our network and customer environments to search for any evidence of compromise related to FortiJump. These hunts involved analyzing network traffic, logs, and system configurations for suspicious patterns and IoCs. While we uncovered evidence of attempted compromise related to this CVE, we observed no successful attempts.

Söze similarities

We leveraged our active research on the Söze Syndicate threat group to analyze the TTPs associated with this new vulnerability. Some IoCs listed in Fortinet's report matched those discovered in Todyl's investigation of the Söze Syndicate. As a part of our efforts, we have identified many additional IoCs related to this campaign. Todyl is continually monitoring and collaborating with our partners to further identify additional indicators that may be useful in this or other investigations.

These findings helped Todyl deliver:

  • Faster detection and response: We rapidly identified and reacted to potential threats related to FortiJump thanks to our prior awareness of the malicious infrastructure. This expedited response significantly minimized potential damage.
  • Improved threat intelligence: This incident provided valuable data that enhanced our understanding of UNC5820, showing how its TTPs differ from those observed from Söze. By analyzing the connections between these seemingly separate actors, we can refine our defenses against future attacks.

What to do / Countermeasures

Organizations using FortiManager should take immediate steps to mitigate their risk as recommended by Fortinet:

Immediate actions

  • Upgrade: Implement the latest patched version of FortiManager as soon as possible.
  • Limit access: Restrict access to the FortiManager admin portal to authorized internal IP addresses only.
  • Whitelist FortiGates: Configure local-in policies to permit only known and trusted FortiGate devices to communicate with FortiManager on port 541.
  • Deny unknown devices: Enable the fgfm-deny-unknown setting to prevent registration of unknown FortiGate devices. This setting is available in FortiManager versions 7.0.12 or above, 7.2.5 or above, and 7.4.3 or above (excluding 7.6.0).

Additional recommendations

  • Use a custom certificate: Consider implementing a custom certificate for FGFM communication to enhance security. Install this certificate on authorized FortiGate devices to prevent unauthorized connections.
  • Monitor logs: Actively monitor FortiManager logs for suspicious activities, particularly events related to device registration and modifications.
  • Change credentials: Change all credentials, including passwords and user-sensitive data, on managed FortiGate devices to mitigate the risk of compromise.
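The "Whitelist FortiGates" and "Deny unknown devices" steps above both reduce to one rule: only devices you already know about may register with FortiManager. The "Monitor logs" step is the detective control for the same rule. The script below is an added example (not Todyl's or Fortinet's code) that applies that rule offline to device-registration and configuration-change events. It assumes a simplified key=value event format loosely modelled on Fortinet syslog output; the field names (devsn, srcip, subtype, action), the sample log lines, and the device inventory are all constructed for illustration and must be mapped to your own FortiManager log fields before use.

```python
"""Allow-list check for FortiManager device-registration events.

Added example, not code from Todyl or Fortinet. The event format, field
names and sample lines below are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real FortiManager output). Field names are assumed.
SAMPLE_LOGS = [
    'date=2024-10-24 time=08:01:12 type=event subtype=fgfm action=register devsn=FGT60FTK00000001 srcip=10.0.5.10 status=success',
    'date=2024-10-24 time=08:03:40 type=event subtype=fgfm action=register devsn=FGVM00UNKNOWN0042 srcip=203.0.113.77 status=success',
    'date=2024-10-24 time=08:04:02 type=event subtype=config action=modify devsn=FGVM00UNKNOWN0042 srcip=203.0.113.77 user=admin',
    'date=2024-10-24 time=08:10:55 type=event subtype=fgfm action=register devsn=FGT60FTK00000002 srcip=10.0.5.11 status=success',
    'date=2024-10-24 time=08:12:19 type=event subtype=fgfm action=register devsn=FGT60FTK00000002 srcip=198.51.100.9 status=success',
]

# Constructed inventory of known-good FortiGates: serial number -> expected management IP.
# This is the same allow-list you would express in a local-in policy on port 541.
KNOWN_FORTIGATES = {
    "FGT60FTK00000001": "10.0.5.10",
    "FGT60FTK00000002": "10.0.5.11",
}

# key=value pairs; values may be quoted strings containing spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict (quotes stripped from values)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Finding:
    reason: str
    devsn: str
    srcip: str
    line: str


def check_events(lines, known):
    """Flag registration and config events that violate the device allow-list.

    Three conditions are reported:
      1. a registration from a serial not in the inventory (what fgfm-deny-unknown
         would block at the source);
      2. a known serial registering from an IP other than its expected one
         (what a local-in policy allow-list would block);
      3. a configuration change attributed to an unknown device.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        sn, ip = ev.get("devsn", ""), ev.get("srcip", "")
        subtype, action = ev.get("subtype"), ev.get("action")
        if subtype == "fgfm" and action == "register":
            if sn not in known:
                findings.append(Finding("registration from unknown device serial", sn, ip, line))
            elif known[sn] != ip:
                findings.append(Finding("known serial registering from unexpected IP", sn, ip, line))
        elif subtype == "config" and action == "modify" and sn not in known:
            findings.append(Finding("configuration change attributed to unknown device", sn, ip, line))
    return findings


if __name__ == "__main__":
    for f in check_events(SAMPLE_LOGS, KNOWN_FORTIGATES):
        print(f"[ALERT] {f.reason}: devsn={f.devsn} srcip={f.srcip}")
```

Run against the constructed sample, the script raises three alerts: the unknown serial registering from 203.0.113.77, the configuration change attributed to that same unknown device, and a known FortiGate registering from an IP that does not match the inventory. The inventory-driven check is deliberately strict: a registration that the allow-list would have denied is exactly the event worth a ticket, whether or not fgfm-deny-unknown is already enabled on the appliance.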

Wrap-up

While immediate steps have been taken to address FortiJump, ongoing vigilance is paramount. We remain committed to:

  • Continuous monitoring for new developments and emerging threats targeting FortiManager and FortiGate devices, including tracking new attack techniques, IoCs, and threat actor activity.
  • Collaboration with law enforcement and ISPs to share threat intelligence and identify other suspicious activities to disrupt malicious infrastructure and prevent further exploitation.
  • Ongoing enhancement of our and our partners’ security posture, implementing robust controls, conducting vulnerability assessments, and fostering a security-aware culture.

We urge all organizations to patch vulnerable systems, implement the recommended mitigations, and maintain heightened awareness to protect against this and future threats.
