5 Things To Know On The Fortinet FortiManager Attacks

A suspected nation-state campaign has been targeting FortiManager customers — likely including MSPs — since at least late June, according to security researchers.

The attacks exploiting a critical-severity vulnerability in Fortinet FortiManager are likely targeting MSPs in a nation-state espionage campaign, according to a security researcher.

In a post Tuesday, well-known researcher Kevin Beaumont noted that MSPs are frequently the users of the FortiManager management tool, suggesting that these service providers are likely among the targets of the attacks.

Fortinet publicly disclosed the vulnerability Wednesday, and security researchers, including from Google Cloud-owned Mandiant and Rapid7, have provided further details following the public confirmation by Fortinet.

CRN reached out to Fortinet for comment Thursday.

The vulnerability (tracked at CVE-2024-47575) has received a rating of “critical,” with a severity score of 9.8 out of 10.0. The “missing authentication for critical function vulnerability” can allow an attacker to execute code remotely using “specially crafted requests,” Fortinet said in its advisory.

What follows are five key things to know on the Fortinet FortiManager attacks.

‘Mass Exploitation’ Observed

In a post Wednesday, security researchers at Mandiant said the attacks exploiting the vulnerability can be traced back at least as far as late June. “Mandiant’s earliest observed exploitation attempt occurred on June 27, 2024,” the researchers said in the post.

As of this month, Mandiant has been working with Fortinet “to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries,” the researchers wrote.

Mandiant researchers said that after compromising FortiManager, the attackers have been observed exfiltrating configuration data for FortiGate firewall devices that have been managed using the tool.

The exfiltrated data could then be used “to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment,” Mandiant researchers wrote.

Private Warning Preceded Public Disclosure

Fortinet privately warned customers about the FortiManager vulnerability beginning Oct. 13, according to a BleepingComputer report.

The existence of the flaw subsequently was also mentioned online prior to Fortinet’s advisory Wednesday, including by Beaumont, who dubbed the flaw “FortiJump.”

“I’m not confident that Fortinet’s narrative that they’re protecting customers by not publicly disclosing a vulnerability is protecting customers,” he wrote in a post on Medium, prior to the Fortinet advisory Wednesday. “It doesn’t protect anybody by not being transparent.”

On Wednesday, Fortinet said in a statement that after the vulnerability was identified, the vendor “promptly communicated critical information and resources to customers.”

This approach was “in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors,” the company said in the statement Wednesday.

MSPs Likely Targeted

Threat actors are well known for tactics targeting MSPs as a way to gain access to a service provider’s end customers — frequently by compromising platforms used by MSPs to manage customer devices and environments.

In his Medium post, Beaumont suggested that this has likely been a component of the attacks targeting FortiManager users — given that from the system, “you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations.”

“Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream,” Beaumont wrote.

Suspected Nation-State Campaign

In a post Wednesday, Caitlin Condon, director of vulnerability research and intelligence at Rapid7, noted that Fortinet’s advisory “doesn’t include any information about specific adversaries exploiting the vulnerability.”

However, “Fortinet devices have long been popular targets for state-sponsored threat actors,” Condon wrote.

Mandiant has attributed the attacks to a group tracked as UNC5820, though “at the time of publishing, we lack sufficient data to assess actor motivation or location,” according to the post from Mandiant researchers Wednesday.

Mandiant's "UNC" designation is frequently used to refer to threat actors suspected of having links to nation-state sponsors.

Beaumont said in his post that it appears the FortiManager vulnerability has been “used by nation state [attackers] in espionage via MSPs.”

Fixes Available

Fortinet has released fixes for the vulnerability in affected versions of FortiManager and FortiManager Cloud.

The cybersecurity vendor said in its advisory Wednesday that it’s urging customers to “follow the guidance provided to implement the workarounds and fixes.”

Versions of FortiManager that are impacted by the issue include 6.2, 6.4, 7.0, 7.2, 7.4 and 7.6. The flaw also affects FortiManager Cloud 6.4, 7.0, 7.2 and 7.4, according to Fortinet.