Mandiant Finds UNC5820 FortiManager For Data Exfiltration
The configuration information of the FortiGate devices controlled by the compromised FortiManager was staged and exfiltrated by UNC5820
Furthermore, as of this point in Google cloud study, there is no proof that UNC5820 used the configuration data it had acquired to migrate laterally and endanger the environment even more
The first known instance of Mandiant being exploited was on June 27, 2024. Several FortiManager devices were connected to the default port TCP/541 on that day via the IP address 45[.]32[.]41[.]202
Mandiant noticed a second attempt at exploitation using the same symptoms on September 23, 2024. Outgoing network traffic happened soon after the archive was created in both exploitation scenarios
Mandiant examined rootfs.gz, the device’s initramfs (RAM disk) that is mounted to /bin. During the period of exploitation activity, did not discover any malicious files that had been produced or altered
Apart from working with Mandiant, Fortinet made aggressive efforts to notify its clients in advance of their advise so that they may improve their security posture before it was widely made public
The threat actor’s unknown Fortinet device showed up in the FortiManager console after they had successfully exploited the FortiManager