Darktrace's Threat Research team has published findings on active exploitation campaigns against Fortinet appliances. The analysis covers the September 2024 exploitation of FortiManager via CVE-2024-47575, together with related malicious activity the team observed earlier, in June 2024.
FortiManager is the central management platform for Fortinet devices within an organization. Managed FortiGate devices register with it and receive configuration from it over a Fortinet protocol known as FortiGate to FortiManager (FGFM), which runs over TLS on TCP port 541. Vulnerabilities in the fgfmd daemon that implements this protocol, such as CVE-2024-23113 (a format string bug in the fgfmd daemon of FortiOS and related products) and CVE-2024-47575 (missing authentication for a critical function in FortiManager's fgfmd), allow an unauthenticated remote attacker to execute arbitrary code or commands on the device.
Darktrace's investigation found a marked increase in suspicious activity involving Fortinet devices in mid-September 2024. The analysis reconstructed a chain of post-exploitation activity on FortiManager devices: initial exploitation, payload retrieval, and data exfiltration.
One of the key indicators of compromise (IoCs) was incoming TLS/SSL connectivity to FortiManager devices on port 541 from external IP addresses. Inbound connections on port 541 are normal when they come from the organization's own FortiGates, so the anomaly is the external source; that pattern, followed by outgoing SSL connections from the FortiManager back to the same external IP address, pointed towards exploitation of CVE-2024-47575. Subsequent retrieval of JavaScript content over HTTP, with requests carrying a curl user agent, indicated the fetching of a malicious payload.
The exfiltration phase consisted of HTTP POST requests to specific external IPs, such as 104.238.141[.]143 and 158.247.199[.]37, uploading a file named ".tm". The curl user agent in these requests indicates a command-line tool rather than a browser, consistent with scripted exfiltration of sensitive configuration data. The gap between initial access and exfiltration suggests a deliberate pause by the threat actors, plausibly to avoid detection.
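To show how the three indicators above combine into a detection, here is an added example (not Darktrace's code or detection logic) that runs rules for each stage over a handful of constructed Zeek-style conn and http records. The FortiManager address 10.0.0.5, the internal ranges, the external address 198.51.100.20 and all timestamps are assumptions made up for the example; only the two exfiltration IPs, the port, the ".tm" filename and the curl user agent come from the report.

```python
import ipaddress
from datetime import datetime, timedelta

FGFM_PORT = 541
FORTIMANAGERS = {"10.0.0.5"}  # assumption: your FortiManager addresses
EXFIL_IPS = {"104.238.141.143", "158.247.199.37"}  # IPs named in the report
INTERNAL_NETS = [ipaddress.ip_network(n)  # assumption: your internal ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (tab separated, Zeek-like). 10.0.0.7 is a
# legitimate FortiGate registering on 541; 198.51.100.20 is the attacker.
CONN_LOG = """\
ts\tsrc\tsport\tdst\tdport\tservice
2024-09-15T09:01:00Z\t198.51.100.20\t51234\t10.0.0.5\t541\tssl
2024-09-15T09:02:10Z\t10.0.0.5\t44010\t198.51.100.20\t443\tssl
2024-09-15T09:05:00Z\t10.0.0.7\t39000\t10.0.0.5\t541\tssl
2024-09-15T12:00:00Z\t10.0.0.5\t44100\t104.238.141.143\t80\thttp
"""
HTTP_LOG = """\
ts\tsrc\tdst\tmethod\turi\tuser_agent\tfilename
2024-09-15T09:03:00Z\t10.0.0.5\t198.51.100.20\tGET\t/a.js\tcurl/7.71.1\t-
2024-09-15T09:30:00Z\t10.0.0.9\t203.0.113.4\tGET\t/index.html\tMozilla/5.0\t-
2024-09-15T12:00:05Z\t10.0.0.5\t104.238.141.143\tPOST\t/\tcurl/7.71.1\t.tm
"""

def parse_log(text):
    """Parse a header-prefixed TSV log into dicts with a datetime 'ts'."""
    lines = [l for l in text.strip().splitlines() if l]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_fgfm_callback(conns, window=timedelta(hours=24)):
    """Stage 1: external source hits a FortiManager on 541, and the FortiManager
    then opens an SSL connection back to that same address within `window`.
    Internal FortiGates connecting on 541 are expected and do not alert."""
    alerts = []
    for inb in conns:
        if not (inb["dst"] in FORTIMANAGERS and int(inb["dport"]) == FGFM_PORT
                and is_external(inb["src"])):
            continue
        for out in conns:
            if (out["src"] == inb["dst"] and out["dst"] == inb["src"]
                    and out["service"] == "ssl"
                    and inb["ts"] <= out["ts"] <= inb["ts"] + window):
                alerts.append({"rule": "fgfm_external_then_callback",
                               "fortimanager": inb["dst"], "external_ip": inb["src"],
                               "inbound_ts": inb["ts"], "outbound_ts": out["ts"]})
                break
    return alerts

def detect_curl_fetch(https):
    """Stage 2: a FortiManager fetches JavaScript over HTTP with a curl user agent."""
    return [{"rule": "curl_js_fetch", "fortimanager": h["src"], "dst": h["dst"],
             "uri": h["uri"], "ts": h["ts"]}
            for h in https
            if h["src"] in FORTIMANAGERS and h["method"] == "GET"
            and h["user_agent"].startswith("curl/") and h["uri"].lower().endswith(".js")]

def detect_exfil_post(https):
    """Stage 3: HTTP POST from a FortiManager with any of the report's exfil traits."""
    alerts = []
    for h in https:
        if h["src"] not in FORTIMANAGERS or h["method"] != "POST":
            continue
        reasons = []
        if h["user_agent"].startswith("curl/"):
            reasons.append("curl user agent")
        if h["filename"] == ".tm":
            reasons.append("filename .tm")
        if h["dst"] in EXFIL_IPS:
            reasons.append("known exfil IP")
        if reasons:
            alerts.append({"rule": "exfil_post", "fortimanager": h["src"],
                           "dst": h["dst"], "ts": h["ts"], "reasons": reasons})
    return alerts

def run_detection(conn_text, http_text):
    conns, https = parse_log(conn_text), parse_log(http_text)
    callbacks = detect_fgfm_callback(conns)
    exfils = detect_exfil_post(https)
    dwell = None  # time from first suspicious inbound 541 hit to first exfil POST
    if callbacks and exfils:
        dwell = min(e["ts"] for e in exfils) - min(c["inbound_ts"] for c in callbacks)
    return {"callbacks": callbacks, "fetches": detect_curl_fetch(https),
            "exfils": exfils, "dwell": dwell}

if __name__ == "__main__":
    result = run_detection(CONN_LOG, HTTP_LOG)
    for key in ("callbacks", "fetches", "exfils"):
        for alert in result[key]:
            print(alert)
    print("initial access to exfiltration:", result["dwell"])
```

The callback rule is the one worth tuning: a 24 hour window is generous, but the report's point is that the stages were spread out in time, so a window of a few minutes would miss the exfiltration leg. Feed it real conn and http logs by replacing the constructed strings.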
Darktrace also detected malicious activity in June 2024 that closely resembled the September behaviour. This activity, possibly also tied to exploitation of CVE-2024-47575, affected Fortinet devices across several sectors and regions. Differences in the observed behaviour, however, suggest either different threat actors or separate campaigns sharing the same infrastructure.
The investigation underscores the value of proactive detection and response. Anomaly-based detection and close monitoring of network traffic will not prevent an unauthenticated exploit from landing, but they can surface the post-exploitation stages (the callback to the attacker's address, the curl payload fetch, the outbound POST) early enough to contain the intrusion before configuration data leaves the network. Detection should sit alongside the basics: apply Fortinet's fixed FortiManager releases, do not expose port 541 to the internet, and, per Fortinet's advisory workaround, enable fgfm-deny-unknown or restrict FGFM access with a local-in policy to known FortiGate addresses. Least privilege and accurate asset management (knowing which devices should be talking to the FortiManager at all) are what make the external-source anomaly visible in the first place.
In conclusion, the post-exploitation activity observed on Fortinet devices is a reminder that management appliances are high-value targets precisely because they hold the configuration of everything they manage. Vigilance, detection that keys on behaviour rather than signatures alone, and disciplined patching and exposure management together give organizations a realistic chance of catching these intrusions before the exfiltration stage.