Fortinet Updates Guidance and Indicators of Compromise following FortiManager Vulnerability Exploitation

    Date: 10/31/2024

    Severity: High

    Summary

    Fortinet's PSIRT advisory FG-IR-24-423 and CISA's 30 October 2024 alert (both linked below) address a critical vulnerability in the FortiManager fgfmd daemon, the service that speaks the FortiGate-to-FortiManager (FGFM) protocol to managed devices, classified as a missing-authentication flaw (CWE-306). A remote, unauthenticated attacker can exploit it with specially crafted requests to execute arbitrary code or commands on the FortiManager. Fortinet has updated its guidance and published indicators of compromise (IOCs) so that organizations can determine whether they were affected; the list below carries them over: attacker IP addresses, serial numbers that appear in the device-manager log entries, staging file paths on the FortiManager appliance, and the FortiManager event-log entries written when an unregistered device named localhost is added or modified. The remediation is to upgrade to a fixed FortiManager release per the advisory, but because the vulnerability was exploited before the advisory was published, systems should be checked against these IOCs even after patching.

    Indicators of Compromise (IOC) List

    IP Address

    45.32.41.202

    104.238.141.143

    158.247.199.37

    45.32.63.2

    80.66.196.199

    195.85.114.78 

    172.232.167.68

    Filenames

    /tmp/.tm

    /var/tmp/.tm

    Serial Number

    FMG-VMTM23017412

    FMG-VMTM19008093

    Log entries

    type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"

     

    type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("45.32.41.202","104.238.141.143","158.247.199.37","45.32.63.2","80.66.196.199","195.85.114.78","172.232.167.68") or ipaddress IN ("45.32.41.202","104.238.141.143","158.247.199.37","45.32.63.2","80.66.196.199","195.85.114.78","172.232.167.68") or publicipaddress IN ("45.32.41.202","104.238.141.143","158.247.199.37","45.32.63.2","80.66.196.199","195.85.114.78","172.232.167.68") or srcipaddress IN ("45.32.41.202","104.238.141.143","158.247.199.37","45.32.63.2","80.66.196.199","195.85.114.78","172.232.167.68")

    Detection Query 2

    ResourceName = "Fortinet" AND fwdevid in ("FMG-VMTM23017412","FMG-VMTM19008093")

    Detection Query 3

    technologygroup = "EDR" AND fwdevid in ("FMG-VMTM23017412","FMG-VMTM19008093")

    Detection Query 4

    (resourcename in ("Windows Security") AND eventtype = "4663") AND objectname in ("/tmp/.tm","/var/tmp/.tm")

    Note: event ID 4663 is the Windows Security object-access audit event, while the two paths above are on the FortiManager appliance itself, so this query only fires if file-access telemetry from the appliance is normalized into that event schema. Query 5 and the FortiManager event log are the more likely sources to actually carry these paths.

    Detection Query 5

    (technologygroup = "EDR") AND objectname in ("/tmp/.tm","/var/tmp/.tm")
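    As an added example (not Gurucul's or Fortinet's code), the five queries above and the two log entries, reduced to a stand-alone matcher that can be run over exported FortiManager event-log lines. The key=value parser and the srcip/dstip/ip/remip field names used for the IP check are assumptions about the log schema; the IOC values are the ones listed on this page, with the duplicated IP addresses removed. The sample input is the two log entries quoted above plus three constructed lines covering the IP, path and benign cases.

```python
"""Match the FortiManager IOCs listed on this page against event-log lines.

Added example; not Gurucul's or Fortinet's code. The key=value parser and the
IP field names (srcip/dstip/ip/remip) are assumptions about the log schema.
"""
from __future__ import annotations

import re

# Indicators from the page. The published IP list repeats 104.238.141.143
# and 158.247.199.37; a set removes the duplicates.
IOC_IPS = frozenset({
    "45.32.41.202", "104.238.141.143", "158.247.199.37", "45.32.63.2",
    "80.66.196.199", "195.85.114.78", "172.232.167.68",
})
IOC_SERIALS = frozenset({"FMG-VMTM23017412", "FMG-VMTM19008093"})
IOC_PATHS = frozenset({"/tmp/.tm", "/var/tmp/.tm"})
IOC_MESSAGE = "Unregistered device localhost add succeeded"
IP_FIELDS = ("srcip", "dstip", "ip", "remip")  # assumed field names

# key=value pairs separated by commas or spaces; a value is either bare or
# double-quoted, and quoted values may contain commas and spaces (see the
# desc= field in the log entries above).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')


def parse_fmg_event(line: str) -> dict[str, str]:
    """Parse one FortiManager event-log line into a {field: value} dict."""
    fields: dict[str, str] = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def match_iocs(line: str) -> list[str]:
    """Return the names of the IOC rules a line triggers, empty if none."""
    rec = parse_fmg_event(line)
    values = list(rec.values())
    hits: list[str] = []
    # Query 1: attacker infrastructure in any IP-bearing field.
    if any(rec.get(f) in IOC_IPS for f in IP_FIELDS):
        hits.append("ioc_ip")
    # Queries 2/3: the listed serial numbers anywhere in the record.
    if any(s in v for v in values for s in IOC_SERIALS):
        hits.append("ioc_serial")
    # Queries 4/5: the staging file paths anywhere in the record.
    if any(p in v for v in values for p in IOC_PATHS):
        hits.append("ioc_path")
    # Log entries: device-manager events in which an unregistered device
    # called "localhost" is added, or a device change is performed on it.
    if rec.get("type") == "event" and rec.get("subtype") == "dvm":
        if IOC_MESSAGE in (rec.get("msg"), rec.get("changes")):
            hits.append("rogue_device_add")
        elif (rec.get("operation") in ("Add device", "Modify device")
              and rec.get("performed_on") == "localhost"):
            hits.append("localhost_device_change")
    return hits


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line number, hits) for every line that triggers a rule."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := match_iocs(line))]


# The first two lines are the log entries quoted on this page; the other three
# are constructed samples for the benign, IP and path cases.
SAMPLE_LINES = [
    'type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"',
    'type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"',
    'type=event,subtype=dvm,pri=information,desc="constructed,benign,sample",user="admin",msg="Device FGT-branch-01 add succeeded" device="FGT-branch-01" adom="root" session_id=1234 operation="Add device" performed_on="FGT-branch-01"',
    'type=event,subtype=system,pri=notice,user="System",srcip=45.32.41.202,dstport=541,msg="constructed sample: inbound FGFM connection"',
    'type=event,subtype=system,pri=warning,user="System",msg="constructed sample: file created" path="/var/tmp/.tm"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LINES):
        print(f"line {n}: {', '.join(hits)}")
```

    The serial and path rules search every field value rather than a fixed field, because the page's own evidence shows the serial number embedded inside the free-text changes= value; the IP rule, by contrast, only trusts dedicated address fields so that a stray octet string in a message does not fire it.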

    Reference: 

    https://www.cisa.gov/news-events/alerts/2024/10/30/fortinet-updates-guidance-and-indicators-compromise-following-fortimanager-vulnerability

    https://fortiguard.fortinet.com/psirt/FG-IR-24-423


    Tags

    Malware, CISA, Exploitation
