Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Introduction and Overview
In the dim-lit depths of cyber night, FortiManager stirs—a familiar fright, A ghostly flaw in the fgfmsd, Where authentication's not as it should be.
For years, it lurked in silent code, Yet once more it’s on the road, A CVE with numbers dire, 2024-47575, sparking hacker fire.
"Beware the Fortinet ghost!" we jest, For vulnerabilities haunt their best, They pop up here, they pop up there, Forti's vault of flaws laid bare.
But don’t just quake in terror's thrall, We've got a blog for you and all. Read up on the ghastly scene, And stay secure this Halloween!
New/Modified Detections
This update introduces:
Azure: Entra ID Restricted Management Administrative Unit Created
When a new Restricted Management Administrative Unit has been created in your environment. While Administrative Units can be created legitimately by administrators, threat actors could leverage Restricted Management Administrative Units to help set up backdoor access to an Entra directory.
FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd
This CVE has been assigned a CVSSv3 score of 9.8 (Critical) as it can allow a remote unauthenticated attacker the ability to execute arbitrary code or commands via specially crafted requests.
The log entry IOCs being monitored for are msg="Unregistered device localhost add succeeded" changes="Edited device settings (SN FMG-VMTM23017412)
Google Cloud Platform: Potential Cross Project Image Exfiltration
A compute image has been copied into a destination project from a different source project within your Google Cloud Platform tenant. These events can be cause by legitimate activity. It is possible that this could be the first in a chain of events that can allow a sensitive compute image to be exfiltrated outside of your Google Cloud Platform tenant. This initial step could be an attempt to avoid suspicion by copying the image to a more permissive or less observed project before performing a copy to an external storage solution or cloud-based bucket.
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
