Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
In the dim-lit depths of cyber night,
FortiManager stirs—a familiar fright,
A ghostly flaw in the fgfmsd,
Where authentication's not as it should be.
For years, it lurked in silent code,
Yet once more it’s on the road,
A CVE with numbers dire,
2024-47575, sparking hacker fire.
"Beware the Fortinet ghost!" we jest,
For vulnerabilities haunt their best,
They pop up here, they pop up there,
Forti's vault of flaws laid bare.
But don’t just quake in terror's thrall,
We've got a blog for you and all.
Read up on the ghastly scene,
And stay secure this Halloween!
This update introduces:
When a new Restricted Management Administrative Unit has been created in your environment. While Administrative Units can be created legitimately by administrators, threat actors could leverage Restricted Management Administrative Units to help set up backdoor access to an Entra directory.
This CVE has been assigned a CVSSv3 score of 9.8 (Critical) as it can allow a remote unauthenticated attacker the ability to execute arbitrary code or commands via specially crafted requests.
The log entry IOCs being monitored for aremsg="Unregistered device localhost add succeeded"changes="Edited device settings (SN FMG-VMTM23017412)
A compute image has been copied into a destination project from a different source project within your Google Cloud Platform tenant. These events can be cause by legitimate activity. It is possible that this could be the first in a chain of events that can allow a sensitive compute image to be exfiltrated outside of your Google Cloud Platform tenant. This initial step could be an attempt to avoid suspicion by copying the image to a more permissive or less observed project before performing a copy to an external storage solution or cloud-based bucket.