November 1, 2024

Security Detection Update – 2024-10-31

Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

Introduction and Overview

In the dim-lit depths of cyber night,
FortiManager stirs—a familiar fright,
A ghostly flaw in the fgfmsd,
Where authentication's not as it should be.

For years, it lurked in silent code,
Yet once more it’s on the road,
A CVE with numbers dire,
2024-47575, sparking hacker fire.

"Beware the Fortinet ghost!" we jest,
For vulnerabilities haunt their best,
They pop up here, they pop up there,
Forti's vault of flaws laid bare.

But don’t just quake in terror's thrall,
We've got a blog for you and all.
Read up on the ghastly scene,
And stay secure this Halloween!

New/Modified Detections

This update introduces:

Azure: Entra ID Restricted Management Administrative Unit Created

When a new Restricted Management Administrative Unit has been created in your environment. While Administrative Units can be created legitimately by administrators, threat actors could leverage Restricted Management Administrative Units to help set up backdoor access to an Entra directory.

Status: Enabled
Log type requirement: Azure Directory Audit
For more information, see Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence

FortiGate: FortiManager CVE-2024-47575 Missing authentication in fgfmsd

This CVE has been assigned a CVSSv3 score of 9.8 (Critical) as it can allow a remote unauthenticated attacker the ability to execute arbitrary code or commands via specially crafted requests.

The log entry IOCs being monitored for are
msg="Unregistered device localhost add succeeded"
changes="Edited device settings (SN FMG-VMTM23017412)

Status: Enabled
Log type requirement: Fortigate Event
For more information, see FortiManager: Unauthenticated Remote Access Vulnerability - CVE-2024-47575

Google Cloud Platform: Potential Cross Project Image Exfiltration

A compute image has been copied into a destination project from a different source project within your Google Cloud Platform tenant. These events can be cause by legitimate activity. It is possible that this could be the first in a chain of events that can allow a sensitive compute image to be exfiltrated outside of your Google Cloud Platform tenant. This initial step could be an attempt to avoid suspicion by copying the image to a more permissive or less observed project before performing a copy to an external storage solution or cloud-based bucket.

Status: Enabled
Log type requirement: GCP Cloud Audit
For more information, see Google Cloud Platform Exfiltration: A Threat Hunting Guide

IDE Content

FortiManager: Unauthenticated Remote Access Vulnerability - CVE-2024-47575

Tag(s): Product Updates , Blog , Product Release Notes , Detection Update

Amanda Berlin

Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...