Mitigation and response: In addition to applying the hotfix, organizations should review their available logs for any suspicious API requests and activity. Unfortunately, no indicators of compromise for this malicious activity have been published yet, so watchTowr recommends auditing all recent changes made to endpoint security policies, VPN configuration profiles, application firewall rules, administrator accounts and access controls, and endpoint compliance configurations. “If compromise is suspected, do not attempt to clean the affected instance in place,” the researchers said. “Restore from a known-good backup taken before the likely compromise window, or rebuild the EMS instance and migrate the data to it. Where integrity cannot be confidently verified, a full rebuild is the most defensible approach.”
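The change audit watchTowr recommends is easiest to do against exported configuration snapshots: compare a known-good export from before the suspected window with the current state and list every added, removed or modified object in the sections named above, flagging administrator accounts created inside the window separately. The script below is an added example, not code from the article, watchTowr or Fortinet; the JSON layout, section names and timestamp field are constructed assumptions standing in for whatever export format the product actually provides.

```python
"""Audit two configuration snapshots for changes in security-relevant sections.

Added example. The snapshot layout is a constructed, hypothetical JSON
structure (not a FortiClient EMS export format) used only to show the kind
of change review recommended after the incident.
"""
import json
from datetime import datetime, timezone

# Sections the advisory recommends auditing (names here are assumed).
AUDITED_SECTIONS = (
    "endpoint_security_policies",
    "vpn_profiles",
    "application_firewall_rules",
    "administrators",
    "endpoint_compliance",
)

# Constructed "known-good" snapshot taken before the suspected window.
BASELINE_JSON = """{
  "endpoint_security_policies": {"default": {"realtime_protection": true, "exclusions": []}},
  "vpn_profiles": {"corp-ssl": {"gateway": "vpn.example.com", "split_tunnel": false}},
  "application_firewall_rules": {"block-p2p": {"action": "block"}},
  "administrators": {"admin": {"role": "super", "created": "2025-01-10T09:00:00Z"}},
  "endpoint_compliance": {"disk_encryption": {"required": true}}
}"""

# Constructed current snapshot with several suspicious edits.
CURRENT_JSON = """{
  "endpoint_security_policies": {"default": {"realtime_protection": true, "exclusions": ["%TEMP%"]}},
  "vpn_profiles": {"corp-ssl": {"gateway": "vpn.example.com", "split_tunnel": true}},
  "application_firewall_rules": {},
  "administrators": {
    "admin": {"role": "super", "created": "2025-01-10T09:00:00Z"},
    "svc-backup": {"role": "super", "created": "2025-12-03T02:14:00Z"}
  },
  "endpoint_compliance": {"disk_encryption": {"required": true}}
}"""


def parse_ts(text):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def diff_section(baseline, current):
    """Return (added, removed, modified) object names for one dict-shaped section."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return added, removed, modified


def audit_snapshots(baseline_text, current_text, window_start):
    """Compare two snapshots and return a list of (section, kind, name) findings.

    kind is 'added', 'removed' or 'modified', plus 'created_in_window' for
    administrator accounts whose creation time falls at or after window_start.
    """
    baseline = json.loads(baseline_text)
    current = json.loads(current_text)
    findings = []
    for section in AUDITED_SECTIONS:
        added, removed, modified = diff_section(
            baseline.get(section, {}), current.get(section, {})
        )
        findings += [(section, "added", k) for k in added]
        findings += [(section, "removed", k) for k in removed]
        findings += [(section, "modified", k) for k in modified]
    # Any administrator created during the suspected window is worth its own flag,
    # even if the baseline happened to be taken after it was created.
    for name, account in current.get("administrators", {}).items():
        created = account.get("created")
        if created and parse_ts(created) >= window_start:
            findings.append(("administrators", "created_in_window", name))
    return findings


if __name__ == "__main__":
    window = parse_ts("2025-12-01T00:00:00Z")  # assumed start of the compromise window
    for section, kind, name in audit_snapshots(BASELINE_JSON, CURRENT_JSON, window):
        print(f"{section}: {kind} {name}")
```

Every finding is a change to review, not proof of compromise; the point of the report is that the whole set (a new super-admin, a removed firewall rule, a loosened VPN profile, a new AV exclusion) has to be accounted for by legitimate change tickets before the instance can be trusted, and where it cannot be, the article's advice is to rebuild rather than clean in place.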
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4155221/fortinet-releases-emergency-hotfix-for-forticlient-ems-zero-day-flaw.html