From f74560c80ff46bc349da26ec899b34e9cbc6c972 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Fri, 1 Nov 2024 10:43:27 -0700
Subject: [PATCH] [threat-actors] Add UNC5820

---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e07cb1c..d45caec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -17061,6 +17061,16 @@
       },
       "uuid": "8bd29f1a-ea33-49c2-a783-42cd2a193f83",
       "value": "OverFlame"
+    },
+    {
+      "description": "UNC5820 is a threat actor exploiting the CVE-2024-47575 vulnerability in Fortinet's FortiManager, allowing them to bypass authentication and execute arbitrary commands. They have been observed exfiltrating configuration data, user information, and FortiOS256-hashed passwords from managed FortiGate devices. While the actor has staged and exfiltrated sensitive data, there is currently no evidence of lateral movement or further compromise of additional environments. Mandiant has not determined whether UNC5820 is state-sponsored or identified its geographic location.",
+      "meta": {
+        "refs": [
+          "https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575/"
+        ]
+      },
+      "uuid": "e13e36e7-a75b-42fa-8d51-35f9eeafebfc",
+      "value": "UNC5820"
     }
   ],
   "version": 318