Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

November 16, 2024 at 02:24AM

A threat actor named BrazenBamboo has exploited a zero-day vulnerability in Fortinet’s FortiClient for Windows to extract VPN credentials using a tool called DEEPDATA. Discovered by Volexity, the malware is used for cyber espionage and is part of a broader framework that targets various communication platforms and includes data exfiltration capabilities.

### Meeting Takeaways

1. **Threat Identification**:
– The threat actor “BrazenBamboo” has exploited a zero-day vulnerability in Fortinet’s FortiClient for Windows.
– This exploitation allows the extraction of VPN credentials.

2. **Modular Framework – DEEPDATA**:
– DEEPDATA is a modular post-exploitation tool targeting Windows systems, developed by BrazenBamboo.
– It includes a dynamic-link library (DLL) loader (“data.dll”) that decrypts and launches multiple plugins, including one targeting FortiClient for credential extraction.

3. **Zero-Day Exploit**:
– The vulnerability was identified in July 2024, but remains unpatched despite being reported to Fortinet on July 18, 2024.

4. **Associated Tools**:
– **DEEPPOST**: A tool for data exfiltration capable of transferring files to remote endpoints.
– **LightSpy**: A versatile malware variant targeting macOS, iOS, and Windows, aimed at communication platforms with a focus on stealth.

5. **Operational Details**:
– The deployment of LightSpy on Windows uses an installer to execute shellcode that downloads orchestrator components.
– The orchestrator uses WebSocket and HTTPS protocols for communication and data exfiltration.

6. **Integration of Malware Families**:
– There are indications that DEEPDATA and LightSpy share code and infrastructure, suggesting that both are products of a private development team that supplies governmental operators.

7. **Attribution and Activity**:
– The threat actor is linked to the known Chinese group APT41, and there is speculation about broader links to other Chinese threat groups.
– BrazenBamboo is characterized as a well-resourced entity with extensive operational capabilities and development functions.

8. **Research and Follow-Up**:
– Volexity conducted the investigation and disclosed findings, underscoring the seriousness of the threat.
– Ongoing updates may be provided as further information is acquired from Fortinet and other sources.

### Action Items
– Monitor for updates on the Fortinet vulnerability patch.
– Stay informed on developments regarding BrazenBamboo and their malware capabilities.
– Consider enhancing security measures for VPN and communication platforms potentially impacted by these threats.