November 18, 2024 at 05:48PM
The Chinese threat actor tracked as “BrazenBamboo” is exploiting a zero-day vulnerability in Fortinet’s FortiClient Windows VPN client, using a post-exploitation tool called ‘DeepData’ to pull user credentials out of the client’s process memory. Volexity discovered the flaw in July 2024 and reported it to Fortinet, but it has not been patched, leaving corporate networks exposed. VPN access should be restricted until Fortinet releases a fix.
### Meeting Takeaways
1. **Zero-Day Vulnerability**: Chinese threat actors are exploiting a zero-day vulnerability in Fortinet’s FortiClient Windows VPN client using a custom toolkit named ‘DeepData’ to steal user credentials.
2. **Credential Theft Process**: The flaw is that FortiClient leaves the credentials a user supplied to authenticate in process memory after the VPN session is established. An attacker who already has code execution on the endpoint can read that memory and recover them; DeepData automates this. The extracted data includes the username, password, and VPN gateway (server) details, which is enough to log in to the corporate VPN as that user.
3. **Discovery Timeline**: Volexity researchers identified the vulnerability in mid-July 2024 and reported it to Fortinet. Fortinet acknowledged the issue shortly after, but as of the latest report, no fix has been released and no CVE has been assigned.
4. **Threat Actor Profile**: The Chinese hacking group known as “BrazenBamboo” is responsible for these attacks, utilizing advanced malware families for surveillance operations across various platforms.
5. **Malware Utilization**: The campaign uses several malware families: LightSpy (multi-platform spyware for data collection and credential theft), DeepPost (used to exfiltrate files from compromised devices), and DeepData, a modular post-exploitation tool whose plugins target specific applications, including one written for FortiClient.
6. **Mechanism of DeepData**: The latest DeepData version ships a FortiClient plugin that locates the JSON objects holding the credentials in the FortiClient process memory, decrypts them, and sends the recovered credentials to attacker-controlled infrastructure.
7. **Historical Context**: A similar credential-in-memory issue in FortiClient was reported in 2016 and likewise never received a CVE. The 2024 issue is distinct: it stems from FortiClient failing to clear sensitive data from memory once authentication has completed.
8. **Recommendations**: Until Fortinet addresses the vulnerability, Volexity advises restricting VPN access and monitoring for unusual login activity, such as VPN logins for a user from sources or at times that do not match their normal pattern, which would indicate the stolen credentials are being replayed.
9. **Response Pending**: BleepingComputer has reached out to Fortinet for a comment on the vulnerability and potential upcoming security updates, but a response is still awaited.
10. **Related Security Issues**: Various recent cybersecurity incidents have been noted, including telecom breaches and credential theft via malicious packages and hijacked login pages.
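The bug class behind items 2, 6 and 7 (a client that keeps plaintext credentials in a long-lived object after authentication, and a scraper that finds them by pattern-matching process memory) is shown below as an added illustration. This is not FortiClient code and not the DeepData plugin; the `vpn_session_t` layout, the field names, the JSON shape and the `"password":"` search key are assumptions made for the example. The vulnerable and hardened variants differ only in whether the secret fields are wiped after the handshake.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed session object for the example (assumed layout, not FortiClient's). */
#define CRED_MAX 128

typedef struct {
    char gateway[CRED_MAX];
    char username[CRED_MAX];
    char password[CRED_MAX];
    char auth_blob[3 * CRED_MAX]; /* JSON serialised for the auth exchange */
    int  connected;
} vpn_session_t;

/* A plain memset() on a buffer that is never read again may be dropped as a
 * dead store by the optimiser; writing through a volatile pointer forces the
 * zeroing to actually happen. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static void build_auth_json(vpn_session_t *s) {
    snprintf(s->auth_blob, sizeof s->auth_blob,
             "{\"gateway\":\"%s\",\"user\":\"%s\",\"password\":\"%s\"}",
             s->gateway, s->username, s->password);
}

/* Vulnerable variant: authenticates and leaves every secret in memory. */
int connect_vulnerable(vpn_session_t *s, const char *gw, const char *user, const char *pw) {
    snprintf(s->gateway,  sizeof s->gateway,  "%s", gw);
    snprintf(s->username, sizeof s->username, "%s", user);
    snprintf(s->password, sizeof s->password, "%s", pw);
    build_auth_json(s);
    /* ... auth_blob would be sent to the gateway here ... */
    s->connected = 1;
    return 0;
}

/* Hardened variant: wipe the secret and its serialised copy as soon as the
 * handshake is done; only non-secret state (gateway, user, flag) survives. */
int connect_hardened(vpn_session_t *s, const char *gw, const char *user, const char *pw) {
    int rc = connect_vulnerable(s, gw, user, pw);
    secure_zero(s->password,  sizeof s->password);
    secure_zero(s->auth_blob, sizeof s->auth_blob);
    return rc;
}

/* Stand-in for a memory scraper: search a region for the JSON password key
 * and copy out the value that follows it. Returns 1 if a password was found. */
int scrape_password(const void *region, size_t len, char *out, size_t outlen) {
    static const char key[] = "\"password\":\"";
    const size_t klen = sizeof key - 1;
    const char *p = (const char *)region;
    for (size_t i = 0; i + klen <= len; i++) {
        if (memcmp(p + i, key, klen) == 0) {
            size_t j = 0;
            for (size_t k = i + klen; k < len && p[k] != '"' && j + 1 < outlen; k++)
                out[j++] = p[k];
            out[j] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Helpers that run one connect and report whether the scraper recovers the
 * password from the session object; the constructed credentials are test data. */
int vulnerable_session_leaks(void) {
    vpn_session_t s; char found[CRED_MAX];
    memset(&s, 0, sizeof s);
    connect_vulnerable(&s, "vpn.example.test", "alice", "Hunter2!");
    return scrape_password(&s, sizeof s, found, sizeof found) && strcmp(found, "Hunter2!") == 0;
}

int hardened_session_leaks(void) {
    vpn_session_t s; char found[CRED_MAX];
    memset(&s, 0, sizeof s);
    connect_hardened(&s, "vpn.example.test", "alice", "Hunter2!");
    return scrape_password(&s, sizeof s, found, sizeof found);
}

int main(void) {
    printf("vulnerable session leaks password: %s\n", vulnerable_session_leaks() ? "yes" : "no");
    printf("hardened session leaks password:   %s\n", hardened_session_leaks()   ? "yes" : "no");
    return 0;
}
```

Two points carry over to real clients: the wipe has to cover every copy of the secret (here the serialised JSON as well as the field), and it must survive optimisation, which is why `secure_zero` writes through a `volatile` pointer rather than calling `memset` directly. A scraper running as the same user needs no exploit at all; it only needs read access to the target process, which is why the page's mitigation is to limit who can reach the VPN rather than something the endpoint can enforce.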
### Action Items
– Monitor for updates from Fortinet regarding the zero-day vulnerability.
– Implement restrictions on VPN access as a precautionary measure.
– Stay vigilant for unusual login activities that may indicate compromised VPN credentials.