China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer

November 19, 2024 at 06:11PM

Chinese government-affiliated hackers are exploiting a zero-day vulnerability in Fortinet’s Windows VPN client to steal sensitive information, including credentials. Volexity identified the issue and reported it to Fortinet, which has yet to release a fix. The attackers use a tool called DeepData, capable of extensive data theft.

### Meeting Takeaways

1. **Zero-Day Vulnerability Identified**:
– A zero-day bug in Fortinet’s Windows VPN client is being exploited by Chinese government-linked attackers, specifically a group tracked as “BrazenBamboo.”
– The vulnerability allows for the extraction of credentials and sensitive data.

2. **Timeline of Events**:
– Volexity reported the vulnerability to Fortinet on July 18; the issue was acknowledged by Fortinet on July 24.
– As of November 15, no resolution or CVE number has been assigned to the vulnerability.

3. **Exploitation Details**:
– The attacker group BrazenBamboo has created a post-exploit tool called “DeepData,” with at least 12 unique plugins for various forms of criminal activity.
– The FortiClient plugin enables credential theft from the memory of the FortiClient VPN processes.

4. **Malware Capabilities**:
– DeepData can steal credentials from various applications, record audio, and collect personal data from messaging and email apps.
– Other plugins within DeepData target data from widely used web browsers, collecting cookies, passwords, and browsing history.

5. **Underlying Issue**:
– The vulnerability stems from Fortinet’s failure to clear sensitive data from memory after user authentication, impacting recent versions of the VPN client (including v7.4.0).

6. **Additional Malware Development**:
– BrazenBamboo has also created DeepPost for file theft and is believed to have developed a new version of the LightSpy malware family for Windows.
– The enhancements in LightSpy include capabilities for keystroke logging, audio/video recording, and remote access for the attackers.

7. **Recommendations**:
– Until Fortinet issues a patch, organizations are advised to implement detection rules and block indicators of compromise (IOCs) related to the identified threats.
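The recommendation above is about detection rules rather than a vendor fix, so here is one concrete form such a rule can take, written as an added example (not code from Volexity's report or the article): it scans Sysmon ProcessAccess (Event ID 10) records and flags any process outside an allowlist that opens a FortiClient VPN process with memory-read rights, which is the access DeepData's FortiClient plugin would need. The FortiClient binary names, the allowlist and the log records are constructed assumptions for illustration.

```python
# Assumed FortiClient VPN binary names; adjust to what the deployed client actually runs.
FORTICLIENT_PROCESSES = {"forticlient.exe", "fortisslvpndaemon.exe", "fortitray.exe"}
# Windows process access-right bits that permit reading another process's memory.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF
# Hypothetical allowlist of sources that legitimately open these processes (OS services, EDR agent).
ALLOWLIST = {r"c:\windows\system32\csrss.exe"}

def parse_event(line: str) -> dict:
    """Parse a flattened 'Key: value | Key: value' Sysmon record into a lowercase-keyed dict."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def is_memory_read(granted: int) -> bool:
    """True if the granted access mask allows reading the target's memory."""
    return granted == PROCESS_ALL_ACCESS or bool(granted & PROCESS_VM_READ)

def detect(lines) -> list:
    """Return (source, target, granted) for each Event ID 10 record in which a
    non-allowlisted process opened a FortiClient VPN process with memory-read rights."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("eventid") != "10":
            continue
        source = ev.get("sourceimage", "").lower()
        target = ev.get("targetimage", "").lower()
        if target.rsplit("\\", 1)[-1] not in FORTICLIENT_PROCESSES or source in ALLOWLIST:
            continue
        granted = int(ev.get("grantedaccess", "0"), 16)
        if is_memory_read(granted):
            hits.append((source, target, granted))
    return hits

# Constructed sample records (not real telemetry): only the third line should fire.
SAMPLE_LOG = [
    r"EventID: 1 | Image: C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
    r"EventID: 10 | SourceImage: C:\Windows\System32\taskmgr.exe | TargetImage: C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe | GrantedAccess: 0x1000",
    r"EventID: 10 | SourceImage: C:\Users\alice\AppData\Local\Temp\update.exe | TargetImage: C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe | GrantedAccess: 0x1010",
    r"EventID: 10 | SourceImage: C:\Windows\System32\csrss.exe | TargetImage: C:\Program Files\Fortinet\FortiClient\FortiClient.exe | GrantedAccess: 0x1FFFFF",
    r"EventID: 10 | SourceImage: C:\Users\alice\AppData\Local\Temp\update.exe | TargetImage: C:\Windows\System32\notepad.exe | GrantedAccess: 0x1010",
]

for source, target, granted in detect(SAMPLE_LOG):
    print(f"ALERT: {source} opened {target} with access 0x{granted:X}")
```

In production the allowlist should be built from the host's own baseline (backup agents, EDR, the FortiClient components themselves) so the rule stays quiet until an unexpected reader appears.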

### Action Items
– Monitor for updates from Fortinet regarding a fix.
– Implement detection measures for the identified IOCs to mitigate potential threats.
– Stay informed about developments related to BrazenBamboo and related malware activities.