Chinese hackers exploit Fortinet VPN zero-day to steal credentials
Nov. 19, 2024, 3:04 p.m.
Description
Chinese threat actors tracked as BrazenBamboo are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin that extracts usernames, passwords, and VPN server information from the VPN client's process memory. Volexity researchers discovered the flaw in July 2024 and reported it to Fortinet, but it remains unresolved. The vulnerability allows attackers to dump credentials from memory after the user has authenticated. BrazenBamboo is known for deploying advanced malware targeting multiple platforms in surveillance operations. By compromising VPN accounts, the group can gain initial access to corporate networks and expand its espionage campaigns.
Date
Published: Nov. 18, 2024, 11:40 p.m.
Created: Nov. 18, 2024, 11:40 p.m.
Modified: Nov. 19, 2024, 3:04 p.m.
Attack Patterns
DeepPost
DeepData
LightSpy
BrazenBamboo
T1528
T1110
T1213
T1552
T1555
T1219
T1056
T1133
T1078
T1003
Additional Information
China