Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Nov. 19, 2024, 3:04 p.m.

Description

A Chinese threat actor tracked as BrazenBamboo is exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The attackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin that extracts usernames, passwords, and VPN server information from the client's process memory. Volexity researchers discovered the flaw in July 2024 and reported it to Fortinet, but it remains unresolved. The vulnerability allows attackers to dump credentials from memory after the user has authenticated. BrazenBamboo is known for deploying advanced malware targeting multiple platforms in surveillance operations. By compromising VPN accounts, the group can gain initial access to corporate networks and expand its espionage campaigns.

Date

  • Created: Nov. 18, 2024, 11:40 p.m.
  • Published: Nov. 18, 2024, 11:40 p.m.
  • Modified: Nov. 19, 2024, 3:04 p.m.

Attack Patterns

  • DeepPost
  • DeepData
  • LightSpy
  • BrazenBamboo
  • T1528
  • T1110
  • T1213
  • T1552
  • T1555
  • T1219
  • T1056
  • T1133
  • T1078
  • T1003

Additional Information

  • China