Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

Nov. 18, 2024, 9:05 p.m.

Description

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a modular post-exploitation tool for Windows, and LIGHTSPY, a multi-platform malware. DEEPDATA includes plugins for stealing credentials, collecting data from chat apps, and recording audio. The threat actor's infrastructure hosts various applications, including an email theft platform and a big data analysis platform for stolen data. Evidence suggests BrazenBamboo may be a private enterprise producing capabilities for governmental operators focused on domestic targets.

Date

  • Created: Nov. 16, 2024, 3:01 p.m.
  • Published: Nov. 16, 2024, 3:01 p.m.
  • Modified: Nov. 18, 2024, 9:05 p.m.

Attack Patterns

Additional Information

  • Government
  • Hong Kong