Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
Nov. 18, 2024, 9:05 p.m.
Description
A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a modular post-exploitation tool for Windows, and LIGHTSPY, a multi-platform malware. DEEPDATA includes plugins for stealing credentials, collecting data from chat apps, and recording audio. The threat actor's infrastructure hosts various applications, including an email theft platform and a big data analysis platform for stolen data. Evidence suggests BrazenBamboo may be a private enterprise producing capabilities for governmental operators focused on domestic targets.
Date
Published: Nov. 16, 2024, 3:01 p.m.
Created: Nov. 16, 2024, 3:01 p.m.
Modified: Nov. 18, 2024, 9:05 p.m.
Attack Patterns
DeepPost
DeepData
LightSpy
BrazenBamboo
T1552.002
T1552.001
T1555.003
T1059.003
T1114
T1056.001
T1555
T1113
T1123
T1005
T1082
T1083
Additional Information
Government
Hong Kong