

China-linked actor’s malware DeepData exploits FortiClient VPN zero-day


Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials.

Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that the China-linked threat actor BrazenBamboo abused in its DEEPDATA malware. BrazenBamboo is known to be the author of other malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST.

DEEPDATA is a modular post-exploitation tool for Windows that allows operators to harvest sensitive information from infected systems. DEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system, and LIGHTSPY is a modular spyware.

Experts noticed that due to this vulnerability, user credentials remain in process memory after a user authenticates to the VPN.

Volexity reported the vulnerability to the security vendor in July; however, the flaw has yet to be addressed.

“Volexity verified the presence of these JSON objects in memory and confirmed this approach works against the latest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024.” reads the advisory. “At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number.”

Volexity’s report details the DeepData custom malware which is employed in espionage campaigns. The malware exploits the zero-day in Fortinet’s FortiClient to extract VPN credentials and server details from process memory.
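The defect class described above, a plaintext credential that stays readable in process memory once authentication is over, comes down to whether the client wipes the secret after it is used. The following C program is an added example, not FortiClient code and not from Volexity’s report: the session struct, the stand-in authentication exchange and the constructed credential are all assumptions made for illustration. It places the weak pattern (secret retained) beside the hardened one (secret wiped through a volatile pointer so the compiler cannot drop the store as dead code) and checks the process memory of each afterwards.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not FortiClient code): a VPN client session record
 * that holds the password in a fixed buffer for the login exchange. Whether
 * that buffer is wiped afterwards decides whether the secret survives in
 * process memory for anything that can read it. */

#define PW_MAX 64

typedef struct {
    char server[64];
    char username[64];
    char password[PW_MAX];   /* plaintext needed only until auth completes */
    int  authenticated;
} vpn_session_t;

/* Compiler-resistant wipe: a plain memset() on a buffer that is never read
 * again may be optimised away as a dead store; writing through a volatile
 * pointer forces every byte to be cleared. (On Windows, SecureZeroMemory()
 * serves the same purpose.) */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Hypothetical stand-in for the real authentication exchange:
 * returns 1 on success, 0 otherwise. */
static int do_auth_exchange(const vpn_session_t *s) {
    return s->password[0] != '\0';
}

/* Weak pattern: the password stays in the session struct after login,
 * so a memory read of the process recovers it. */
int login_keeps_secret(vpn_session_t *s) {
    s->authenticated = do_auth_exchange(s);
    return s->authenticated;
}

/* Hardened pattern: the plaintext is wiped as soon as the exchange is
 * done, whether or not it succeeded; only the session state remains. */
int login_wipes_secret(vpn_session_t *s) {
    s->authenticated = do_auth_exchange(s);
    secure_wipe(s->password, sizeof s->password);
    return s->authenticated;
}

/* Memory check: returns 1 if any non-zero byte of the password field
 * is still present, 0 if the field has been fully cleared. */
int secret_in_memory(const vpn_session_t *s) {
    for (size_t i = 0; i < sizeof s->password; i++)
        if (s->password[i] != 0) return 1;
    return 0;
}

/* Builds a session from a constructed (fake) credential. */
vpn_session_t make_session(const char *server, const char *user, const char *pw) {
    vpn_session_t s;
    memset(&s, 0, sizeof s);
    snprintf(s.server, sizeof s.server, "%s", server);
    snprintf(s.username, sizeof s.username, "%s", user);
    snprintf(s.password, sizeof s.password, "%s", pw);
    return s;
}

int main(void) {
    vpn_session_t a = make_session("vpn.example.test", "alice", "Hunter2!");
    vpn_session_t b = make_session("vpn.example.test", "alice", "Hunter2!");
    login_keeps_secret(&a);
    login_wipes_secret(&b);
    printf("weak pattern:     auth=%d, password still in memory=%d\n",
           a.authenticated, secret_in_memory(&a));
    printf("hardened pattern: auth=%d, password still in memory=%d\n",
           b.authenticated, secret_in_memory(&b));
    return 0;
}
```

The wipe runs unconditionally after the exchange, so a failed login leaves no secret behind either; the same rule applies to any temporary copy made while serialising the credential (for example into a JSON object), which must be cleared on every exit path, not only the successful one.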

DeepData can access and decrypt the JSON objects containing credentials in FortiClient’s process memory and exfiltrate them to the attacker’s server using DeepPost.

Once they obtained the credentials, the threat actors used them for initial network access, lateral movement, and data exfiltration.

Below are the DEEPDATA plugins identified by Volexity:

| Plugin Name | Plugin Capabilities |
| --- | --- |
| AccountInfo | Steal credentials from 18 different sources on the compromised device. |
| AppData | Collect data from WeChat, WhatsApp and Signal on the compromised device. |
| Audio | Record audio on compromised devices. |
| ChatIndexedDb | Steal databases from WhatsApp and Zalo chat clients. |
| FortiClient | Extract credentials and server information from process memory of FortiClient VPN processes. |
| Outlook | Collect contacts and emails from local Microsoft Outlook instances. |
| SocialSoft | Steal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications. |
| SoftwareList | List installed software, folders, and files recursively from a base location. |
| SystemInfo | Gather basic enumeration information from the compromised device. |
| TdMonitor | Hook Telegram to retrieve messages from the application. |
| WebBrowser | Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers. |
| WifiList | Collect details of stored WiFi keys and nearby hotspots. |

The researchers recommend restricting VPN access and monitoring for anomalous login activity; they also released indicators of compromise (IoCs) associated with this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, DeepData)