BrazenBamboo, a Chinese threat actor, allegedly exploited a vulnerability in Fortinet's FortiClient Windows VPN client to extract VPN credentials, using a modular post-exploitation framework called DeepData.
Fortinet is an American cyber security company that develops and sells security products such as firewalls, endpoint security and intrusion detection systems; it is the vendor of the affected VPN client, not the victim of the intrusions.
In a technical report released last week, Volexity, a Washington D.C.-based security firm, stated that it had identified exploitation of a zero-day credential disclosure vulnerability in Fortinet's Windows VPN client. The flaw allowed credentials to be stolen from the memory of the client's process.
“Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN,” Callum Roxan, Charlie Gardner, Paul Rascagneres from Volexity stated.
The vulnerability was spotted while Volexity was analysing a recent sample of the DeepData malware family. The security firm found the vulnerability in July this year and reported it to Fortinet.
The threat actor appears to have developed a dedicated DeepData plugin that reads the VPN credentials directly out of the FortiClient VPN client's process memory, where they are left unprotected after authentication.
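The weakness Volexity describes is a general one: a plaintext credential that stays resident in process memory after it is no longer needed can be recovered by anything able to read that memory. The following C program is an added example written for this article, not code from Volexity, Fortinet or the DeepData malware; it does not touch FortiClient and makes no claim about how FortiClient stores credentials internally. It uses a constructed session struct and a constructed sample password to contrast a leaky login routine with one that wipes the password after the handshake, and a simple memory-region search standing in for what a credential-scraping plugin does in effect.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 64

/* Simulated long-lived client state. Constructed for this example only;
 * it is not FortiClient's real data layout. */
typedef struct {
    char username[CRED_MAX];
    char password[CRED_MAX];
    int authenticated;
} vpn_session_t;

/* Simulated handshake: the client "uses" the password and reports success. */
static int do_handshake(const vpn_session_t *s) {
    return s->password[0] != '\0';
}

/* A plain memset() on a buffer that is never read again may be removed by
 * the optimizer; writing through a volatile pointer prevents that. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Weak pattern: the password stays in the session struct after login. */
int login_leaky(vpn_session_t *s, const char *user, const char *pass) {
    snprintf(s->username, CRED_MAX, "%s", user);
    snprintf(s->password, CRED_MAX, "%s", pass);
    s->authenticated = do_handshake(s);
    return s->authenticated;
}

/* Hardened pattern: the password lives only for the handshake, then is wiped. */
int login_hardened(vpn_session_t *s, const char *user, const char *pass) {
    snprintf(s->username, CRED_MAX, "%s", user);
    snprintf(s->password, CRED_MAX, "%s", pass);
    s->authenticated = do_handshake(s);
    secure_wipe(s->password, sizeof s->password);
    return s->authenticated;
}

/* What a memory-scraping plugin does in effect: search a region of process
 * memory for a known plaintext. Returns 1 if found, 0 otherwise. */
int region_contains(const void *region, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    const unsigned char *p = region;
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(p + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Runs one login pattern and reports whether the password can still be
 * recovered from the session's memory afterwards. */
int password_recoverable(int hardened) {
    vpn_session_t s;
    const char *pw = "Example-Passw0rd!"; /* constructed sample, not a real secret */
    memset(&s, 0, sizeof s);
    if (hardened)
        login_hardened(&s, "alice", pw);
    else
        login_leaky(&s, "alice", pw);
    return region_contains(&s, sizeof s, pw);
}

int main(void) {
    printf("leaky:    password recoverable after login = %d\n", password_recoverable(0));
    printf("hardened: password recoverable after login = %d\n", password_recoverable(1));
    return 0;
}
```

The same scan over a real process would be done with platform memory-reading APIs rather than a pointer into a local struct, but the lesson is identical: only memory that has been wiped is safe from scraping, and clearing must be done in a way the compiler cannot optimise away.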
Data Theft Linked to Chinese Cyber-Espionage Group
In April 2024, BlackBerry had also documented the LightSpy malware campaign.
Aiming at more advanced data theft, the threat actor behind LightSpy, allegedly associated with the Chinese cyber-espionage group APT41, expanded its toolset to include DeepData.
BrazenBamboo, the group behind DeepData, is likewise assessed to be a Chinese state-affiliated threat actor.
According to BleepingComputer, BrazenBamboo is known for developing and deploying advanced malware families targeting Windows, macOS, iOS, and Android systems in surveillance operations.
Volexity's report suggests that this group is also responsible for other malicious activity, including that associated with the LightSpy and DeepPost malware families.
“Volexity tracks BrazenBamboo as the developer of these malware families and not necessarily one of the operators using them (there may be many),” said Roxan, Gardner and Rascagneres.
“Volexity has also identified a new Windows variant of LightSpy that was not previously documented at the time of writing,” they added.
The threat actors used DeepData, a custom post-exploitation toolkit, to exploit the FortiClient vulnerability on hosts they had already compromised.
By harvesting usernames, passwords and VPN server details from the FortiClient process memory on the victim's machine, the attackers obtain working VPN credentials that give them access to the victim's corporate network, which can then be used for espionage and other malicious activity, much as with LightSpy and DeepPost.
Fortinet has not yet publicly confirmed the flaw that the threat actors exploited.
What is DeepData?
DeepData is a versatile post-exploitation tool designed to extract sensitive information from an already compromised Windows system. The data it targets includes passwords, system details and user activity logs.
According to the reports, this custom post-exploitation tool was developed by BrazenBamboo, a Chinese state-sponsored espionage group.
DeepData is built from several plugins, each designed for a specific data theft task. Because the modular design lets operators load only the capabilities they need, the intrusion and data theft can go unnoticed for long periods of time.
To protect against DeepData and similar threats, organisations should prioritise regular software updates, implement strong network security controls, educate employees on cyber security best practices and maintain a well-defined incident response plan. Because the credential theft is a post-exploitation step that requires code already running on the endpoint, endpoint detection and prompt rotation of VPN credentials on any host suspected of compromise are the most directly relevant controls.