Chinese threat actors, "BrazenBamboo," use a custom post-exploitation toolkit named DeepData to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client. This vulnerability allows attackers to dump credentials from memory after a user authenticates with the VPN. DeepData is a modular tool that employs multiple plugins for data theft, and its latest version includes a plugin specifically for extracting credentials and VPN server information from FortiClient by decrypting stored JSON objects in memory.
The attackers then exfiltrate the stolen data to their server using another malware called DeepPost. This exploitation allows BrazenBamboo to gain initial access to corporate networks through compromised VPN accounts, enabling further lateral movement and espionage.
Volexity discovered in mid-July 2024 that DeepData, a custom post-exploitation toolkit, exploits a new zero-day vulnerability in FortiClient's latest version (v7.4.0), which allows attackers to access sensitive information, including usernames, passwords, and VPN details, stored in memory. This vulnerability is similar to a 2016 flaw but is distinct and works only on recent FortiClient releases. The issue arises because FortiClient fails to clear sensitive data from memory, leaving it exposed in JSON objects.
Fortinet currently does not have a fix for this vulnerability. Until Fortinet confirms the vulnerability and releases a patch, Logically recommends restricting VPN access and monitoring for unusual login activity.
Volexity's report details the attackers' use of additional malware such as LightSpy, which is a multi-platform spyware designed for data collection, keylogging, and credential theft. Logically's recommendation to mitigate this threat includes enforcing Multi-Factor Authentication (MFA), using VPN realms for better security, and deploying Enterprise Detection and Response (EDR) solutions to protect endpoints from such malware.
