Fortinet VPN Zero-Day Exploited by BrazenBamboo Malware

Introduction

A critical zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.

The Vulnerability: Unresolved and Exploited

The FortiClient zero-day allows credentials, including usernames, passwords, and VPN server details, to persist in process memory after authentication. The DeepData malware exploits this vulnerability using a FortiClient plugin, leveraging the stored JSON objects in memory to exfiltrate data.

Key facts about the vulnerability:

  • Reported by Volexity: On July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
  • Unpatched: No CVE assigned, and no fixes released to date.
  • Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.
Fortinet VPN zero-day
Credit: Volexity

The DeepData Malware Framework

BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.

Key Features:

  • Credential Theft: Extracts credentials from FortiClient and 18 other sources.
  • Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
  • Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
  • System Monitoring: Records audio, captures screenshots, and tracks installed software.

DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.

BrazenBamboo: A Persistent Threat

Volexity attributes DeepData’s development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.

Notable Traits:

  • Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
  • Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
  • Operational Longevity: Continues to evolve despite public exposure.

Mitigation Recommendations

Organizations should implement the following measures while waiting for a patch:

  • Restrict VPN Access: Limit access to trusted users and monitor login activity.
  • Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
  • Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.

Conclusion

The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly. 

Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It’s time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless

Read Also

Fortinet Leaked Credentials to fuel more Breaches!

Fortinet Data Breach: Insights and Implications for Cloud Security

Cisco VPNs Suffer Brute Force Attacks: Here’s your Shield!

Fortinet Data Breach: Insights and Implications for Cloud Security

Introduction

Fortinet recently experienced a data breach with 440GB of stolen files. This incident underscores the critical importance of securing data in third-party cloud environments. In this blog, we dive into the details of the Fortinet breach, its implications, and why moving towards passwordless authentication is an essential step for enhancing security.

The Fortinet Breach: A Detailed Overview

Fortinet, renowned for its comprehensive cybersecurity solutions, has confirmed a significant data breach. The hacker, using the name “Fortibitch,” claimed to have exploited an Azure SharePoint vulnerability to steal 440GB of data in this breach, dubbed “Fortileak“.

Fortinet data breach: Fortibitch
Credit: Hackread.com

How the Breach Happened

According to reports, the breach involved unauthorised access to Fortinet’s Azure SharePoint instance. The hacker provided credentials to an Amazon S3 bucket where the stolen data was allegedly stored. The leaked data included customer information and various corporate documents.

Fortinet confirmed the breach involved less than 0.3% of its customer base, affecting a limited number of files. The company assured stakeholders that there was no evidence of malicious activity affecting its operations or services. No ransomware was deployed, and Fortinet’s corporate network remained secure.

The Response from Fortinet

Fortinet acted swiftly to mitigate the impact of the breach. The company engaged in immediate containment measures, including terminating the unauthorised access and notifying affected customers. They also worked with law enforcement and cybersecurity agencies to address the situation.

In their update, Fortinet emphasised that the breach did not involve data encryption or ransomware. The company’s operations and financial performance remain unaffected, with no significant impact reported.

Key Takeaways and Security Lessons

This incident highlights several critical lessons for organisations:

1. Secure Cloud Environments

The Fortinet breach underscores the need for robust security measures around cloud-based environments. Companies must properly configure their cloud storage solutions and actively protect them against unauthorized access.

2. Implement Strong Access Controls

Using multi factor authentication (MFA) is minimum, but given the MFA are also getting bypassed, more secure authentication like PureAUTH is highly recommended

3. Continuous Monitoring and Response

Proactive monitoring of cloud assets and rapid response to security incidents are essential for minimising the impact of breaches. Organisations should have incident response plans in place to handle such situations effectively.

Embracing Passwordless Authentication for Enhanced Security

As demonstrated by the Fortinet breach, traditional security measures, including passwords and MFA, are increasingly inadequate. The shift towards passwordless authentication offers a more secure and resilient alternative.

Passwordless authentication solutions like PureAuth provide a breach-resilient architecture by leveraging advanced cryptography and just-in-time access. This approach significantly reduces the risk of third-party breaches and enhances overall security. Key benefits include:

  • Breach Resilience: PureAuth’s architecture is designed to withstand breaches by eliminating the reliance on passwords and minimising attack vectors.
  • Flexible Security Measures: We work with you to design fallback and recovery mechanisms, ensuring uninterrupted access to enterprise resources.
  • Ongoing Support: Comprehensive breach support is available to address any issues that arise.
Fortinet data breach: Embracing passwordless authentication

Transitioning to passwordless authentication is no longer just a best practice but a necessity for enterprises aiming to protect critical assets. Passwords and traditional 2FA/MFA methods are becoming increasingly inefficient and insecure. Adopting a passwordless approach enhances security, simplifies access management, and aligns perfectly with modern cybersecurity needs.

Conclusion

The Fortinet data breach serves as a stark reminder of the evolving threats in the cybersecurity landscape. While Fortinet’s response has been commendable, organisations must take proactive steps to safeguard their data, especially in cloud environments. Moving towards passwordless authentication solutions like PureAuth offers a forward-thinking approach to security, addressing the limitations of traditional methods and providing a more resilient defence against breaches.

For enterprises looking to enhance their security posture, embracing passwordless authentication is not an option—it is a necessity. Ensure your organisation is equipped to handle the future of cybersecurity with advanced, breach-resilient solutions. #gopasswordless