Fortinet VPN Zero-Day Exploited by BrazenBamboo Malware

Introduction

A critical zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.

The Vulnerability: Unresolved and Exploited

The FortiClient zero-day allows credentials, including usernames, passwords, and VPN server details, to persist in process memory after authentication. The DeepData malware exploits this vulnerability using a FortiClient plugin, leveraging the stored JSON objects in memory to exfiltrate data.

Key facts about the vulnerability:

  • Reported by Volexity: On July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
  • Unpatched: No CVE assigned, and no fixes released to date.
  • Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.
Fortinet VPN zero-day
Credit: Volexity

The DeepData Malware Framework

BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.

Key Features:

  • Credential Theft: Extracts credentials from FortiClient and 18 other sources.
  • Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
  • Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
  • System Monitoring: Records audio, captures screenshots, and tracks installed software.

DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.

BrazenBamboo: A Persistent Threat

Volexity attributes DeepData’s development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.

Notable Traits:

  • Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
  • Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
  • Operational Longevity: Continues to evolve despite public exposure.

Mitigation Recommendations

Organizations should implement the following measures while waiting for a patch:

  • Restrict VPN Access: Limit access to trusted users and monitor login activity.
  • Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
  • Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.

Conclusion

The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly. 

Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It’s time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless

Read Also

Fortinet Leaked Credentials to fuel more Breaches!

Fortinet Data Breach: Insights and Implications for Cloud Security

Cisco VPNs Suffer Brute Force Attacks: Here’s your Shield!

Mother of all breaches: Which you could have avoided !!

Introduction

Don’t use passwords they said. It can be breached they said. Well, surprise, surprise, we didn’t pay much attention. Now, here we are, nervously checking our email IDs against the colossal 26 billion-record breach – the mother of all breaches!

Breach Unveiled: A Symphony of Chaos

So, there’s this massive breach, Mother of All Breaches (MOAB), a digital pandemonium that has exposed a whopping 26 billion records. It’s like a digital opera – records from MySpace to Adobe, starring Tencent, Weibo, Twitter, and LinkedIn. Your data just had its grand debut!

The Dramatic Unfolding

Picture this: MOAB is a blockbuster compilation of data breaches, meticulously curated. It’s like a Hollywood blockbuster, but your credentials are the star, and not in a good way. Your once-secure passwords are now part of a hacker’s treasure trove. Slow clap for the password drama.

Passwords – The Ultimate Blunder

If  Ellen DeGeneres hosted this show, she’d say, “You had one job – say no to passwords!” See the aftermath? Identity theft, phishing attacks, and a surge in password-stuffing shenanigans. All thanks to those outdated, reused, and easy-to-crack passwords.

Passwordless Paradise: Where Dreams Come True

Now, imagine an alternate universe where you actually listened – where passwordless authentication is the superhero. No MOAB nightmares, just smooth, secure logins without the hassle of juggling countless passwords. A utopia, right?

Mitigation Party: Reclaim Your Digital Kingdom

Inspect Your Vulnerability: Employ tools such as “Have I Been Pwned” and data leak checker. data leak checker. Use “Privacy Hawk” to trace your data’s path and request removal from unwanted websites. Move swiftly: Purge your digital footprint by eliminating your data from irrelevant websites.

Conclusion: Lessons Learned (Hopefully)

In an ideal world, you’d have embraced passwordless authentication, and we’d all be sipping digital margaritas by now. But, alas, here we are – dealing with the aftermath. Take this as a digital wake-up call: passwords belong to the past, let’s march into a passwordless future.

A Final Plea: Break Free from Passwords

Passwords are so yesterday!! The revolution is calling – will you answer? Join the passwordless parade; your digital sanity will thank you later. Use PureId, Stay Safe.

Android FluBot Malware – spreading rapidly across Europe, might target the US!

FluBot is a banking malware that is specifically attacking Android phones and stealing bank details and passwords from your device. Like Covid-19, this malware has spread across a wide range of English speaking countries rapidly causing some irreparable damage. 

FluBot uses “smishing” – phishing using SMS and text messages. These attacks have seen a huge rise in the recent past. 

The Impact of the Attack 

Originated in Spain, then spread to Germany, Hungary, Italy, Poland and UK,  the malware is believed to have made over 7,000 victims in the UK alone, where the campaign operators were using more than 700 unique domains for the distribution of FluBot. 

Proofpoint says that U.S. users have already started receiving German and English-language phishing SMS messages, suggesting that the threat actor is getting ready to expand to this country. The pattern is similar to how the attacks started in the UK, where users first received German messages and then English ones.

Infection Stages

Smishing 

Here, an SMS with a malicious link is sent to the user disguising as famous delivery service organisations such as DHL & FedEx, on an hourly basis.

The malware requires user interaction to get access to the Android device. 

Reference:  https://tinyurl.com/2vctczzy

On clicking the link you’re redirected to a fake website, where you have to download an APK. 

Permission Acquisition

During the installation of this fake app, a misleading prompt appears asking for full access to SMS and networking, address book including device management.

The Attack

The malware after acquiring complete permissions carries out the malicious activity which includes and is not limited to

  1. Reading and forwarding sensitive SMS/OTPs
  2. Screen overlays on net banking apps to capture the passwords entered by the user
  3. Intercepting incoming messages and notifications, 
  4. Opening webpages.
  5. Disabling Google Play Protect. 
  6. It also can uninstall other applications. 
  7. It will also access contact details and send out additional text messages, spreading the spyware further.
Reference: https://tinyurl.com/2vctczzy

Protection & Precaution 

The National Cyber Security Centre (NCSC) warns users about this malware and its methodology, where you are obligated to download a tracking app because of a missed package.  It recommends Android users to practice following precautions 

  1. Do not click on links in unsolicited messages.
  2. Do not download APK from any website, other than Google Play Store.
  3. Do not give unnecessary permissions while installing an APK downloaded from a reliable source.
  4. Scan your Android device frequently with a legitimate anti-malware application.
  5. Never store passwords or banking information locally on your Android device.
  6. If you have used a phone for internet banking, double-check your account with the bank and report any fraudulent activity immediately.

As long as systems are using passwords, adversaries will find various ways and tools to steal them. We highly recommend that enterprises adopt passwordless authentication for critical services.

References:

https://www.ncsc.gov.uk/guidance/flubot-guidance-for-text-message-scam

https://blog.f-secure.com/flubot-android-malware/

https://www.91mobiles.com/hub/flubot-malware-android-phone-steals-netbanking-passwords/