Fortinet VPN Zero-Day Exploited by BrazenBamboo Malware

PureID

Srishti Chaubey

November 26, 2024


Introduction

A critical zero-day vulnerability in Fortinet's Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.

The Vulnerability: Unresolved and Exploited

The FortiClient zero-day leaves credentials, including usernames, passwords, and VPN server details, in process memory after authentication. DeepData exploits this with a plugin that targets FortiClient, reading the JSON objects that remain in memory to exfiltrate the data.

Key facts about the vulnerability:

  • Reported by Volexity: Disclosed to Fortinet on July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
  • Unpatched: No CVE assigned, and no fixes released to date.
  • Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.

[Figure: Fortinet VPN zero-day. Credit: Volexity]

The DeepData Malware Framework

BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.

Key Features:

  • Credential Theft: Extracts credentials from FortiClient and 18 other sources.
  • Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
  • Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
  • System Monitoring: Records audio, captures screenshots, and tracks installed software.

DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.

BrazenBamboo: A Persistent Threat

Volexity attributes DeepData's development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.

Notable Traits:

  • Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
  • Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
  • Operational Longevity: Continues to evolve despite public exposure.

Mitigation Recommendations

Organizations should implement the following measures while waiting for a patch:

  • Restrict VPN Access: Limit access to trusted users and monitor login activity.
  • Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
  • Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.

Conclusion

The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly. 

Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It's time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless
