Category: Zero Day

DeepSeek’s Database Breach: A Wake-Up Call for AI Security

Posted on by Srishti Chaubey

DeepSeek, a rising Chinese AI startup, has garnered global attention for its innovative AI models, particularly the DeepSeek-R1 reasoning model. Praised for its cost-effectiveness and strong performance, DeepSeek-R1 competes with industry leaders like OpenAI’s o1. However, as its prominence grew, so did scrutiny from security researchers. Their investigations uncovered a critical vulnerability—DeepSeek’s database leaked sensitive information, including plaintext chat histories and API keys.

What Happened?

Security researchers at Wiz discovered two unsecured ClickHouse database instances within DeepSeek’s infrastructure. These databases left exposed via open ports with no authentication, contained:

  • Over one million plaintext chat logs.
  • API keys and backend operational details.
  • Internal metadata and user queries.

This misconfiguration created a significant security risk, potentially allowing unauthorized access to sensitive data, privilege escalation, and data exfiltration.

How It Was Found

Wiz’s routine scanning of DeepSeek’s external infrastructure led to the detection of open ports (8123 and 9000) linked to the ClickHouse database. Simple SQL queries revealed a trove of sensitive data, including user interactions and operational metadata.

While Wiz promptly disclosed the issue and DeepSeek swiftly secured the database, the key concern remains—was this vulnerability exploited before the fix?

The Bigger Picture

This breach highlights the urgent need for AI companies to prioritize security alongside innovation. As AI-powered tools like DeepSeek’s R1 model become integral to businesses, safeguarding user data must be a top priority.

Wiz researchers emphasized a growing industry-wide problem: AI startups often rush to market without implementing proper security frameworks. This oversight exposes sensitive user data and operational secrets, making them prime targets for cyberattacks.

Key Takeaways for the Industry

The DeepSeek breach serves as a critical lesson for AI developers and businesses:

  • Security First: Treat AI infrastructure with the same rigor as public cloud environments, enforcing strict access controls and authentication measures.
  • Proactive Defense: Regular security audits and monitoring should be standard practice to detect and prevent vulnerabilities.
  • Collaboration is Key: AI developers and security teams must work together to secure sensitive data and prevent breaches.

Earlier, DeepSeek reported detecting and stopping a “large-scale cyberattack,” underscoring the importance of robust cybersecurity measures. The rapid advancement of AI brings immense opportunities but also exposes critical security gaps. The DeepSeek breach is a stark reminder that failing to implement basic security protocols puts sensitive data—and user trust—at risk.

Also Read

Cisco Data Breach: A Timeline of Events and Broader Implications

LDAP Nightmare: A Critical Flaw Shakes Enterprise Networks

Fortinet VPN Zero-Day Exploited by BrazenBamboo Malware

Posted on by Srishti Chaubey

Introduction

A critical zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, has been exploited by a Chinese-linked threat actor known as BrazenBamboo. This flaw, reported by cybersecurity firm Volexity, remains unpatched, leaving organizations vulnerable to credential theft and espionage. The attackers employ a modular malware framework called DeepData, which specializes in extracting sensitive information from compromised systems.

The Vulnerability: Unresolved and Exploited

The FortiClient zero-day allows credentials, including usernames, passwords, and VPN server details, to persist in process memory after authentication. The DeepData malware exploits this vulnerability using a FortiClient plugin, leveraging the stored JSON objects in memory to exfiltrate data.

Key facts about the vulnerability:

  • Reported by Volexity: On July 18, 2024, and acknowledged by Fortinet on July 24, 2024.
  • Unpatched: No CVE assigned, and no fixes released to date.
  • Targeted Versions: The latest FortiClient versions, including v7.4.0, are affected.
Fortinet VPN zero-day
Credit: Volexity

The DeepData Malware Framework

BrazenBamboo developed a sophisticated post-exploitation tool called DeepData. It is modular, utilizing plugins to target a wide range of sensitive data.

Key Features:

  • Credential Theft: Extracts credentials from FortiClient and 18 other sources.
  • Application Surveillance: Collects data from communication apps like WeChat, WhatsApp, and Signal.
  • Web Browsing Data: Gathers cookies, history, and passwords from major browsers like Chrome and Firefox.
  • System Monitoring: Records audio, captures screenshots, and tracks installed software.

DeepData also integrates with another BrazenBamboo tool, DeepPost, to exfiltrate stolen data to command-and-control (C2) servers.

BrazenBamboo: A Persistent Threat

Volexity attributes DeepData’s development to BrazenBamboo, a Chinese state-sponsored group also linked to LightSpy and DeepPost malware. These tools have been used in campaigns targeting Southeast Asian journalists, activists, and politicians.

Notable Traits:

  • Multi-Platform Capability: Operates on Windows, macOS, iOS, and Android.
  • Infrastructure Overlap: Shared C2 servers and coding styles with other malware families.
  • Operational Longevity: Continues to evolve despite public exposure.

Mitigation Recommendations

Organizations should implement the following measures while waiting for a patch:

  • Restrict VPN Access: Limit access to trusted users and monitor login activity.
  • Detect Malicious Activity: Use available rules and indicators of compromise (IOCs) to identify threats.
  • Enhance System Security: Regularly audit memory for sensitive information and improve credential management practices.

Conclusion

The ongoing exploitation of Fortinet’s VPN client zero-day by BrazenBamboo underscores the urgency of addressing vulnerabilities promptly. 

Proactive measures and modern solutions are the keys to staying resilient in an evolving cybersecurity landscape. It’s time for organizations to transition to secure-by-design platforms instead of relying on password and credential-based authentication. If something can be stolen, it will be. Using solutions like PureAuth for passwordless authentication and access management ensures your organization is safe and your data is secure by design and default. By eliminating passwords—a common attack vector—you can significantly enhance your security posture and stay ahead of sophisticated threats like BrazenBamboo. #gopasswordless

Read Also

Fortinet Leaked Credentials to fuel more Breaches!

Fortinet Data Breach: Insights and Implications for Cloud Security

Cisco VPNs Suffer Brute Force Attacks: Here’s your Shield!

© 2025 | PureID. All Rights Reserved

Privacy & Terms | Licenses