Fortinet FortiClient Vulnerability Exploited by DEEPDATA Malware to Steal VPN Credentials
2024-11-17
Need some ammo against Fortinet? Discover how unpatched vulnerabilities in FortiClient lead to major security risks and learn about the importance of proactive patch management.
A vulnerability in Fortinet's FortiClient for Windows is being exploited by the threat actor BrazenBamboo through a malware framework called DEEPDATA to steal VPN credentials. Discovered by Volexity in July 2024, DEEPDATA is a post-exploitation tool targeting Windows that gathers a range of sensitive data, including application passwords and data from messaging applications. It includes a DLL loader that decrypts and launches plugins, one of which exploits the FortiClient flaw to extract VPN credentials from the client's memory. Although the flaw was reported to Fortinet, it remains unpatched. DEEPDATA, together with DEEPPOST and LightSpy, extends BrazenBamboo's cyber espionage capabilities. LightSpy, attributed to the China-linked APT41 group, shares code with DEEPDATA, hinting at a coordinated development effort, possibly by government-associated entities.
Zero-Day, Sensitive Data, Patch Management, Malware
Fortinet, FortiClient, DEEPDATA, VPN Credentials, BrazenBamboo, Zero-Day, APT41, Malware
N/A
Fortinet, FortiClient, Windows, WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass
DEEPDATA Malware Exploits Fortinet Flaw to Steal VPN Credentials

Discovery and Background
A security flaw in Fortinet's FortiClient for Windows is being actively exploited by a threat actor tracked as BrazenBamboo, which uses a malware framework called DEEPDATA to extract VPN credentials from compromised users. The flaw, which remains unpatched, was discovered in July 2024 by the security firm Volexity. It allows an attacker who already has code running on the host to read VPN credentials directly from the FortiClient process's memory. BrazenBamboo also develops other malicious tooling, including DEEPPOST and LightSpy, which together support its cyber espionage operations.

How DEEPDATA Works
DEEPDATA is a modular post-exploitation tool for Windows whose primary function is to gather a wide range of sensitive data from infected devices. At its core is a dynamic-link library (DLL) loader named "data.dll" that decrypts and launches the framework's plugins. One plugin targets FortiClient specifically: it exploits the zero-day to pull VPN credentials out of the client's memory. This is a post-exploitation step rather than an initial-access vector; the attacker must already be executing code on the victim's machine before the plugin can run.

Broader Implications
Beyond FortiClient, DEEPDATA collects data from a range of communication and productivity applications, including WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, and KeePass. This breadth makes the framework a threat to both personal and enterprise environments, and a stolen VPN credential in particular gives the attacker a route from one compromised endpoint into the corporate network.

Connections to Other Malware
DEEPDATA shares significant code and infrastructure similarities with LightSpy, a malware family attributed to the China-linked APT41 group. LightSpy targets multiple operating systems, including macOS, iOS, and Windows, and exfiltrates data over WebSocket and HTTPS.

Reporting and Current Status
Volexity reported the FortiClient vulnerability to Fortinet on July 18, 2024, but as of this article's date (November 2024) the issue remains unresolved. That changes what patch management can do here: there is no fix to apply, so the exposure has to be reduced with compensating controls until one ships. Practical measures include enforcing multi-factor authentication on the VPN so that a harvested password alone is not sufficient, and monitoring endpoints for unsigned DLLs loaded from user-writable directories and for processes opening the FortiClient process with memory-read access. The broader lesson still stands: unpatched software is a risk, and robust patch management and proactive defences remain essential against evolving threats.
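As an added example (not code from this page, from Volexity, or from DEEPDATA itself), the Python below hunts constructed Sysmon-style event records for the two behaviours described under How DEEPDATA Works: a DLL named data.dll being loaded unsigned or from an untrusted directory, and a non-Fortinet process opening a FortiClient process with memory-read access. The FortiClient process names, the allow-listed Fortinet directory and the five sample events are assumptions made for illustration; check the process names against a real FortiClient install before using the logic.

```python
# Added example: hunt Sysmon-style events for two behaviours the report describes
# (the "data.dll" plugin loader and reads of FortiClient process memory).
# Not DEEPDATA code and not Volexity's detections. FortiClient process names,
# the allow-listed source directory and the sample events are assumptions.
import ntpath

LOADER_NAME = "data.dll"  # loader DLL name given in the report

# Assumed FortiClient process names; verify against a real install before use.
FORTICLIENT_PROCESSES = {"forticlient.exe", "fortisslvpndaemon.exe", "fortitray.exe"}

# Sources allowed to open FortiClient processes with read access (assumed).
ALLOWED_ACCESS_SOURCE_DIRS = ("c:\\program files\\fortinet\\",)

# Directories from which a signed DLL load is considered low-risk.
TRUSTED_LOAD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")

PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory


def image_load_finding(ev):
    """Sysmon Event ID 7: flag data.dll loaded unsigned or from an untrusted directory."""
    loaded = ev["ImageLoaded"].lower()
    if ntpath.basename(loaded) != LOADER_NAME:
        return None
    trusted = loaded.startswith(TRUSTED_LOAD_DIRS)
    signed = ev.get("Signed", "false").lower() == "true"
    if trusted and signed:
        return None  # a name match alone is weak evidence; require a second signal
    return (f"loader: {ev['Image']} loaded {ev['ImageLoaded']} "
            f"(signed={signed}, trusted_dir={trusted})")


def process_access_finding(ev):
    """Sysmon Event ID 10: flag non-Fortinet processes opening FortiClient with PROCESS_VM_READ."""
    target = ev["TargetImage"].lower()
    if ntpath.basename(target) not in FORTICLIENT_PROCESSES:
        return None
    source = ev["SourceImage"].lower()
    if source.startswith(ALLOWED_ACCESS_SOURCE_DIRS):
        return None  # FortiClient's own components talk to each other; allow-list them
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs this as a hex string, e.g. 0x1010
    if not granted & PROCESS_VM_READ:
        return None  # e.g. 0x1400 (query information) cannot read memory
    return f"memory read: {ev['SourceImage']} opened {ev['TargetImage']} with {ev['GrantedAccess']}"


RULES = {"7": image_load_finding, "10": process_access_finding}


def hunt(events):
    """Run every rule over a list of event dicts and return the findings in order."""
    findings = []
    for ev in events:
        rule = RULES.get(str(ev.get("EventID")))
        if rule is None:
            continue
        finding = rule(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Only the first and third should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\data.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\Fortinet\FortiClient\FortiSSLVPNdaemon.exe",
     "GrantedAccess": "0x1400"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The allow-list is keyed on file path only, which a malware author can defeat by dropping a binary into the Fortinet directory; in a real deployment pair it with signature status from the event and treat the data.dll name match as a pivot for investigation rather than a verdict on its own.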
https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html?m=1