Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials. Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that China-linked threat actor BrazenBamboo abused in their DEEPDATA malware. BrazenBamboo is known to be the author of other malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST. DEEPDATA is a […] Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials. Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that China-linked threat actor BrazenBamboo abused in their DEEPDATA malware. BrazenBamboo is known to be the author of other malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST. DEEPDATA is a modular post-exploitation tool for Windows that allows operators to harvest sensitive information from infected systems. DEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system and LIGHTSPY is a modular spyware. Experts noticed that due to this vulnerability, user credentials remain in process memory after a user authenticates to the VPN. Volexity reported the vulnerability to the security vendor in July, however the flaw has yet to be addressed. “Volexity verified the presence of these JSON objects in memory and confirmed this approach works against the latest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024.” reads the advisory. “At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number.” Volexity’s report details the DeepData custom malware which is employed in espionage campaigns. The malware exploits the zero-day in Fortinet’s FortiClient to extract VPN credentials and server details from process memory. DeepData can access and decrypt JSON objects, which contain credentials, in FortiClient’s process memory and exfiltrates them to the attacker’s server using DeepPost. Once obtained the credentials, threat actors used them for initial network access, lateral movement, and data exfiltration. Below are the DEEPDATA’s plugins identified by Volexity: Plugin NamePlugin CapabilitiesAccountInfoSteal credentials from 18 different sources on the compromised device.AppDataCollect data from WeChat, WhatsApp and Signal on the compromised device.AudioRecord audio on compromised devices.ChatIndexedDbSteal databases from WhatsApp and Zalo chat clients.FortiClientExtract credentials and server information from process memory of FortiClient VPN processes.OutlookCollect contacts and emails from local Microsoft Outlook instances.SocialSoftSteal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.SoftwareListList installed software, folders, and files recursively from a base location.SystemInfoGather basic enumeration information from the compromised device.TdMonitorHook Telegram to retrieve messages from the application.WebBrowserCollect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers.WifiListCollect details of stored WiFi keys and nearby hotspots. The researchers recommend restricting VPN access and monitoring for anomalous login activity, they also released indicators of compromise (IoCs) associated with this campaign. Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs hacking, DeepData)
Published: 2024-11-19T15:05:27