Threat Research

BrazenBamboo Exploits FortiClient Vulnerability to Capture VPN Credentials Using DEEPDATA

Securonix

Summary:

Volexity has identified a serious vulnerability in Fortinet’s FortiClient VPN client, which allows user credentials to be extracted from memory. This vulnerability has been exploited by the threat actor BrazenBamboo in their DEEPDATA malware, which is part of a broader suite of malware including LIGHTSPY. The analysis reveals extensive capabilities for data exfiltration and credential theft across multiple operating systems.

Keypoints:

  • Volexity discovered a vulnerability in Fortinet’s FortiClient VPN client that exposes user credentials.
  • The vulnerability was exploited by the BrazenBamboo threat actor in their DEEPDATA malware.
  • DEEPDATA is a modular post-exploitation tool for Windows that collects sensitive information.
  • Volexity identified a new Windows variant of the LIGHTSPY malware family.
  • DEEPDATA includes various plugins for data exfiltration, including one specifically targeting FortiClient.
  • Volexity reported the vulnerability to Fortinet, which acknowledged the issue but has not yet resolved it.
  • Both DEEPDATA and LIGHTSPY share similarities in their architecture and functionality.
  • The BrazenBamboo threat actor is believed to be state-affiliated and well-resourced.

    • MITRE Techniques

  • Credential Dumping (T1003): Extracts credentials from memory, specifically targeting FortiClient VPN processes.
  • Data Exfiltration (T1041): Utilizes DEEPPOST to exfiltrate files to remote systems via HTTPS.
  • Command and Control (T1071): Establishes communication channels for managing compromised systems.
  • Exploitation of Vulnerability (T1203): Exploits a zero-day vulnerability in FortiClient to extract credentials.

    • IoC:

  • [File Hash] SHA256: 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
  • [File Name] deepdata.zip
  • [File Name] localupload.exe
  • [File Hash] MD5: 533297a7084039bf6bda702b752e6b82
  • [File Hash] SHA1: 20214e2e93b1bb37108aa1b8666f6406fabca8a0
  • [File Hash] SHA256: f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e
  • [Others] BrazenBamboo threat actor, DEEPDATA malware family, LIGHTSPY malware family.

    • Full Research: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/

    Tags: full, TOOL, WINDOWS, VPN, CREDENTIAL, ZERO-DAY, VULNERABILITY, EXFILTRATION