Chinese Hackers Exploit Fortinet Zero-Day To Harvest VPN Credentials

Cybersecurity researchers at Volexity recently reported that a Chinese state-affiliated threat actor exploited an unpatched zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, to steal sensitive VPN credentials directly from memory.

‘BrazenBamboo,’ the suspected Chinese state-sponsored threat actor, is attributed with developing ‘DEEPDATA,’ a modular post-exploitation malware framework for the Windows operating system that can extract credentials, record audio, and collect information from various apps.

Volexity also tracks BrazenBamboo as the developer of other malware families, such as LIGHTSPY and DEEPPOST. However, the company added that it does not necessarily link them to the operators utilizing them, as there could be multiple users.

During the analysis of the DEEPDATA malware family, the security researchers found that the malware’s specialized FortiClient plugin exploited the vulnerability by extracting sensitive credentials such as usernames, passwords, remote gateways, and ports stored in JSON objects within the FortiClient VPN client’s process memory.

According to cybersecurity experts, the DEEPDATA framework depends on a core dynamic-link library (DLL) component, “data.dll,” which is designed to decrypt and execute up to 12 unique plugins via an orchestrator for plugin execution named “frame.dll.”

Among these plugins is a newly identified “FortiClient” DLL, capable of extracting credentials and server information from the process memory of FortiClient VPN processes.

“Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client’s process,” security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres wrote in a technical blog post on Friday.

The techniques applied by this plugin resemble those used against a similar vulnerability discovered in 2016, in which credentials could be located in memory using hardcoded offsets.

However, Volexity confirmed that the 2024 vulnerability is new and present in FortiClient version 7.4.0, which was the latest version at the time of the flaw’s discovery.

The cybersecurity firm reported the credential disclosure vulnerability to Fortinet on July 18, 2024, which was acknowledged on July 24, 2024. However, the issue remains unpatched to date, and no CVE has been assigned to it.

“Volexity’s analysis provides evidence that BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity. The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output,” the cybersecurity firm notes.

Besides DEEPDATA, BrazenBamboo has also developed DEEPPOST, a post-exploitation data exfiltration tool for sending files to a remote system using HTTPS.

DEEPDATA and DEEPPOST, along with LIGHTSPY, a multi-platform malware family known to target multiple operating systems, including iOS and Windows, showcase the threat actor’s advanced and powerful cyber espionage capabilities and the risk posed to unpatched systems and sensitive user data.

Until Fortinet officially acknowledges the reported vulnerability and rolls out a security patch, limiting VPN access and monitoring login activity for any irregularities is advisable.

Organizations that rely on Fortinet solutions are encouraged to remain vigilant, as the flaw could expose sensitive credentials if exploited.
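The advice above to monitor login activity for irregularities is the one mitigation available while the flaw is unpatched. The following is an added example, not code from the article or from Volexity, of the kind of check a defender can run over VPN authentication logs: it flags an account whose credential is used from two different source addresses within a short window, and any successful login from a source the account has never used before. Both are plausible signals of a stolen credential being replayed. The log line format, the account names, the IP addresses and the per-user baseline are all constructed for the example and do not reflect FortiClient's or FortiGate's real log schema.

```python
"""Flag anomalous VPN logins in constructed sample log lines.

Added example; the log format below is a constructed placeholder,
not the real FortiClient/FortiGate authentication log format.
"""
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-08-01T08:00:05Z user=alice src=203.0.113.10 result=success
2024-08-01T08:02:11Z user=bob src=198.51.100.7 result=success
2024-08-01T08:15:40Z user=alice src=192.0.2.55 result=success
2024-08-01T09:00:00Z user=bob src=198.51.100.7 result=success
2024-08-02T10:00:00Z user=alice src=203.0.113.10 result=failure
"""

# Constructed baseline: source addresses each account normally connects from.
BASELINE = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
}


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "src": kv["src"],
            "result": kv["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def find_concurrent_source_logins(events, window=timedelta(hours=1)):
    """Return (user, earlier_src, later_src, later_ts) whenever one account
    authenticates successfully from two different sources within `window`.
    A legitimate user rarely does this; a replayed stolen credential often does."""
    alerts = []
    last_success = {}  # user -> (timestamp, source IP) of most recent success
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev[1] != e["src"] and e["ts"] - prev[0] <= window:
            alerts.append((e["user"], prev[1], e["src"], e["ts"]))
        last_success[e["user"]] = (e["ts"], e["src"])
    return alerts


def find_new_sources(events, baseline):
    """Return (user, src, ts) for successful logins from a source address
    not present in that account's baseline set."""
    alerts = []
    for e in events:
        if e["result"] == "success" and e["src"] not in baseline.get(e["user"], set()):
            alerts.append((e["user"], e["src"], e["ts"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in find_concurrent_source_logins(evs):
        print("concurrent-source login:", a)
    for a in find_new_sources(evs, BASELINE):
        print("login from unseen source:", a)
```

On the sample data both checks fire on the same event: alice's 08:15 login from 192.0.2.55 arrives fifteen minutes after her login from 203.0.113.10 and from an address outside her baseline, while bob's repeated logins from a single known address produce no alert. In production the baseline would be built from a trailing window of historical successes rather than hardcoded, and the window and result strings would be adapted to the real log source.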

Kavita Iyer