China-linked actor’s malware DeepData exploits FortiClient VPN zero-day


China-linked actor’s malware DeepData exploits FortiClient VPN zero-day

Pierluigi Paganini
China-linked actor's malware DeepData exploits FortiClient VPN zero-day November 19, 2024

China-linked actor's malware DeepData exploits FortiClient VPN zero-day

Chinese threat actors use custom post-exploitation toolkit ‘DeepData’ to exploit FortiClient VPN zero-day and steal credentials.

Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that China-linked threat actor BrazenBamboo abused in their DEEPDATA malware. BrazenBamboo is known to be the author of other malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST.

DEEPDATA is a modular post-exploitation tool for Windows that allows operators to harvest sensitive information from infected systems. DEEPPOST is a post-exploitation data exfiltration tool used to send files to a remote system and LIGHTSPY is a modular spyware.

Experts noticed that due to this vulnerability, user credentials remain in process memory after a user authenticates to the VPN.

Volexity reported the vulnerability to the security vendor in July, however the flaw has yet to be addressed.

“Volexity verified the presence of these JSON objects in memory and confirmed this approach works against the latest version available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024.” reads the advisory. “At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number.”

Volexity’s report details the DeepData custom malware which is employed in espionage campaigns. The malware exploits the zero-day in Fortinet’s FortiClient to extract VPN credentials and server details from process memory.

DeepData can access and decrypt JSON objects, which contain credentials, in FortiClient’s process memory and exfiltrates them to the attacker’s server using DeepPost.

Once obtained the credentials, threat actors used them for initial network access, lateral movement, and data exfiltration.

Below are the DEEPDATA’s plugins identified by Volexity:

Plugin Name Plugin Capabilities
AccountInfo Steal credentials from 18 different sources on the compromised device.
AppData Collect data from WeChat, WhatsApp and Signal on the compromised device.
Audio Record audio on compromised devices.
ChatIndexedDb Steal databases from WhatsApp and Zalo chat clients.
FortiClient Extract credentials and server information from process memory of FortiClient VPN processes.
Outlook Collect contacts and emails from local Microsoft Outlook instances.
SocialSoft Steal data from WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.
SoftwareList List installed software, folders, and files recursively from a base location.
SystemInfo Gather basic enumeration information from the compromised device.
TdMonitor Hook Telegram to retrieve messages from the application.
WebBrowser Collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web browsers.
WifiList Collect details of stored WiFi keys and nearby hotspots.

The researchers recommend restricting VPN access and monitoring for anomalous login activity, they also released indicators of compromise (IoCs) associated with this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DeepData)







Source link