
China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer

No word on when or if the issue will be fixed


Chinese government-linked snoops are exploiting a zero-day bug in Fortinet's Windows VPN client to steal credentials and other information, according to memory forensics outfit Volexity.

The Volexity threat intelligence team reported the zero-day vulnerability to Fortinet on July 18 after identifying its exploitation in the wild. Fortinet acknowledged the issue on July 24, according to a November 15 report by Volexity's Callum Roxan, Charlie Gardner, and Paul Rascagneres.

"At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number," the trio wrote.

Fortinet did not respond to The Register's inquiries regarding a fix for the flaw and whether the vendor is aware of anyone exploiting the vulnerability. We will update this story if Fortinet replies.

According to Volexity, however, a Beijing-backed crew it tracks as “BrazenBamboo” has been exploiting the Fortinet flaw and also developed a post-exploit tool for Windows dubbed “DeepData”. This is a modular malware that, among other capabilities, can extract credentials from FortiClient VPN client process memory.

Volexity found the Fortinet zero-day in July while analyzing a new sample of DeepData, which has at least 12 unique plugins attackers can use for all sorts of criminal activity after infecting victims' machines. This includes the FortiClient plugin that steals credentials from the memory of FortiClient VPN processes.

Some of the other DeepData plugins can be used to steal credentials from 18 other sources on the compromised device. The malware can also:

"The FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory," Volexity's threat hunters wrote, noting that this is similar to a previous bug documented in 2016.

The new vulnerability, we're told, is due to Fortinet not clearing credentials and other sensitive data from memory after user authentication. It only affects recent versions of the Fortinet VPN client, including the latest, v7.4.0.
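As an added illustration of the defect class described above (constructed for this article; not Fortinet's code and not from Volexity's analysis), here is a stand-in credential record that is filled in for authentication and then left behind, beside a version that overwrites the password with a zeroing loop the compiler cannot optimize away once the handshake no longer needs it. Field names, sizes and sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CRED_MAX 128

/* Constructed stand-in for the kind of record a VPN client keeps while
 * connecting (field names are an assumption, not Fortinet's layout). */
struct vpn_creds {
    char username[CRED_MAX];
    char password[CRED_MAX];
    char gateway[CRED_MAX];
    unsigned short port;
};

/* Zeroing loop the optimizer cannot drop as a dead store
 * (same idea as explicit_bzero() / memset_s()). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Weak pattern: the secret is copied in for the handshake and then simply
 * left behind for the lifetime of the process. */
void authenticate_leaky(struct vpn_creds *c, const char *user,
                        const char *pass, const char *gw, unsigned short port) {
    memset(c, 0, sizeof *c);
    snprintf(c->username, CRED_MAX, "%s", user);
    snprintf(c->password, CRED_MAX, "%s", pass);
    snprintf(c->gateway, CRED_MAX, "%s", gw);
    c->port = port;
    /* ... tunnel setup would consume c->password here ... */
}

/* Hardened pattern: identical, except the password is overwritten as soon
 * as the handshake no longer needs it; username/gateway/port stay usable. */
void authenticate_scrubbed(struct vpn_creds *c, const char *user,
                           const char *pass, const char *gw, unsigned short port) {
    authenticate_leaky(c, user, pass, gw, port);
    secure_zero(c->password, sizeof c->password);
}

/* Test helper: is the cleartext secret still anywhere in the record?
 * Use it in unit tests to prove that scrubbing actually happened. */
int secret_resident(const void *buf, size_t n, const char *secret) {
    const unsigned char *b = buf;
    size_t len = strlen(secret);
    for (size_t i = 0; len && i + len <= n; i++)
        if (memcmp(b + i, secret, len) == 0) return 1;
    return 0;
}
```

A plain `memset(c->password, 0, ...)` on a buffer that is never read again may be removed by the optimizer as a dead store, which is why the scrub goes through a `volatile` pointer.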

BrazenBamboo also developed DeepPost, a tool used to steal files from compromised systems.

The group allegedly also worked on LightSpy, a malware family that isn't new: it was first spotted in 2020 by Kaspersky and Trend Micro.

Volexity thinks BrazenBamboo developed a new version of LightSpy for Windows that, unlike the macOS variant, is mostly executed in memory. The malware includes plugins to record keystrokes, audio, and video; collect cookies, stored credentials, and details on installed software and services; and provide a remote shell for the attacker to maintain access and execute commands.

"The timestamps associated with the latest payloads for DEEPDATA and LIGHTSPY are evidence that both malware families continue to be developed," Volexity's team wrote.

Until and unless Fortinet issues a fix, it is recommended that organizations use the detection rules Volexity has published to spot potentially malicious activity, and block the indicators of compromise (IOCs) it lists. ®
