Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket

Home » Cyber Security News » Vulnerabilities & Exploits » Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

https://firewall.firm.in/wp-content/uploads/2024/11/lock.png

A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet’s FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA.

Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA, DEEPPOST, and LightSpy.

“DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices,” security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said Friday.

The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as application passwords, web browser information, Wi-Fi hotspots, and installed software.

Cybersecurity

“Since their initial development of the LightSpy spyware implant in 2022, the attacker has been persistently and methodically working on the strategic targeting of communication platforms, with the emphasis on stealth and persistent access,” the BlackBerry threat research team noted.

The core component of DEEPDATA is a dynamic-link library (DLL) loader called “data.dll” that’s engineered to decrypt and launch 12 different plugins using an orchestrator module (“frame.dll”). Present among the plugins is a previously undocumented “FortiClient” DLL that can capture VPN credentials.

“This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client’s process,” the researchers said.

Volexity said it reported the flaw to Fortinet on July 18, 2024, but noted that the vulnerability remains unpatched. The Hacker News has reached out to the company for comment, and we will update the story if we hear back.

Another tool that’s part of BrazenBamboo’s malware portfolio is DEEPPOST, a post-exploitation data exfiltration tool that’s capable of exfiltrating files to a remote endpoint.

DEEPDATA and DEEPPOST add to the threat actor’s already powerful cyber espionage capabilities, expanding on LightSpy, which comes in different flavors for macOS, iOS, and now Windows.

“The architecture for the Windows variant of LightSpy is different from other documented OS variants,” Volexity said. “This variant is deployed by an installer that deploys a library to execute shellcode in memory. The shellcode downloads and decodes the orchestrator component from the [command-and-control] server.”

The orchestrator is executed by means of a loader called BH_A006, which has been previously put to use as early as by a suspected Chinese threat group referred to as Space Pirates, which has a history of targeting Russian entities.

Cybersecurity

That said, it’s currently not clear if this overlap is due to whether BH_A006 is a commercially available malware or is evidence of a digital quartermaster that’s responsible for overseeing a centralized pool of tools and techniques among Chinese threat actors.

The LightSpy orchestrator, once launched, uses WebSocket and HTTPS for communication for data exfiltration, respectively, and leverages as many as eight plugins to record webcam, launch a remote shell to execute commands, and collect audio, browser data, files, keystrokes, screen captures, and a list of installed software.

LightSpy and DEEPDATA share several code- and infrastructure-level overlaps, suggesting that the two malware families are likely the work of a private enterprise that has been tasked with developing hacking tools for governmental operators, as evidenced by companies like Chengdu 404 and I-Soon.

“BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity,” Volexity concluded. “The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Information Security - InfoSec - Cyber Security - Firewall Providers Company in India

 

 

 

 

 

 

 

 

 

 

 

 

What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, Viruses, Spyware, Worms, Trojans, Adware, Keyloggers, Malicious Mobile Code (MMC), and other dangerous applications for total protection in a convenient, affordable subscription-based service. Modern threats like web-based malware attacks, targeted attacks, application-layer attacks, and more have had a significantly negative effect on the threat landscape. In fact, more than 80% of all new malware and intrusion attempts are exploiting weaknesses in applications, as opposed to weaknesses in networking components and services. Stateful firewalls with simple packet filtering capabilities were efficient blocking unwanted applications as most applications met the port-protocol expectations. Administrators could promptly prevent an unsafe application from being accessed by users by blocking the associated ports and protocols.

 

Firewall Firm is an IT Monteur Firewall Company provides Managed Firewall Support, Firewall providers , Firewall Security Service Provider, Network Security Services, Firewall Solutions India , New Delhi - India's capital territory , Mumbai - Bombay , Kolkata - Calcutta , Chennai - Madras , Bangaluru - Bangalore , Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat, Jaipur, Firewall Service Providers in India

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net

Register & Request Quote | Submit Support Ticket