Volexity Identifies Vulnerability in Fortinet's FortiClient VPN
Quick take - In July 2024, Volexity discovered a significant vulnerability in Fortinet’s FortiClient VPN that allows user credentials to persist in memory. The threat actor BrazenBamboo has exploited it using their DEEPDATA malware. Fortinet acknowledged the issue shortly after it was reported, but the vulnerability remains unresolved.
Fast Facts
- In July 2024, Volexity discovered a zero-day vulnerability in Fortinet’s FortiClient VPN, allowing user credentials to persist in memory post-authentication.
- The vulnerability was exploited by the threat actor BrazenBamboo using their DEEPDATA malware, which includes plugins for credential theft and data exfiltration.
- Fortinet acknowledged the vulnerability reported by Volexity on July 18, 2024, but it remains unresolved and lacks a CVE number.
- BrazenBamboo is linked to the LIGHTSPY malware family, which targets multiple platforms and has a complex command-and-control infrastructure.
- Volexity recommends implementing detection rules and blocking indicators of compromise to mitigate risks associated with BrazenBamboo’s malware.
Significant Vulnerability Discovered in Fortinet’s FortiClient
In July 2024, cybersecurity firm Volexity uncovered a significant vulnerability in Fortinet’s Windows VPN client, FortiClient, that allows user credentials to persist in process memory after authentication. This zero-day credential disclosure vulnerability was exploited by the threat actor known as BrazenBamboo using their sophisticated DEEPDATA malware.
Details of the Vulnerability
DEEPDATA is a modular post-exploitation tool designed for Windows systems. The vulnerability was identified during the analysis of a DEEPDATA sample, which included a specific plugin crafted to extract credentials from the FortiClient process memory. Volexity reported the vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue six days later. As of the latest updates, the vulnerability remains unresolved and does not yet have an assigned Common Vulnerabilities and Exposures (CVE) number.
DEEPDATA is characterized by its various components, including a loader, virtual file system, and core elements, which execute without requiring additional parameters. Among the 12 unique plugins identified for DEEPDATA, some are capable of stealing credentials, while others can record audio and extract data from messaging applications. Notably, the DEEPPOST malware is utilized for data exfiltration, allowing the malware to send files to remote systems via HTTPS.
Connection to LIGHTSPY Malware
BrazenBamboo is also linked to the LIGHTSPY malware family, which has been active since at least 2020 and targets individuals across various platforms, including iOS. A recently discovered Windows variant of LIGHTSPY employs a more complex architecture and uses a more advanced encoding algorithm compared to its predecessors. The command-and-control (C2) infrastructure supporting LIGHTSPY comprises 26 active hosts, with development ongoing since 2019. The execution chain for LIGHTSPY includes a UDP handshake for server communication, as well as WebSocket and HTTPS for data transmission.
There are notable overlaps between DEEPDATA and LIGHTSPY, including plugin functionality, C2 infrastructure, and developmental paths. Public reports indicate shared IP addresses and certificates between DEEPDATA and other malware families. Volexity assesses that BrazenBamboo is a well-resourced threat actor with multi-platform capabilities and a history of operational longevity. The analysis suggests that BrazenBamboo may function as a private enterprise providing advanced capabilities for governmental operators focused on domestic targets.
Recommendations for Mitigation
To mitigate the risks associated with these threats, Volexity recommends implementing specific detection rules and blocking identified indicators of compromise (IOCs). Volexity Volcano, a memory analysis framework, can assist in investigating systems potentially compromised by BrazenBamboo’s malware. As the situation evolves, the cybersecurity community continues to monitor these developments closely.