Full Report
[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions, as well as patching & workaround advice.]

**Key Takeaways**

- Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN.
- This vulnerability was abused by BrazenBamboo in their DEEPDATA malware.
- BrazenBamboo is the threat actor behind development of the LIGHTSPY malware family.
- LIGHTSPY variants have been discovered for all major operating systems, including iOS, and Volexity has recently discovered a new Windows variant.

In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. […]

The post BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA appeared first on Volexity.
Analysis Summary
# Threat Actor: BrazenBamboo
## Attribution & Identity
Attributed by Volexity to a **Chinese state-affiliated threat actor**.
Known Aliases/Associated Groups: Developer of the **LIGHTSPY**, **DEEPDATA**, and **DEEPPOST** malware families. Volexity tracks BrazenBamboo as the developer, not necessarily the sole operator.
## Activity Summary
Volexity identified exploitation of a **zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client (FortiClient)** in July 2024. This exploitation was used in conjunction with the **DEEPDATA** malware to steal credentials from the client's process memory. The actor utilizes the **DEEPPOST** malware to exfiltrate files from compromised systems. BrazenBamboo is also developing a new, undocumented Windows variant of **LIGHTSPY**.
## Tactics, Techniques & Procedures
The TTPs detailed revolve around post-exploitation data gathering and credential theft:
- **Exploitation of Third-Party Software Zero-Day:** Exploited an unpatched vulnerability in Fortinet FortiClient (Windows VPN client) to disclose user credentials remaining in process memory post-authentication.
- **Credential Access:** A dedicated DEEPDATA plugin extracts credentials from the memory of the FortiClient VPN client process.
- **Modular Post-Exploitation:** Use of DEEPDATA, a modular tool allowing for plugin execution and extensive information gathering.
- **Data Staging/Obfuscation:** Use of **DEEPDATA**'s Virtual File System (VFS) structure (`mod.dat`) to store core components encrypted.
- **Execution Flow:** Use of a loader (`data.dll`) to decrypt and execute core components, often involving **Heaven’s Gate** code in `ffmpeg.dll` to load 32-bit code into 64-bit processes.
- **Data Collection via Plugins:** Plugins used to collect:
  - Instant messaging app data (WeChat, Line, and Feishu: account forensics and chat contents).
  - Browser data (access records, cookies, and saved passwords).
  - Email forensics (NetEase, QQ, Gmail, etc., including account, folder, and EML content).
  - Basic system information (hostname, IP, OS, hardware specs).
- **File Exfiltration:** Use of **DEEPPOST** for exfiltrating files from compromised systems.
- **Data Forensics:** Techniques for collecting local data such as WeChat and Feishu data using dedicated libraries (`iumdll.dll`, `ucrtbase_enclave.dll`).
## Targeting
- Sectors: Not explicitly listed, but the targeting of VPN credentials and corporate communication/collaboration data suggests focus on organizations utilizing these VPNs (likely enterprises/government).
- Geography: Not explicitly stated, but associated with a Chinese state actor.
- Victims: No specific named victim organizations were mentioned in the summary.
## Tools & Infrastructure
- **Malware Families:**
  - **DEEPDATA:** Modular post-exploitation tool for Windows.
  - **DEEPPOST:** Used for file exfiltration.
  - **LIGHTSPY:** Malware family with variants across major OSes, including a newly discovered Windows variant.
- **DEEPDATA Components:**
  - Loader (`data.dll`).
  - Virtual File System (`mod.dat`).
  - Plugins for specific data collection.
  - Core components including shellcode (`frame.dll`), Heaven's Gate code (`ffmpeg.dll`), and libraries for log collection (`vertdll.dll`), WeChat collection (`iumdll.dll`), and Feishu collection (`ucrtbase_enclave.dll`).
- **Infrastructure:** Associated with a wider Command-and-Control (C2) infrastructure, though specific indicators were not provided in the summary.
## Implications
BrazenBamboo demonstrates a high level of sophistication by exploiting a zero-day vulnerability in widely used endpoint security/VPN technology (FortiClient) specifically to harvest VPN session credentials. Their multi-faceted malware suite (LIGHTSPY, DEEPDATA, DEEPPOST) indicates a focus on persistent access, comprehensive data harvesting (including niche applications like WeChat and Feishu), and systematic exfiltration, consistent with state-sponsored espionage objectives.
## Mitigations
- **Patch Management:** Promptly apply vendor patches for security vulnerabilities, especially those in high-profile security software like VPN clients. (Note: Fortinet issued acknowledgement and patching advice on December 18, 2024).
- **Memory Monitoring:** Implement advanced endpoint detection and response (EDR) capabilities capable of monitoring process memory for suspicious credential harvesting techniques or abnormal process behavior (e.g., Heaven's Gate usage).
- **Application Control:** Monitor for the execution of unknown loaders and the invocation of custom, signed files acting as malware components.
- **Credential Hygiene:** Review and enforce policies to limit the scope of user access obtained via VPN credentials, potentially by utilizing MFA or shorter session lifetimes.
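As an added hunting example for the application-control mitigation above (not code from the Volexity report), this Python script walks a directory tree for the DEEPDATA component set listed under Tools & Infrastructure: it flags a directory that holds the loader `data.dll` together with the VFS file `mod.dat`, or two or more of the core library names outside the Windows system directories, where `vertdll.dll`, `iumdll.dll` and `ucrtbase_enclave.dll` legitimately reside. The co-location thresholds and the trusted-directory list are assumptions, and the sample tree of empty files is constructed for an offline run.

```python
import os
import tempfile

# DEEPDATA component names listed in the report: loader, encrypted VFS, and core libraries.
LOADER_AND_VFS = {"data.dll", "mod.dat"}
CORE_LIBS = {"frame.dll", "ffmpeg.dll", "vertdll.dll", "iumdll.dll", "ucrtbase_enclave.dll"}
# Assumed: where vertdll/iumdll/ucrtbase_enclave legitimately live on Windows, so they are not flagged there.
DEFAULT_SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

def _norm(path):
    return os.path.normcase(os.path.abspath(path))

def is_system_dir(path, system_dirs):
    """True when `path` is a trusted system directory or lies beneath one."""
    p = _norm(path)
    return any(p == _norm(s) or p.startswith(_norm(s) + os.sep) for s in system_dirs)

def scan_tree(root, system_dirs=DEFAULT_SYSTEM_DIRS):
    """Return [(directory, sorted matched names)] for directories holding the loader
    together with the VFS file, or two or more core library names outside a system
    directory. Both thresholds are assumed hunting heuristics, not report findings."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        loader_vfs, libs = LOADER_AND_VFS & names, CORE_LIBS & names
        if loader_vfs == LOADER_AND_VFS or (len(libs) >= 2 and not is_system_dir(dirpath, system_dirs)):
            hits.append((dirpath, sorted(loader_vfs | libs)))
    return hits

def build_sample_tree():
    """Constructed layout of empty placeholder files (not real samples) for an offline run."""
    root = tempfile.mkdtemp(prefix="deepdata_hunt_")
    layout = {
        ("ProgramData", "Updater"): ["data.dll", "mod.dat", "ffmpeg.dll", "frame.dll"],
        ("Windows", "System32"): ["vertdll.dll", "iumdll.dll", "ucrtbase_enclave.dll"],
        ("Users", "alice", "Music"): ["ffmpeg.dll", "song.mp3"],
    }
    for parts, files in layout.items():
        os.makedirs(os.path.join(root, *parts))
        for f in files:
            open(os.path.join(root, *parts, f), "wb").close()
    return root

def demo():
    """Scan the constructed tree, treating its own Windows\\System32 as the trusted directory."""
    root = build_sample_tree()
    return scan_tree(root, system_dirs=(os.path.join(root, "Windows", "System32"),))
```

Only the staging directory with the loader and VFS is reported; the three enclave DLL names under the trusted directory and the lone `ffmpeg.dll` in a user folder are not.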