A security vulnerability in Fortinet’s FortiClient for Windows has been exploited by the threat group known as **BrazenBamboo**, allowing them to extract VPN credentials using a modular framework named **DEEPDATA**. This exploitation was disclosed by Volexity, which reported the zero-day vulnerability’s emergence in July 2024. BrazenBamboo is also linked to other malicious tools like DEEPPOST and [LightSpy](https://thehackernews.com/2024/10/new-lightspy-spyware-version-targets.html), underscoring the breadth of their cyber operations.

According to Volexity, DEEPDATA is a sophisticated post-exploitation tool specifically designed for Windows systems, facilitating extensive data collection from compromised devices. Security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres provided a detailed report on the capabilities of DEEPDATA, noting its modular nature that allows it to gather diverse information ranging from application passwords to network settings.

The malware gained attention earlier this week after BlackBerry detailed the surveillance framework’s deployment by the China-linked threat actor APT41. This framework is reportedly used to harvest sensitive data from messaging platforms including WhatsApp, Telegram, and Signal, as well as browser information and installed software.

Notably, the core of DEEPDATA comprises a dynamic-link library (DLL) loader referred to as “data.dll,” which is capable of decrypting and launching various plugins through an orchestrator module called “frame.dll.” Among the available plugins is a previously undocumented FortiClient DLL that exploits the aforementioned vulnerability to capture VPN credentials directly from the client’s memory.

Researchers at Volexity revealed they reported this critical flaw to Fortinet on July 18, 2024, yet, as of now, the vulnerability remains unpatched. The growing concern regarding this oversight is tangible, as the attack potentially permits unauthorized access to sensitive networks, which could have significant repercussions for organizations relying on Fortinet’s products. The Hacker News has reached out to Fortinet for comment and will provide updates accordingly.

In addition to DEEPDATA, BrazenBamboo leverages DEEPPOST, a post-exploitation data exfiltration tool that lets attackers siphon files to remote endpoints. The pairing of DEEPDATA for collection with DEEPPOST for exfiltration reflects a mature cyber-espionage capability and adds to the complexity of the threat landscape.

LightSpy, which emerged in 2022, has evolved to target multiple operating systems, including macOS, iOS, and now Windows. This evolution reflects the group’s strategic emphasis on communication platforms, through which it pursues stealthy yet persistent access to sensitive information.

The infrastructure supporting LightSpy and DEEPDATA suggests development organized along the lines of a private enterprise, akin to that seen in state-sponsored hacking initiatives. The systematic approach observed in these operations signals a well-resourced adversary committed to ongoing development and strategic targeting.

In terms of the MITRE ATT&CK framework, techniques that map to BrazenBamboo’s operations could include initial access through exploitation of software vulnerabilities, persistence via the installation of malware, and credential access through memory scraping. Further investigation into these tactics will be essential for organizations seeking to mitigate the risks associated with such advanced threats.

As cyber threats continue to evolve, maintaining robust security practices is imperative for businesses to protect sensitive data. Awareness of vulnerabilities like the one in FortiClient and an understanding of tactics employed by sophisticated threat actors can aid organizations in reinforcing their defenses against potential exploits.