Ethical Hacking News
A critical zero-day vulnerability has been discovered in Fortinet's Windows VPN client, allowing a China-linked group called BrazenBamboo to steal sensitive information. The bug remains unresolved, leaving users vulnerable to attacks until a patch is issued by Fortinet.
The Fortinet Windows VPN client has a critical zero-day vulnerability that allows attackers to steal credentials and sensitive information. The vulnerability remains unresolved, leaving users vulnerable to attacks. The bug is due to the VPN client not clearing sensitive data from memory after user authentication. BrazenBamboo, a China-linked group, is exploiting this vulnerability to steal credentials and other information. A second BrazenBamboo tool, called "DeepPost", is used to steal files from compromised systems. The group has continued to develop and improve its tools, indicating high sophistication and organization. Organizations are advised to patch their systems, implement security measures, and monitor for suspicious activity.
A recent discovery by memory forensics outfit Volexity has shed light on a critical zero-day vulnerability in Fortinet's Windows VPN client, which is being exploited by a China-linked group known as "BrazenBamboo" to steal credentials and other sensitive information. The bug, which was identified in July 2024, remains unresolved, leaving users vulnerable to attacks that can compromise their personal data and gain unauthorized access to systems.
According to Volexity's threat intelligence team, the zero-day vulnerability is due to the FortiClient VPN client not clearing credentials and other sensitive data from process memory after user authentication. This bug affects recent versions of the Fortinet VPN client, including the latest, v7.4.0. The group allegedly developed a post-exploit tool called "DeepData" that can extract credentials from FortiClient VPN client process memory. DeepData is a modular malware that also has capabilities to scoop up data from WeChat, WhatsApp, and Signal; record audio; collect contacts and emails from local Microsoft Outlook instances; steal messages and data from various messaging apps; and collect history, cookies, and passwords from the Firefox, Chrome, Opera, and Edge web browsers.
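The root cause described above is a lifetime bug: a secret is copied into memory for the authentication step and is still resident afterwards, where anything that can read the process (a debugger, a memory dump, a tool like DeepData) will find it. The following C program is an added illustration of that bug class and its mitigation; it is not Fortinet's code and not taken from Volexity's report. The `credential_t` record, the `auth_leaky`/`auth_wiped` functions and the `pretend_authenticate` stand-in are all hypothetical constructs for the example. The key detail is `secure_zero`: a plain `memset` on a buffer that is never read again is a dead store the optimizer may remove, so the wipe writes through a `volatile` pointer instead. `region_contains` plays the role of a forensic check that scans a memory region for the plaintext secret, which is exactly the verification a defender would run to confirm a fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical credential record, constructed for this example. */
typedef struct {
    char username[64];
    char password[128];
} credential_t;

/* Optimizer-resistant zeroing: stores through a volatile pointer cannot be
 * treated as dead and dropped the way a trailing memset() can be. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Forensic-style check: does the byte range [p, p+n) still contain needle?
 * Returns 1 if the plaintext is found, 0 otherwise. */
int region_contains(const void *p, size_t n, const char *needle) {
    const unsigned char *b = (const unsigned char *)p;
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(b + i, needle, m) == 0) return 1;
    }
    return 0;
}

/* Stand-in for the client's authentication step. A real client would send
 * the credential to the gateway; here it only "uses" the bytes. */
static size_t pretend_authenticate(const credential_t *c) {
    return strlen(c->username) + strlen(c->password);
}

/* Flawed pattern: the password stays resident in the record after the
 * authentication step has finished with it. */
credential_t *auth_leaky(const char *user, const char *pass) {
    credential_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    snprintf(c->username, sizeof c->username, "%s", user);
    snprintf(c->password, sizeof c->password, "%s", pass);
    (void)pretend_authenticate(c);
    return c;   /* plaintext password still in memory */
}

/* Hardened pattern: wipe the secret the moment the auth step no longer
 * needs it, keeping only the non-sensitive username for session display. */
credential_t *auth_wiped(const char *user, const char *pass) {
    credential_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    snprintf(c->username, sizeof c->username, "%s", user);
    snprintf(c->password, sizeof c->password, "%s", pass);
    (void)pretend_authenticate(c);
    secure_zero(c->password, sizeof c->password);
    return c;
}

int main(void) {
    /* Constructed sample credential; nothing real. */
    credential_t *a = auth_leaky("alice", "example-password");
    credential_t *b = auth_wiped("alice", "example-password");
    if (!a || !b) return 1;
    printf("leaky record still holds password: %d\n",
           region_contains(a, sizeof *a, "example-password"));
    printf("wiped record still holds password: %d\n",
           region_contains(b, sizeof *b, "example-password"));
    secure_zero(a, sizeof *a);
    free(a);
    free(b);
    return 0;
}
```

Wiping the password field is only part of the job: every copy the client makes along the way (input buffers, protocol encoders, log formatting) needs the same treatment, which is why this class of bug is easy to introduce and why a memory scan like `region_contains` over a process dump is the right acceptance test for a fix.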
BrazenBamboo is a Beijing-backed crew that has been linked to several other high-profile cyber attacks in recent years. The group allegedly developed another tool called "DeepPost" to steal files from compromised systems. Additionally, BrazenBamboo worked on LightSpy, a malware family first spotted in 2020 by Kaspersky and Trend Micro. Volexity believes that the group recently developed a new version of LightSpy for Windows that is mostly executed in memory.
The timestamps associated with the latest payloads for DeepData and LightSpy are evidence that both malware families continue to be developed, according to Volexity's team. The fact that BrazenBamboo has continued to develop and improve its tools suggests a high level of sophistication and organization within the group.
Until Fortinet issues a fix for this critical vulnerability, it is recommended that organizations use the detection rules referenced in the source reports to identify potentially malicious activity, and block the indicators of compromise (IOCs) those reports list. Users are advised to take immediate action to patch their systems and implement additional security measures to prevent potential attacks.
The discovery of this zero-day exploit highlights the ongoing threats posed by sophisticated cyber groups and the importance of staying vigilant in protecting against advanced persistent threats. As organizations continue to evolve and become more dependent on cloud-based services, it is essential that they prioritize robust cybersecurity measures to mitigate these risks.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/11/19/china_brazenbamboo_fortinet_0day/
https://www.msn.com/en-us/money/other/china-linked-group-abuses-fortinet-0-day-with-post-exploit-vpn-credential-stealer/ar-AA1uo9YV
https://www.techworm.net/2024/11/chinese-hackers-exploit-fortinet-zero-day-vpn-credentials.html
Published: Tue Nov 19 18:09:38 2024 by llama3.2 3B Q4_K_M