BrazenBamboo APT Exploiting FortiClient Zero-Day to Steal User Credentials

A sophisticated cyber espionage campaign conducted by a threat actor known as BrazenBamboo. The group is exploiting an unpatched vulnerability in Fortinet’s FortiClient VPN software for Windows to steal user credentials, as part of a broader attack using a modular malware framework called DEEPDATA.

The zero-day vulnerability, discovered in July 2024, allows attackers to extract VPN credentials from the memory of FortiClient processes. This flaw affects even the latest version of FortiClient (v7.4.0) available at the time of discovery.

BrazenBamboo, believed to be a Chinese state-affiliated threat actor, has developed multiple malware families including DEEPDATA, DEEPPOST, and LIGHTSPY.
BrazenBamboo APT

The DEEPDATA framework consists of a loader (data.dll) and various plugins designed to gather sensitive information from compromised Windows systems.

The FortiClient exploit is implemented through a plugin named “msenvico.dll,” which extracts usernames, passwords, remote gateways, and ports from JSON objects in the VPN client’s memory.

This technique is reminiscent of a similar vulnerability discovered in 2016, though the current exploit affects newer versions of FortiClient.

DEEPDATA’s capabilities extend beyond credential theft, encompassing the collection of data from popular messaging apps, browsers, and email clients. The malware can also record audio, capture keystrokes, and exfiltrate files from infected systems.

Volexity’s analysis reveals that BrazenBamboo maintains a sophisticated infrastructure for command and control (C2) operations. The group uses multiple servers for hosting malware payloads and management applications, with evidence suggesting ongoing development of their tools.

The researchers assess with medium confidence that BrazenBamboo is likely a private enterprise producing capabilities for government operators focused on domestic targets. This assessment is based on the language used in C2 infrastructure, architectural decisions in malware development, and the continued operation despite public exposure.

Volexity reported the FortiClient vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024. However, as of the time of Volexity’s report (November 2024), the issue remains unresolved and no CVE number has been assigned.

The discovery of this campaign highlights the persistent threat posed by well-resourced APT groups and the importance of prompt patching. Organizations using FortiClient VPN are advised to monitor for updates from Fortinet and implement additional security measures to protect sensitive credentials.

As the threat landscape continues to evolve, cybersecurity professionals must remain vigilant against sophisticated actors like BrazenBamboo, who demonstrate the ability to exploit zero-day vulnerabilities in widely-used security software.

Posted in Cybersecurity

Leave a Comment

Your email address will not be published. Required fields are marked *

*
*