Source: Techworm
ID: 8630529
Publication date: 2024-11-19 18:44:28 (viewed: 2024-12-27 09:08:19)
Title: Chinese Hackers Exploit Fortinet Zero-Day To Harvest VPN Credentials
Text:
Cybersecurity researchers at Volexity recently reported that a Chinese state-affiliated threat actor exploited an unpatched zero-day vulnerability in Fortinet’s Windows VPN client, FortiClient, to steal sensitive VPN credentials directly from memory.
‘BrazenBamboo’, the suspected Chinese state-sponsored threat actor, is attributed with developing ‘DEEPDATA’, a modular post-exploitation malware for the Windows operating system that can extract credentials, record audio, and collect information from various apps.
Volexity also tracks BrazenBamboo as the developer of other malware families, such as LIGHTSPY and DEEPPOST. However, the company added that it does not necessarily link them to the operators utilizing them, as there could be multiple users.
During the analysis of the DEEPDATA malware family, the security researchers found that the malware's specialized FortiClient plugin exploited the vulnerability by extracting sensitive credentials such as usernames, passwords, remote gateways, and ports stored in JSON objects within the FortiClient VPN client's process memory.
According to cybersecurity experts, the DEEPDATA framework depends on a core dynamic-link library (DLL) component, “data.dll,” which is designed to decrypt and execute up to 12 unique plugins via an orchestrator for plugin execution named “frame.dll.”
Among these plugins is a newly identified “FortiClient” DLL, capable of extracting credentials and server information from the process memory of FortiClient VPN processes.
“Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process,” security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres wrote in a technical blog post on Friday.
The technique used by this plugin resembles the one behind a similar vulnerability discovered in 2016, in which credentials could be located in memory at hardcoded offsets.
However, Volexity confirmed that the 2024 vulnerability is new and present in FortiClient version 7.4.0, which was the latest version at the time of the flaw’s discovery.
The cybersecurity firm reported the credential disclosure vulnerability to Fortinet on July 18, 2024, which was acknowledged on July 24, 2024. However, the issue remains unpatched to date, and no CVE has been assigned to it.
“Volexity's analysis provides evidence that BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity. The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output,” the cybersecurity firm notes.
Besides DEEPDATA, BrazenBamboo has also developed DEEPPOST, a post-exploitation data exfiltration tool for sending files to a remote system using HTTPS.
DEEPDATA and DEEPPOST, along with LIGHTSPY, a multi-platform malware family known to target multiple operating systems, including iOS and Windows, showcase the threat actor's advanced and powerful cyber espionage capabilities and the risk posed to unpatched systems and sensitive user data.
Until Fortinet officially acknowledges the reported vulnerability and rolls out a security patch, limiting VPN access and monitoring login activity for any irregularities is advisable.
Organizations that rely on Fortinet solutions are encouraged to remain vigilant, as the flaw could expose sensitive credentials if exploited.
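As a defender-side illustration of the access pattern the article describes (a plugin reading credentials out of the FortiClient process's memory), here is an added Python example that is not code from the article, Volexity or Fortinet. It scans Sysmon ProcessAccess (Event ID 10) records, assumed to be exported as one JSON object per line, and flags any non-allowlisted process that obtains memory-read access to a process whose image name matches the assumed FortiClient executable names; the process names, paths, allowlist and sample records are all constructed assumptions.

```python
"""Flag processes reading FortiClient's memory: added defensive example, not the article's code."""
import json
import re

# Assumption: image names of the Windows FortiClient VPN processes.
FORTICLIENT_IMAGE = re.compile(r"\\(forticlient|fortisslvpndaemon|fortitray)\.exe$", re.I)
# Access right needed to read another process's memory (value from WinNT.h).
PROCESS_VM_READ = 0x0010
# Constructed allowlist of processes that legitimately open other processes.
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe"}


def is_suspicious(event: dict) -> bool:
    """True when a non-allowlisted process gains memory-read access to FortiClient (Sysmon Event ID 10 dict, assumed export shape)."""
    if event.get("EventID") != 10:
        return False
    if not FORTICLIENT_IMAGE.search(event.get("TargetImage", "")):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as hex text
    if not granted & PROCESS_VM_READ:
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLISTED_SOURCES


def scan(lines) -> list:
    """Return one alert string per suspicious record in a JSON-lines export."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            alerts.append(f"{ev['UtcTime']} {ev['SourceImage']} read memory of "
                          f"{ev['TargetImage']} (GrantedAccess={ev['GrantedAccess']})")
    return alerts


# Constructed sample records (paths are assumptions); only the third should alert.
_CLIENT = r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"
_TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 10, "UtcTime": "2024-11-19 18:00:01", "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": _CLIENT, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2024-11-19 18:00:02", "SourceImage": _TEMP_EXE, "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "UtcTime": "2024-11-19 18:00:03", "SourceImage": _TEMP_EXE, "TargetImage": _CLIENT, "GrantedAccess": "0x1410"},
    {"EventID": 10, "UtcTime": "2024-11-19 18:00:04", "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": _CLIENT, "GrantedAccess": "0x1000"},
]]
```

The fourth record shows why the access mask matters: a handle opened with only PROCESS_QUERY_LIMITED_INFORMATION (0x1000) cannot read memory and should not fire.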
Tags: Malware, Tool, Vulnerability, Threat, Technical