Security researchers have identified a Chinese state-sponsored threat group, dubbed “BrazenBamboo,” actively exploiting an unpatched zero-day vulnerability in Fortinet’s FortiClient Windows VPN client.
The vulnerability allows attackers to extract sensitive credentials directly from the application’s memory.
The flaw was reported to Fortinet in July 2024, but as of November 20, 2024, no patch has been released, leaving organizations that use the client exposed to credential theft.
Details of the Exploit
BrazenBamboo employs a modular post-exploitation toolkit named DEEPDATA. One of its plugins targets FortiClient specifically and extracts usernames, passwords, VPN server information, and other data from the client's process memory. The extraction was confirmed against FortiClient 7.4.0, the current release at the time of reporting, so simply being on the latest version does not remove the exposure.
Volexity reported the vulnerability to Fortinet on July 18, 2024, and received an acknowledgment on July 24, 2024. As of November 20, 2024, the issue remains unresolved and no Common Vulnerabilities and Exposures (CVE) identifier has been assigned.
Technical Analysis
- DEEPDATA's FortiClient plugin reads FortiClient's process memory and recovers credentials such as usernames, passwords, VPN gateway addresses, and ports. The credentials sit in encrypted JSON objects that the client leaves in memory after use rather than clearing them; the plugin locates and decrypts these objects.
- Attackers run DEEPDATA through a command-line loader, which decrypts and loads its core components from a virtual file system (VFS) stored on disk. The FortiClient plugin is one of the modules held in this VFS and is loaded from it on demand.
- The extracted credentials are sent to command-and-control (C2) servers with a separate BrazenBamboo tool, DEEPPOST, which handles exfiltration over HTTPS.
- Targeted Versions: the extraction was confirmed against FortiClient's then-current release (v7.4.0). The reporting indicates earlier releases are not affected in the same way, which suggests the flaw was introduced with a recent update rather than being long-standing.
Indicators of Compromise (IoCs)
Organizations should monitor for the following indicators associated with DEEPDATA and BrazenBamboo activity:
- Unusual HTTPS traffic to unknown endpoints, often on port 29983. TLS to a non-standard port (anything other than 443) from an endpoint that has no business reason for it is itself worth investigating.
- Presence of the following files on infected systems (no file hashes are listed here, so file names alone are weak indicators; confirm any match before acting on it):
  - data.dll (DEEPDATA loader)
  - mod.dat (DEEPDATA VFS)
  - msenvico.dll (FortiClient plugin)
- Encrypted JSON objects containing VPN credentials in FortiClient's process memory. Note that this is the precondition the attackers abuse and will be present on any affected install; it indicates exposure, not by itself compromise.
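The following is an added example, not code from Volexity, Fortinet, or the threat actor, showing how the network and file indicators above can be hunted together and correlated per host so that a machine showing both gets priority. It also covers the "monitor for unusual activity" recommendation below. Assumptions: a generic comma-separated egress log (timestamp, source IP, destination IP, destination port, protocol, bytes out), a file inventory of (host, path) pairs such as an EDR file-list query would return, an allow-list of known-good destinations, and a host-to-IP map; all sample data is constructed for the demo and uses documentation addresses.

```python
"""Hunt for the DEEPDATA / BrazenBamboo indicators listed on this page.

Added example, not the report's own code. Log format, file inventory,
allow-list and host map are assumptions; every sample value below is
constructed for the demo.
"""
import csv
import io
from pathlib import PureWindowsPath

# File-name indicators from the report. No hashes were published, so a
# name match is only a lead: confirm before acting on it.
IOC_FILENAMES = {
    "data.dll": "DEEPDATA loader",
    "mod.dat": "DEEPDATA virtual file system",
    "msenvico.dll": "DEEPDATA FortiClient plugin",
}

# Non-standard port the report associates with DEEPPOST exfiltration.
IOC_PORT = 29983

# Assumption: the organisation keeps an allow-list of known-good egress
# destinations; anything else on the IoC port is worth a look.
KNOWN_EGRESS = {"203.0.113.10"}

# Constructed egress log (TEST-NET addresses). Header matches the assumed format.
EGRESS_LOG = """\
ts,src_ip,dst_ip,dst_port,proto,bytes_out
2024-11-19T08:01:02Z,10.0.5.21,203.0.113.10,443,tcp,5120
2024-11-19T08:01:09Z,10.0.5.21,198.51.100.77,29983,tcp,84211
2024-11-19T08:02:11Z,10.0.5.22,203.0.113.10,29983,tcp,900
2024-11-19T08:03:40Z,10.0.5.23,192.0.2.44,443,tcp,2048
"""

# Constructed (host, path) pairs; note the mixed-case name on WS-023.
FILE_INVENTORY = [
    ("WS-021", r"C:\Users\alice\AppData\Local\Temp\data.dll"),
    ("WS-021", r"C:\Users\alice\AppData\Local\Temp\mod.dat"),
    ("WS-021", r"C:\Users\alice\AppData\Local\Temp\msenvico.dll"),
    ("WS-022", r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe"),
    ("WS-023", r"C:\Windows\Temp\MOD.DAT"),
]

# Constructed host-to-IP map used to join the two data sources.
HOST_IPS = {"WS-021": "10.0.5.21", "WS-022": "10.0.5.22", "WS-023": "10.0.5.23"}


def flag_egress(log_text, port=IOC_PORT, allowlist=KNOWN_EGRESS):
    """Return connections to `port` whose destination is not allow-listed."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dst_port"]) != port or row["dst_ip"] in allowlist:
            continue
        hits.append({"ts": row["ts"], "src": row["src_ip"],
                     "dst": row["dst_ip"], "bytes_out": int(row["bytes_out"])})
    return hits


def flag_files(paths):
    """Match Windows file names (case-insensitively) against the IoC list."""
    findings = []
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        if name in IOC_FILENAMES:
            findings.append((path, IOC_FILENAMES[name]))
    return findings


def triage(log_text=EGRESS_LOG, inventory=FILE_INVENTORY, host_ips=HOST_IPS):
    """Correlate both indicator types per host.

    A host with both a suspicious 29983 connection and an IoC file name is
    rated "high"; a host with only one of the two is rated "medium".
    Hosts with no findings are omitted.
    """
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    report = {}
    for hit in flag_egress(log_text):
        host = ip_to_host.get(hit["src"], hit["src"])
        report.setdefault(host, {"egress": [], "files": []})["egress"].append(hit)
    for host, path in inventory:
        for _, why in flag_files([path]):
            report.setdefault(host, {"egress": [], "files": []})["files"].append((path, why))
    for entry in report.values():
        entry["priority"] = "high" if entry["egress"] and entry["files"] else "medium"
    return report


if __name__ == "__main__":
    for host, entry in sorted(triage().items()):
        print(f"{host}: {entry['priority']}  "
              f"({len(entry['egress'])} egress hit(s), {len(entry['files'])} file hit(s))")
```

In the constructed data WS-021 is rated high (three IoC file names plus an 84 KB connection to an unlisted host on 29983), WS-023 medium (a renamed-case mod.dat only), and WS-022 does not appear because its 29983 connection went to an allow-listed destination. Any host that surfaces here should have its FortiClient VPN credentials treated as exposed, since that is exactly what the plugin harvests.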
Recommendations & Mitigation
Credentials stolen this way give BrazenBamboo a foothold on the corporate network, from which lateral movement and espionage can follow. With no official patch available, organizations using FortiClient are advised to implement the following measures:
- Restrict VPN Access: Limit VPN usage to personnel who need it and enforce strict access controls on VPN accounts.
- Monitor for Unusual Activity: Watch VPN login attempts and network behavior for anomalies that may indicate compromise, and treat the VPN credentials of any host showing the indicators above as compromised.
- Implement Network Segmentation: Isolate critical systems to prevent lateral movement in the event of a breach.
- Stay Informed: Regularly consult Fortinet’s advisories and security forums for updates regarding this vulnerability.