
Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a modular post-exploitation tool for Windows, and LIGHTSPY, a multi-platform malware. DEEPDATA includes plugins for stealing credentials, collecting data from chat apps, and recording audio. The threat actor's infrastructure hosts various applications, including an email theft platform and a big data analysis platform for stolen data. Evidence suggests BrazenBamboo may be a private enterprise producing capabilities for governmental operators focused on domestic targets.

OPENCTI LABELS :

vpn, credential theft, zero-day, lightspy, post-exploitation, chinese threat actor, deeppost, deepdata, forticlient



