
China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer

No word on when or if the issue will be fixed


Chinese government-linked snoops are exploiting a zero-day bug in Fortinet's Windows VPN client to steal credentials and other information, according to memory forensics outfit Volexity.

The Volexity threat intelligence team reported the zero-day vulnerability to Fortinet on July 18 after identifying its exploitation in the wild. Fortinet acknowledged the issue on July 24, according to a November 15 report by the vendor’s Callum Roxan, Charlie Gardner, and Paul Rascagneres.

"At the time of writing, this issue remains unresolved and Volexity is not aware of an assigned CVE number," the trio wrote.

Fortinet did not respond to The Register's inquiries regarding a fix for the flaw and whether the vendor is aware of anyone exploiting the vulnerability. We will update this story if Fortinet replies.

According to Volexity, however, a Beijing-backed crew it tracks as “BrazenBamboo” has been exploiting the Fortinet flaw and also developed a post-exploit tool for Windows dubbed “DeepData”. This is a modular malware that, among other capabilities, can extract credentials from FortiClient VPN client process memory.

Volexity found the Fortinet zero-day in July while analyzing a new sample of DeepData, which has at least 12 unique plugins that attackers can use for all sorts of criminal activity after infecting victims' machines. These include the FortiClient plugin, which steals credentials from the memory of FortiClient VPN processes.

Some of the other DeepData plugins can be used to steal credentials from 18 other sources on the compromised device. The malware can also:

"The FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory," Volexity's threat hunters wrote, noting that this is similar to a previous bug documented in 2016.

The new vulnerability, we're told, is due to Fortinet not clearing credentials and other sensitive data from memory after user authentication. It only affects recent versions of the Fortinet VPN client, including the latest, v7.4.0.
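The defensive pattern implied by that description, as an added example that is not code from Fortinet, Volexity or this article: wipe the in-memory credential object with a write the compiler cannot discard as a dead store, and include the kind of check a developer's unit test can run to catch secrets that linger after authentication. The JSON field names, the credential values and the struct are constructed assumptions, not FortiClient internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe that the optimizer cannot drop: a plain memset() on a buffer that is
 * never read again may be eliminated. The volatile pointer keeps every store;
 * on Windows SecureZeroMemory() serves the same purpose. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Constructed stand-in for a credential object held in client memory. */
typedef struct {
    char json[256];
} vpn_session_t;

/* Serialise the credentials the way a client might before sending them. */
static void session_build(vpn_session_t *s, const char *user, const char *pw,
                          const char *gateway, int port) {
    snprintf(s->json, sizeof s->json,
             "{\"username\":\"%s\",\"password\":\"%s\",\"gateway\":\"%s\",\"port\":%d}",
             user, pw, gateway, port);
}

/* Once authentication has completed the secret material is no longer needed. */
static void session_scrub(vpn_session_t *s) {
    secure_wipe(s->json, sizeof s->json);
}

/* Audit helper: 1 if needle occurs anywhere in buf. A unit test that runs this
 * over its own buffers after scrubbing catches the defect the article describes. */
static int buffer_contains(const void *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    const unsigned char *b = buf;
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(b + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 0 when the secret was present before and absent after the scrub,
 * 1 if it was never present (helper broken), 2 if it lingers after scrubbing. */
static int check_password_scrubbed(void) {
    vpn_session_t s;
    const char *pw = "constructed-pw-0000";            /* constructed value */
    session_build(&s, "alice", pw, "vpn.example.invalid", 443);
    if (!buffer_contains(s.json, sizeof s.json, pw)) return 1;
    session_scrub(&s);
    return buffer_contains(s.json, sizeof s.json, pw) ? 2 : 0;
}
```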

BrazenBamboo also developed DeepPost, a tool used to steal files from compromised systems.

The group allegedly also worked on LightSpy, a malware family that isn't new: it was first spotted in 2020 by Kaspersky and Trend Micro.

Volexity thinks BrazenBamboo developed a new version of LightSpy for Windows that, unlike the macOS variant, is mostly executed in memory. The malware includes plugins to record keystrokes, audio, and video; collect cookies, stored credentials, and details on installed software and services; and provide a remote shell for the attacker to maintain access and execute commands.

"The timestamps associated with the latest payloads for DEEPDATA and LIGHTSPY are evidence that both malware families continue to be developed," Volexity's team wrote.

Until and unless Fortinet issues a fix, it is recommended that organizations use these rules to detect potentially malicious activity, and block these indicators of compromise (IOCs). ®
