A Chinese state-affiliated threat actor known as BrazenBamboo has been exploiting an unpatched vulnerability in Fortinet's FortiClient for Windows to extract sensitive VPN credentials. The attack leverages a modular post-exploitation framework called DEEPDATA, according to cybersecurity firm Volexity.
Volexity said it discovered the zero-day exploit in July 2024. DEEPDATA is a sophisticated tool designed to collect extensive data from compromised Windows devices. The tool's capabilities include a plugin specifically tailored to extract credentials directly from the FortiClient VPN process memory. The framework is modular and versatile, capable of adapting to various operational requirements.
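The credential-theft step described above works by reading the VPN client's process memory from another process. Whatever the specific plugin does, that cross-process read is the observable a defender can key on: Sysmon's ProcessAccess event (Event ID 10) records which process opened a handle to which target and with what access mask. The script below is an added example written for this article, not code from Volexity or Fortinet; it runs a simple rule over constructed sample records. The VPN client image name is a placeholder because the article does not name the FortiClient binary, the `updater.exe` path and the allowlist are assumptions, and the record format is a constructed key=value rendering rather than real Sysmon XML.

```python
"""Detection sketch: flag processes that open the VPN client's memory for reading.

Added example, not from the article, Volexity or Fortinet.  It consumes Sysmon
ProcessAccess records (Event ID 10) rendered as constructed key=value lines.
The VPN client image name is a PLACEHOLDER: the article does not name the
FortiClient binary, so substitute the real image name in your environment.
"""
from typing import Dict, List

# Windows process access rights (documented Win32 values).
PROCESS_VM_READ = 0x0010            # required to read another process's memory
PROCESS_QUERY_INFORMATION = 0x0400  # harmless on its own (Task Manager uses it)

# PLACEHOLDER: set to the real image name of the VPN client process you protect.
VPN_CLIENT_IMAGES = {"vpnclient_placeholder.exe"}

# Sources that legitimately touch other processes' memory; tune per environment.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample records, one Sysmon event per line (paths are made up).
SAMPLE_EVENTS = [
    r"EventID=10 | SourceImage=C:\Users\alice\AppData\Local\Temp\updater.exe | "
    r"TargetImage=C:\Program Files\VPNClient\vpnclient_placeholder.exe | GrantedAccess=0x1010",
    r"EventID=10 | SourceImage=C:\Windows\System32\csrss.exe | "
    r"TargetImage=C:\Program Files\VPNClient\vpnclient_placeholder.exe | GrantedAccess=0x1FFFFF",
    r"EventID=10 | SourceImage=C:\Windows\System32\Taskmgr.exe | "
    r"TargetImage=C:\Program Files\VPNClient\vpnclient_placeholder.exe | GrantedAccess=0x1400",
    r"EventID=10 | SourceImage=C:\Users\alice\AppData\Local\Temp\updater.exe | "
    r"TargetImage=C:\Windows\System32\notepad.exe | GrantedAccess=0x1010",
    r"EventID=1 | Image=C:\Users\alice\AppData\Local\Temp\updater.exe | CommandLine=updater.exe /q",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v | k=v' record into a dict (values may contain spaces)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename_lower(path: str) -> str:
    """Case-insensitive file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def grants_memory_read(granted_access: str) -> bool:
    """True when the hex GrantedAccess mask includes PROCESS_VM_READ."""
    return bool(int(granted_access, 16) & PROCESS_VM_READ)


def suspicious_vpn_memory_reads(lines: List[str]) -> List[Dict[str, str]]:
    """Return ProcessAccess events in which a non-allowlisted process obtains
    read access to the VPN client's memory.  Query-only handles are ignored."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events carry a memory-access mask
        if basename_lower(ev.get("TargetImage", "")) not in VPN_CLIENT_IMAGES:
            continue  # target is not the VPN client
        if ev.get("SourceImage", "").lower() in ALLOWLISTED_SOURCES:
            continue  # known-good system process
        if not grants_memory_read(ev.get("GrantedAccess", "0x0")):
            continue  # handle cannot read memory (e.g. 0x1400 = query only)
        findings.append({
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "access": ev["GrantedAccess"],
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_vpn_memory_reads(SAMPLE_EVENTS):
        print(f"ALERT: {f['source']} opened {f['target']} with {f['access']}")
```

Two caveats a practitioner should keep in mind: Sysmon only emits Event ID 10 for targets named in its configuration (default configurations typically cover lsass.exe only), so the VPN client process has to be added as a ProcessAccess target before this rule sees anything; and an allowlist keyed on image path alone is a convenience, not a trust boundary, so pair it with signature or hash checks in production.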
Volexity alerted Fortinet to the vulnerability on July 18, 2024, but as of today, the issue remains unresolved, and no CVE identifier has been assigned.
The BrazenBamboo threat group is linked to several advanced malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST. While Volexity tracks BrazenBamboo as the developer of these tools, the firm noted that multiple threat actors might be deploying them.
Volexity also found a previously undocumented Windows variant of LIGHTSPY, suggesting that the group continues to evolve its toolkit to target both Windows and mobile platforms.
The report comes amid mounting accusations of Chinese cyber-espionage targeting US critical infrastructure. Last week, the US authorities accused China-linked hackers of extensive cyber-espionage targeting multiple American telecom companies. According to a joint statement by the FBI and CISA, the attackers accessed customer call records and communications, focusing on individuals involved in government or political activities. They also intercepted surveillance data meant for US law enforcement, including information obtained through court-ordered requests.
According to recent media reports, T-Mobile, the second largest mobile carrier in the United States, was among the companies compromised in this campaign.
Separately, attack surface management provider watchTowr reported a possible vulnerability in Fortinet’s products, dubbed “FortiJump Higher,” which could allow a compromised FortiGate device to elevate privileges and take control of the FortiManager instance managing it. The company says it is similar to the previously discovered vulnerability “FortiJump” (CVE-2024-47575), a critical authentication flaw in the FortiManager fgfmd daemon. FortiJump enables remote unauthenticated attackers to execute arbitrary commands across FortiManager devices. The flaw is actively exploited in the wild, often alongside another critical Fortinet vulnerability, CVE-2024-23113.