
Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

Published 16/11/2024 15:01 · Modified 18/11/2024 21:05


Essential information

Tags
2024-11-16 chinese threat actor credential-theft deepdata deeppost forticlient lightspy post-exploitation vpn zero-day
Related entities
1 intrusion set (APT), 12 techniques (MITRE ATT&CK), 3 malware, 2 others

Description

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a vulnerability in Fortinet's FortiClient Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the process memory. BrazenBamboo uses two malware families: , a modular tool for Windows, and , a multi-platform malware. includes plugins for stealing credentials, collecting data from chat apps, and recording audio. The threat actor's infrastructure hosts various applications, including an email theft platform and a big data analysis platform for stolen data. Evidence suggests BrazenBamboo may be a private enterprise producing capabilities for governmental operators focused on domestic targets.

External references