{
  "name": "Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA",
  "slug": "weaponizing-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata",
  "description": "A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a modular post-exploitation tool for Windows, and LIGHTSPY, a multi-platform malware family. DEEPDATA includes plugins for stealing credentials, collecting data from chat apps, and recording audio. The threat actor's infrastructure hosts various applications, including an email theft platform and a big data analysis platform for stolen data. Evidence suggests BrazenBamboo may be a private enterprise producing capabilities for governmental operators focused on domestic targets.",
  "published": "2024-11-16T14:01:06+00:00",
  "created_at": "2024-11-16T14:01:06+00:00",
  "modified_at": "2024-11-18T20:05:45+00:00",
  "created_at_opencti": "2024-11-16T14:01:06+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-11-16",
    "chinese threat actor",
    "credential-theft",
    "deepdata",
    "deeppost",
    "forticlient",
    "lightspy",
    "post-exploitation",
    "vpn",
    "zero-day"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:888e5f579da4222a",
        "name": "DeepPost",
        "slug": "deeppost"
      },
      {
        "id": "legacy:malware:1df8ac70dcd830ce",
        "name": "DeepData",
        "slug": "deepdata"
      },
      {
        "id": "93f07e6c-4a26-4f3f-a425-b64cdc946779",
        "name": "LightSpy",
        "slug": "lightspy"
      }
    ],
    "intrusion_sets": [
      {
        "id": "65ba9c33-d6a6-427e-a37d-5950595c6a87",
        "name": "BrazenBamboo",
        "slug": "brazenbamboo"
      }
    ],
    "attack_patterns": [
      {
        "id": "8142c537-ccb7-486e-a320-a51d2eac58db",
        "name": "T1552.002"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "f48eade0-2f45-4ff7-aa61-8ba887887f81",
        "name": "T1123"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Hong Kong"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/",
    "https://otx.alienvault.com/pulse/6738b3b24bc328fd786fdfb1"
  ]
}