Update now: Fortinet Windows VPN has been hacked to steal user data
- Researchers see a Chinese threat actor stealing Fortinet VPN credentials
- Thefts committed using a vulnerability discovered in 2023
- The bug has yet to be addressed or even assigned a CVE
Cybersecurity researchers have revealed that Fortinet’s Windows VPN client has for months contained a flaw that allows threat actors to steal user data – and Chinese hackers have now reportedly started exploiting the bug to harvest that data.
Experts from Volexity have published an in-depth report on a piece of malware called DeepData. This malware was used by a Chinese threat actor known as BrazenBamboo to steal login credentials and VPN server information from Fortinet VPNs.
As the experts explain, user credentials remain in the client’s process memory after a user logs in to the VPN. DeepData locates and decodes the JSON objects holding that data in the client’s process memory, effectively stealing the credentials and VPN server details. As a final step, DeepData exfiltrates the information to a server under the attackers’ control.
BrazenBamboo
Volexity discovered the vulnerability in early July 2024 and reported it to Fortinet. The company acknowledged the issue on July 24, but never took action on the findings and the vulnerability remains unresolved. It wasn’t even assigned a CVE number, and there’s no indication when a fix might be available, if ever.
The findings are troubling because Fortinet’s VPNs are used by many organizations of all sizes around the world. With valid credentials, cybercriminals can gain access to corporate networks, allowing them to move laterally, steal more information, and possibly even deploy ransomware.
Until a patch becomes available, Volexity advises users to limit VPN access and keep an eye out for unusual login activity.
BrazenBamboo appears to be a state-sponsored threat actor, meaning it is on China’s payroll. The researchers believe the group is the one that developed three well-known malware families: LightSpy, DeepData and DeepPost. Unlike North Korean groups, which do not shy away from deploying ransomware or other destructive malware, Chinese groups are primarily interested in cyber espionage and therefore usually do their best to remain hidden for as long as possible.
Via BleepingComputer