- Researchers detect Chinese threat actor stealing Fortinet VPN login credentials
- Thefts carried out thanks to a vulnerability discovered in 2023
- The bug has not been fixed and has not even been assigned a CVE
Cybersecurity researchers have revealed that for months now, Fortinet's Windows VPN client has been vulnerable to a flaw that allows threat actors to steal user credentials, and Chinese hackers have reportedly begun exploiting the bug to steal that data.
Volexity experts have published a detailed report on a malware called DeepData. This malware was used by a Chinese threat actor known as BrazenBamboo to steal login credentials and VPN server information from Fortinet VPNs.
As experts explain, after a user logs into the VPN, the user's credentials remain in the process memory. DeepData can find and decrypt JSON objects in the client's process memory, effectively stealing the information. As a final step, DeepData can leak the information to a server under the attackers' control.
SassyBamboo
Volexity found the vulnerability in early July 2024 and reported it to Fortinet. The company acknowledged the issue on July 24; however, it never acted on the findings, and the vulnerability has not yet been resolved. It wasn't even assigned a CVE number, and there's no indication of when, if ever, a fix might be available.
The findings are disturbing, as Fortinet VPNs are used by many organizations of all sizes around the world. By obtaining login credentials, cybercriminals can gain access to company networks, allowing them to move laterally, steal more information, and potentially even deploy ransomware.
Until a patch is available, Volexity advises users to restrict access to the VPN and be on the lookout for unusual login activity.
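One way to act on that advice is to review VPN authentication logs for logins that do not fit a user's usual pattern. The script below is an added example and is not code from the article, Volexity or Fortinet: it parses a constructed, vendor-neutral log format (`timestamp user=... src=... result=...`, not any real Fortinet syslog layout), and flags successful logins that come from outside a user's known source ranges, happen outside expected hours, or follow a burst of failed attempts. The user names, IP addresses, timestamps and the `KNOWN_SOURCES` allowlist are all constructed for the demonstration.

```python
"""Flag VPN logins that look unusual for a given user.

Added example (not from the article, Volexity or Fortinet). The log
format, users, IPs and timestamps below are constructed for the demo.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one successful or failed VPN login per line.
SAMPLE_LOG = """\
2024-11-18T08:02:11Z user=alice src=203.0.113.10 result=success
2024-11-18T08:05:40Z user=bob src=203.0.113.11 result=success
2024-11-18T09:14:02Z user=alice src=203.0.113.10 result=success
2024-11-18T22:47:19Z user=alice src=198.51.100.77 result=success
2024-11-18T22:48:03Z user=alice src=198.51.100.77 result=success
2024-11-19T03:10:55Z user=bob src=192.0.2.200 result=failure
2024-11-19T03:11:20Z user=bob src=192.0.2.200 result=failure
2024-11-19T03:11:58Z user=bob src=192.0.2.200 result=success
"""

# Constructed allowlist: the source networks each user normally connects from.
KNOWN_SOURCES = {
    "alice": [ipaddress.ip_network("203.0.113.0/24")],
    "bob": [ipaddress.ip_network("203.0.113.0/24")],
}

# Hours (UTC) during which logins are expected; anything else is "off-hours".
BUSINESS_HOURS = range(6, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    return events


def find_unusual_logins(events, known_sources,
                        failure_window=timedelta(minutes=5),
                        failure_threshold=2):
    """Return (user, src, timestamp, reasons) for each suspicious success.

    A success is flagged when the source IP is outside the user's known
    ranges, the login is outside business hours, or at least
    `failure_threshold` failures for that user occurred within
    `failure_window` before it. Failures reset after a success so the
    same burst is not counted twice.
    """
    alerts = []
    recent_failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] != "success":
            recent_failures[user].append(ts)
            continue
        reasons = []
        if not any(src in net for net in known_sources.get(user, [])):
            reasons.append("source IP outside the user's known ranges")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("login outside expected hours")
        fails = [t for t in recent_failures[user] if ts - t <= failure_window]
        if len(fails) >= failure_threshold:
            reasons.append(f"{len(fails)} failed attempts shortly before success")
        recent_failures[user] = []
        if reasons:
            alerts.append((user, str(src), ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, src, when, reasons in find_unusual_logins(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{when} {user} from {src}: {'; '.join(reasons)}")
```

On the constructed sample this reports alice's two evening logins from a new address and bob's early-morning login from an unknown address that followed two failures. The allowlist and hours are deliberately simple stand-ins for a real baseline; in practice the "known" ranges would be learned from weeks of history rather than hard-coded.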
BrazenBamboo appears to be a state-sponsored threat actor, meaning it is on China's payroll. Researchers believe the group is the one that developed three known malware families: LightSpy, DeepData and DeepPost. Unlike North Korean groups, which do not shy away from deploying ransomware or other destructive malware, Chinese groups are primarily interested in cyberespionage and, as such, typically go to great lengths to remain hidden for as long as possible.
Via BleepingComputer