A Chinese state-sponsored actor abused an unpatched, unreported Fortinet vulnerability, despite the fact that the flaw was reported to the security firm in July.
Volexity, a threat intelligence vendor, published research earlier this week referencing a new zero-day flaw -- one without a current CVE designation -- that allowed a Chinese state-sponsored actor known as "BrazenBamboo" to steal credentials in instances of Fortinet's Windows VPN client, FortiClient.
Perhaps most notably, Volexity stated that it disclosed the issue to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres said in the blog post.
Volexity's report lacks a description of the flaw itself. The researchers of the study identified a "zero-day credential disclosure flaw in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also provides YARA rules, indicators of compromise, and an in-depth look at BrazenBamboo's "Deepdata" post-exploitation tool, which was employed in threat activity targeting the vulnerability.
Roxan, Gardner, and Rascagneres said that their investigation began with the identification of an archive file associated with BrazenBamboo, which could be linked to a known Chinese advanced persistent threat (APT) group. The researchers uncovered files in the package related to Windows malware families known as "Deepdata" and "Deeppost," as well as a Windows form of LightSpy malware.
Deepdata, according to Volexity researchers, is a modular utility for Windows that "facilitates the collection of private data from a compromised system," and requires the perpetrator to have command-line access to the target device. It features both a loader and a virtual file system. Deeppost is a post-exploitation data exfiltration program that transfers files to a remote system. The researchers discovered the Fortinet zero day after uncovering a FortiClient plugin in Deepdata.
"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers explained. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process.”
The researchers further stated that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory." Meanwhile, LightSpy is a command-and-control spyware that has previously been linked to campaigns targeting Hong Kong citizens. The malware is generally employed in attacks on Android, iOS, and macOS devices, so it's noteworthy that Volexity received files of a Windows edition.