Chinese threat actors, known as “BrazenBamboo,” are exploiting a zero-day vulnerability in Fortinet’s FortiClient Windows VPN client using a custom post-exploitation toolkit named “DeepData.”

This vulnerability enables attackers to steal VPN credentials, including usernames, passwords, and server details, by dumping them from the application’s memory after user authentication.

The flaw was discovered by Volexity researchers in mid-July 2024, who reported it to Fortinet on July 18. Despite acknowledging the issue on July 24, Fortinet has yet to release a patch, and no CVE has been assigned.

Buy Me a Coffee

This vulnerability mirrors a 2016 flaw that left credentials in memory but is unique to recent FortiClient releases, including version 7.4.0, suggesting it stems from recent software updates.

How It Works:
DeepData locates JSON objects in FortiClient’s memory that store sensitive information like VPN credentials and exfiltrates this data to attackers’ servers using another malware, DeepPost. These compromised VPN credentials allow BrazenBamboo to gain initial access to corporate networks, expand laterally, and conduct extensive espionage operations.

While Fortinet has not provided a response or timeline for a patch, organizations should remain vigilant and monitor updates from both Fortinet and cybersecurity researchers. Indicators of compromise associated with BrazenBamboo’s campaign are available for further analysis.

READ
High-Severity Vulnerability in WPForms Plugin Could Impact Over 6 Million Websites