BrazenBamboo Exploits FortiClient Zero-Day to Steal VPN Credentials

A zero-day vulnerability in Fortinet's FortiClient for Windows is being exploited by a threat actor tracked as BrazenBamboo to steal VPN credentials, researchers at Volexity have revealed. The exploitation is carried out by a plugin of the actor's modular post-exploitation framework, DEEPDATA.

Who is BrazenBamboo?

BrazenBamboo is a China-linked threat actor with a history of developing advanced cyber espionage tooling, including:

  1. DEEPDATA: A modular post-exploitation framework for Windows.
  2. DEEPPOST: A data exfiltration framework.
  3. LightSpy: A spyware platform with variants for macOS, iOS, and Windows.

The Exploitation Process

The vulnerability, which Volexity reported to Fortinet in July 2024, stems from VPN credentials remaining in FortiClient's process memory after a user has authenticated; DEEPDATA reads them straight out of that memory, so no interaction with the VPN server is needed. At the core of DEEPDATA is a DLL loader (data.dll), which decrypts and launches multiple plugins through an orchestrator module (frame.dll).

Key Findings:

  1. FortiClient Plugin: A previously undocumented DLL plugin that harvests VPN credentials from the FortiClient process.
  2. Plugin Architecture: Separate plugins handle credential theft, data collection, and exfiltration, with command-and-control traffic carried over WebSocket and HTTPS.

At the time of writing, Fortinet had not released a patch despite the disclosure, so every FortiClient for Windows user on a compromised host remains exposed.

Expanding Threat Capabilities

BrazenBamboo's tools are interconnected: LightSpy shares code and infrastructure with DEEPDATA, which suggests a single private enterprise developing malware for state-sponsored operations. LightSpy's Windows variant incorporates plugins for:

  1. Webcam recording
  2. Keystroke logging
  3. Screen captures
  4. Audio and browser data collection

The orchestrator behind LightSpy, BH_A006, has historical links to the suspected Chinese group Space Pirates, which is known for targeting Russian entities.

Implications of the Attack

The DEEPDATA and DEEPPOST frameworks expand BrazenBamboo's espionage capabilities, with potential impacts including:

  1. Sensitive Data Theft: VPN credentials, application passwords, and communications data.
  2. Strategic Targeting: Collection from messaging platforms such as WhatsApp, Telegram, and Signal, among others.
  3. Cross-Platform Espionage: Capabilities spanning Windows, macOS, and iOS.

Recommendations for Organizations

Given the severity of the vulnerability and the absence of a fix, organizations are advised to:

  1. Monitor for unusual activity around FortiClient, in particular processes other than FortiClient itself or trusted security agents opening the client's process memory with read access, and unexpected DLL loads from user-writable paths.
  2. Require multi-factor authentication on the VPN, so that a stolen username and password alone are not enough to connect.
  3. Implement network segmentation to limit what a VPN session can reach.
  4. Use endpoint detection and response (EDR) tools to identify malware activity such as the DEEPDATA loader and plugins.
  5. Treat VPN credentials used on any host showing signs of compromise as exposed, and rotate them.
  6. Patch and update software promptly as fixes are released.
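What "monitor for unusual activity around FortiClient" can look like in practice, as an added example written for this article rather than code from Volexity, Fortinet, or the malware: the script below runs over Sysmon telemetry exported as JSON lines and flags the two host-level signals the DEEPDATA FortiClient plugin described above would produce, a memory read of a FortiClient process by an untrusted process (Event ID 10) and a load of a module named like the reported DEEPDATA components (data.dll, frame.dll) from a user-writable path (Event ID 7). The FortiClient process names, the allow-list of legitimate memory readers, and all log records are assumptions constructed for the example and must be tuned to a real environment.

```python
"""Added detection example (illustrative, not vendor or malware code).

Signal 1 (Sysmon Event ID 10, ProcessAccess): a process that is neither
FortiClient itself nor a trusted security agent opens a FortiClient
process with PROCESS_VM_READ rights.
Signal 2 (Sysmon Event ID 7, ImageLoad): a module named data.dll or
frame.dll is loaded from outside the Windows / Program Files roots.

Process names, allow-list and sample log lines are assumptions."""
import json
import ntpath

# Assumed FortiClient process names; verify against your deployed build.
FORTICLIENT_PROCESSES = {"forticlient.exe", "fortisslvpndaemon.exe", "fortitray.exe"}
# Assumed legitimate readers of process memory (here: the Defender engine).
ALLOWED_READERS = {"msmpeng.exe"}
# Module names Volexity reported for the DEEPDATA loader and orchestrator.
DEEPDATA_MODULES = {"data.dll", "frame.dll"}
# Loads from these roots are treated as expected; anything else is suspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PROCESS_VM_READ = 0x0010  # Win32 access right needed to read another process's memory


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def check_process_access(ev: dict):
    """Finding string for a suspicious read of FortiClient memory, else None."""
    if _name(ev["TargetImage"]) not in FORTICLIENT_PROCESSES:
        return None
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    if not granted & PROCESS_VM_READ:
        return None  # e.g. QUERY_LIMITED_INFORMATION only; cannot read credentials
    source = _name(ev["SourceImage"])
    if source in FORTICLIENT_PROCESSES or source in ALLOWED_READERS:
        return None
    return (f"{ev['SourceImage']} (pid {ev['SourceProcessId']}) opened "
            f"{_name(ev['TargetImage'])} with access 0x{granted:04x} (includes VM_READ)")


def check_image_load(ev: dict):
    """Finding string for a DEEPDATA-like module loaded from an untrusted path, else None."""
    loaded = ev["ImageLoaded"]
    if _name(loaded) not in DEEPDATA_MODULES:
        return None
    if loaded.lower().startswith(TRUSTED_ROOTS):
        return None  # generic names such as data.dll are common under Program Files
    return f"{ev['Image']} loaded {_name(loaded)} from untrusted path {loaded}"


CHECKS = {10: check_process_access, 7: check_image_load}


def scan(events):
    """Run the per-event checks; return (UtcTime, finding) pairs in log order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        finding = check(ev) if check else None
        if finding:
            findings.append((ev["UtcTime"], finding))
    return findings


# Constructed sample telemetry (not real logs), one JSON object per line.
SAMPLE_LOG = r'''
{"EventID": 10, "UtcTime": "2024-11-15 09:12:01", "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "SourceProcessId": 4412, "TargetImage": "C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "UtcTime": "2024-11-15 09:12:05", "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "SourceProcessId": 3020, "TargetImage": "C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "UtcTime": "2024-11-15 09:12:09", "SourceImage": "C:\\Windows\\explorer.exe", "SourceProcessId": 5120, "TargetImage": "C:\\Program Files\\Fortinet\\FortiClient\\FortiClient.exe", "GrantedAccess": "0x1000"}
{"EventID": 7, "UtcTime": "2024-11-15 09:12:12", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\frame.dll"}
{"EventID": 7, "UtcTime": "2024-11-15 09:12:20", "Image": "C:\\Program Files\\SomeVendor\\app.exe", "ImageLoaded": "C:\\Program Files\\SomeVendor\\data.dll"}
{"EventID": 1, "UtcTime": "2024-11-15 09:12:25", "Image": "C:\\Windows\\System32\\notepad.exe"}
'''
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for when, what in scan(SAMPLE_EVENTS):
        print(f"[{when}] {what}")
```

On the constructed input this reports two findings: the Temp-resident update.exe reading FortiClient.exe with mask 0x1410 (QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION, the usual shape of a memory-dump handle), and the same binary loading frame.dll from Temp. The Defender engine's read, Explorer's read-free handle, and a data.dll under Program Files are all suppressed. Name-based matching on data.dll and frame.dll is weak on its own, so in production pair it with hashes or signatures from the vendor report; the memory-access rule is the more durable of the two, since any tool that reads the credentials out of FortiClient has to open that handle.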

The Bigger Picture

BrazenBamboo's operational longevity and multi-platform tooling underscore the need for defenses that do not rely on any single vendor's client being free of flaws. As state-sponsored actors continue to refine their techniques, staying ahead of the threat curve is critical for organizations globally.


© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067