Technology

Update now — Fortinet Windows VPN hacked to steal user data

November 20, 2024

Researchers spot Chinese threat actor stealing login credentials from Fortinet VPN
Thefts carried out with the help of a vulnerability discovered in 2023
The bug is yet to be addressed, or even assigned a CVE

Cybersecurity researchers has revealed that for months now, Fortinet’s Windows VPN client has been vulnerable to a flaw which allows threat actors to steal user credentials – and Chinese hackers have reportedly now started exploiting the bug and stealing the data.

Experts from Volexity have published an in-depth report on a piece of malware called DeepData. This malware was used by a Chinese threat actor known as BrazenBamboo to steal login credentials, and VPN server information from Fortinet VPNs.

As the experts explain, after a user logs into the VPN, user credentials remain in process memory. DeepData can find and decrypt JSON objects in the client’s process memory, effectively stealing the information. As a final step, DeepData can exfiltrate the information to a server under the attackers’ control.

BrazenBamboo

Volexity found the vulnerability in early July 2024, and reported it to Fortinet. The company acknowledged the issue on July 24, however, it never acted on the findings, and the vulnerability is still unresolved. It was not even assigned a CVE number, and there is no indication when a fix might be available, if ever.

The findings are disturbing since Fortinet’s VPNs are used by many organizations of all sizes, all across the world. By obtaining login credentials, cybercriminals can gain access to company networks, which allows them to move laterally, steal more information, and potentially even deploy ransomware.

Until a patch is made available, Volexity advises users to restrict VPN access, and keep both eyes peeled for unusual login activity.

BrazenBamboo seems to be a state-sponsored threat actor, meaning it’s on China’s payroll. The researchers believe the group was the one to develop three known malware families, Lightspy, DeepData, and DeepPost. Unlike North Korean groups, who don’t shy away from deploying ransomware or other destructive malware, Chinese groups are mostly interested in cyber-espionage, and as such are usually trying their best to remain hidden for as long as possible.

Via BleepingComputer

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar