TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Volexity

BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

mindgrub · 2024-11-15

ATT&CK techniques detected

17 predictions
T1555.003 Credentials from Web Browsers
99%
“…files recursively from a base location. systeminfo: gather basic enumeration information from the compromised device. tdmonitor: hook Telegram to retrieve messages from the application. webbrowser: collect history, cookies, and passwords from Firefox, Chrome, Opera, and Edge web bro…”
T1056.001 Keylogging
99%
“…request is copy-pasted from the macOS variant, as shown below. The orchestrator expects all plugins to export the following functions: executecommand, getplugincommandid, getpluginname, initial, stopcommand, time, uninitial. Unlike the macOS variant, most of the code in the Windows v…”
T1055.001 Dynamic-link Library Injection
95%
“…DEEPDATA malware family stored in the local VFS file (mod.dat). These components will always execute and are not dependent on additional parameters passed on the command line. The core components of DEEPDATA include the following files (filename, purpose): frame.dll, shellcode –…”
T1555.003 Credentials from Web Browsers
94%
“…a wide range of functionality to extract data from victims’ systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems. However, Volexity noted the FortiClient plugin was uncommon and investigated it further. V…”
T1555.003 Credentials from Web Browsers
94%
“…summarized below (plugin name, plugin capabilities): accountinfo: steal credentials from 18 different sources on the compromised device. appdata: collect data from WeChat, WhatsApp and Signal on the compromised device. audio: record audio on compromised devices. chatindexeddb: steal da…”
T1555.003 Credentials from Web Browsers
93%
“BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA [Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions,…”
T1555.003 Credentials from Web Browsers
92%
“…a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a mod…”
T1555.003 Credentials from Web Browsers
92%
“…and August 2024. Volexity Network Security Monitoring customers are also automatically covered through signatures and deployed detections from the threats and IOCs described in this post. If you are interested in learning more about Volexity products and services, please do not h…”
T1056.001 Keylogging
91%
“…“broadband account mac”. If the file already exists, the DNS request is not performed. This UDP handshake is unique to the Windows variant. Like its counterparts, the Windows variant of LightSpy uses WebSocket and HTTPS for communication, with WebSocket used for most JSON-bas…”
T1055.001 Dynamic-link Library Injection
90%
“…DEEPDATA loader; mod.dat: DEEPDATA virtual file system (VFS); readme.txt: file containing DEEPDATA execution options. The readme.txt file describes how to execute the DEEPDATA loader, along with available parameters and a decryption key. The key parameter is used by the DEEPDATA …”
T1555.003 Credentials from Web Browsers
85%
“…il mailbox, etc.)"}"}, {"id": 4, "time": "2022-04-25122318", "content": "{"title": "v1.1.0", "text": "1. Add target basic information collection, including machine name, IP address, MAC address, brand, model, operating system, resolution, memor…”
T1056.001 Keylogging
79%
“…C2 server. keyboard: records keystrokes. screen: records the user’s screen using the libavcodec library. software: collects information on installed software and manages services. terminal: provides a remote shell for the threat actor to execute commands. video: records webcam and audio …”
T1041 Exfiltration Over C2 Channel
75%
“…(633344 bytes). File type: application/x-dosexec. MD5: 533297a7084039bf6bda702b752e6b82. SHA1: 20214e2e93b1bb37108aa1b8666f6406fabca8a0. SHA256: f4e72145e761bcc8226353bb121eb8e549dc0000c6535bfa627795351037dc8e. VirusTotal first submitted: N/A. DEEPPOST supports the following syntax …”
T1555.003 Credentials from Web Browsers
70%
“…contains DEEPDATA configuration information; manifest.json: contains DEEPDATA plugin information; manifest1.json: contains DEEPDATA plugin information; date.ini: purpose unclear, contains a single byte of 0x30. The manifest.json file is also stored on the C2 server but in an unencry…”
T1552.004 Private Keys
56%
“….27.109[.]217: Huntress’s & ThreatFabric’s macOS reports; shares a self-signed TLS certificate with all currently active DEEPDATA C2 servers. 103.27.108[.]207: ThreatFabric’s mobile report; shares a self-signed TLS certificate with all currently active DEEPDATA C2 …”
T1095 Non-Application Layer Protocol
47%
“…available at the time of discovery (v7.4.0). Notably, the same approach does not work against older versions of the Fortinet VPN client. Volexity reported this vulnerability to Fortinet on July 18, 2024, and Fortinet acknowledged the issue on July 24, 2024. At the time of wri…”
T1555.003 Credentials from Web Browsers
39%
“…the account.rec0 file; SquirrelSQL: on disk, by reading the sqlaliases23.xml file; DbVisualizer: on disk, by reading the dbvis.xml file; OpenSSH: on disk, by reading the config and the SSH key files; MobaXterm: in registry; WinSCP: in registry; SecureCRT: on disk, by reading the configura…”
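The listing above is what a practitioner usually wants to push into ATT&CK Navigator, after collapsing the repeated technique rows (T1555.003 appears nine times at different confidences) and dropping low-confidence tags such as the 47% T1095. The following is an added example, not code from TTPwire or from Volexity's post: it parses the page's three-line shape (technique line with the ID optionally fused to the name, a confidence line, a quoted snippet), keeps the best score and hit count per technique, and emits a Navigator layer. The sample input is constructed from rows on this page with snippets shortened; the Navigator/ATT&CK version strings in the layer are assumptions to adjust for your own Navigator instance.

```python
"""Turn a TTPwire-style ATT&CK prediction listing into an ATT&CK Navigator layer.

Added example; not part of the TTPwire page or Volexity's post. The input shape is
assumed from this page: technique line, confidence line ("99%"), quoted snippet line.
"""
import json
import re

# Constructed sample in the page's three-line shape (snippets shortened).
SAMPLE = """\
T1555.003Credentials from Web Browsers
99%
“webbrowser collect history, cookies, and passwords from firefox, chrome, opera, and edge…”
T1056.001 Keylogging
91%
“keyboard records keystrokes…”
T1555.003 Credentials from Web Browsers
39%
“openssh on disk, by reading the config and the ssh key files…”
T1095 Non-Application Layer Protocol
47%
“available at the time of discovery (v7.4.0)…”
"""

# Technique ID (sub-technique optional); the name may be fused to the ID or separated by spaces.
TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s*(.*\S)?\s*$")
SCORE_RE = re.compile(r"^(\d{1,3})%$")


def parse_predictions(text):
    """Return a list of {id, name, score, snippet} dicts from the three-line listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    out = []
    i = 0
    while i + 2 < len(lines):
        m_id = TECHNIQUE_RE.match(lines[i])
        m_sc = SCORE_RE.match(lines[i + 1])
        if not (m_id and m_sc):
            i += 1  # tolerate stray lines (headers, "17 predictions") between entries
            continue
        out.append({
            "id": m_id.group(1),
            "name": m_id.group(2) or "",
            "score": int(m_sc.group(1)),
            "snippet": lines[i + 2].strip("“”\""),
        })
        i += 3
    return out


def best_per_technique(preds, min_score=0):
    """Collapse repeated predictions per technique ID: keep the highest confidence
    and the supporting snippet, count all hits, then drop techniques whose best
    score is below min_score (so a 47% tag can be excluded from the layer)."""
    best = {}
    for p in preds:
        cur = best.get(p["id"])
        if cur is None:
            best[p["id"]] = {**p, "hits": 1}
            continue
        cur["hits"] += 1
        if p["score"] > cur["score"]:
            cur.update(score=p["score"], snippet=p["snippet"], name=p["name"])
    return {tid: v for tid, v in best.items() if v["score"] >= min_score}


def navigator_layer(best, name):
    """Build an ATT&CK Navigator layer dict. Version strings are assumptions for
    this example (layer format 4.5); set them to match your Navigator instance."""
    techniques = [
        {
            "techniqueID": tid,
            "score": v["score"],
            "comment": f'{v["hits"]} hit(s); best snippet: {v["snippet"]}',
        }
        for tid, v in sorted(best.items())
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 100},
    }


if __name__ == "__main__":
    preds = parse_predictions(SAMPLE)
    layer = navigator_layer(best_per_technique(preds, min_score=50),
                            "BrazenBamboo / DEEPDATA (Volexity, 2024-11-15)")
    print(json.dumps(layer, indent=2, ensure_ascii=False))
```

Run it as a script to print the layer JSON; load that file in Navigator's "Open Existing Layer" dialog. The hit count in each comment is the reason to collapse rather than take the first row: a technique tagged nine times at 39% to 99% is better evidence than one tagged once at 90%, and the threshold is applied to the best score, not to each row, so repeated low-confidence rows still count as support.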

Summary

[Update: At the time of publication, this vulnerability had not been addressed by Fortinet. On December 18, 2024, Fortinet published a public acknowledgement of the issue, affected versions, as well […]

The post BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA appeared first on Volexity.