
Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report

The DeepData malware framework was seen exploiting a Fortinet VPN client for Windows zero-day that remains unpatched.

The recently detailed DeepData malware framework was caught exploiting a zero-day vulnerability in the Fortinet VPN client for Windows to steal credentials, cybersecurity firm Volexity reports.

DeepData is a surveillance framework that relies on multiple plugins to target sensitive information stored in browsers, communication applications, and password managers, and which can record audio using the system’s microphone.

According to BlackBerry, both DeepData and the LightSpy iOS malware have been used by the China-linked advanced persistent threat (APT) actor APT41 to spy on journalists, politicians, and political activists in Southeast Asia.

On Friday, Volexity revealed that DeepData was seen exploiting a zero-day vulnerability in Fortinet’s Windows VPN client to extract usernames, passwords, and other information from the client process’s memory.

The bug, which was reported to Fortinet in July and confirmed at the time to affect the latest available version of Fortinet’s VPN client, does not have a CVE identifier and appears to remain unpatched, the cybersecurity firm says.

SecurityWeek has emailed Fortinet for a statement on the matter and will update this article as soon as a reply arrives.

Volexity also notes that the DeepData framework has been developed by a China-linked state-sponsored threat actor tracked as BrazenBamboo, which has also created LightSpy and the DeepPost post-exploitation data exfiltration tool.

The cybersecurity firm has observed similarities between DeepData and LightSpy, including plugin file and function names, shared program database development paths, shared formatting for certain JSON files, similar plugin code execution flaws, and infrastructure overlaps.


“Volexity tracks BrazenBamboo as the developer of these malware families and not necessarily one of the operators using them (there may be many). Volexity has also identified a new Windows variant of LightSpy that was not previously documented at the time of writing,” Volexity says.

The cybersecurity firm also draws attention to a Windows variant of the LightSpy malware, which has been used in attacks alongside the known iOS, Android, and macOS variants, noting that the DragonEgg Android spyware that Lookout detailed last year is, in fact, LightSpy.

The Windows variant of the spyware has a different architecture than the other documented iterations, is executed by a shellcode in memory, uses WebSocket and HTTPS for communication, and consists of an orchestrator and plugins.

Most of the malware’s code is executed in memory, and the observed plugins have the same data collection and user surveillance capabilities previously associated with LightSpy.

Volexity identified roughly 30 command-and-control (C&C) servers hosting DeepData and LightSpy, along with additional infrastructure that BrazenBamboo has been using to host other tools and applications that are not directly linked to these malware families.

“Volexity’s analysis provides evidence that BrazenBamboo is a well-resourced threat actor who maintains multi-platform capabilities with operational longevity. The breadth and maturity of their capabilities indicates both a capable development function and operational requirements driving development output,” the cybersecurity firm notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
