BleepingComputer reports that the Chinese threat operation BrazenBamboo has been seeking to compromise VPN credentials in a new attack campaign that uses the DeepData post-exploitation toolkit against a Fortinet FortiClient zero-day. The flaw stems from the software's failure to clear sensitive details from memory.
According to a Volexity report, the newest iteration of DeepData integrates a Fortinet plugin that exploits the still-unpatched zero-day, enabling the toolkit to locate and decrypt credentials and server details from JSON objects held in the VPN process's memory; the data is then exfiltrated by the DeepPost malware. Volexity researchers said BrazenBamboo could use the obtained information to infiltrate corporate networks and conduct farther-reaching espionage operations. Until Fortinet issues an official fix, researchers have urged organizations running the most recent versions of Fortinet FortiClient to limit VPN access and monitor for atypical login activity in order to avoid potential compromise in BrazenBamboo attacks.