
Chinese APT exploited unpatched Fortinet zero-day flaw

Volexity reported that a Chinese APT actor exploited a zero-day vulnerability in FortiClient, Fortinet's Windows VPN client, that lets credentials be stolen from the client's process memory.

A Chinese state-sponsored actor exploited an unpatched, undisclosed Fortinet vulnerability, despite the flaw being reported to the security vendor in July.

Threat intelligence vendor Volexity published research Friday that referenced a new zero-day vulnerability -- one without a current CVE designation -- that has enabled a Chinese state-sponsored actor tracked as "BrazenBamboo" to steal credentials from Fortinet's Windows VPN client, FortiClient. Perhaps most notably, Volexity said it reported the flaw to Fortinet on July 18, with the latter acknowledging the report on July 24. "At the time of writing, this issue remains unresolved, and Volexity is not aware of an assigned CVE number," Volexity researchers Callum Roxan, Charlie Gardner and Paul Rascagneres wrote in the blog post.

Volexity's report does not include a description of the vulnerability itself. The researchers wrote that it's a "zero-day credential disclosure vulnerability in Fortinet's Windows VPN client that allowed credentials to be stolen from the memory of the client's process." The blog also includes YARA rules, indicators of compromise and a deep dive into BrazenBamboo's "Deepdata" post-exploitation tool, which was used in threat activity against the vulnerability.

Roxan, Gardner and Rascagneres wrote that their analysis began with the discovery of an archive file tied to BrazenBamboo, which may be connected to a notorious Chinese advanced persistent threat (APT) group. The researchers found files in the archive connected to Windows malware families dubbed "Deepdata" and "Deeppost," as well as a Windows variant of LightSpy malware.

Volexity researchers described Deepdata as a modular tool for Windows that "facilitates collection of sensitive information from a compromised system," and requires the attacker to already have command-line access to the target system. It includes a loader and a virtual file system. Deeppost, similarly, is a post-exploitation data exfiltration tool used to transfer files to a remote system.

Volexity researchers found the Fortinet zero day upon the discovery of a FortiClient plugin in Deepdata.

"DEEPDATA supports a wide range of functionality to extract data from victims' systems. The observed functionality of several plugins is commonly seen and includes items typically stolen from victim systems," researchers wrote. "However, Volexity noted the FortiClient plugin was uncommon and investigated it further. Volexity found the FortiClient plugin was included through a library with the filename msenvico.dll. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows that allows it to extract the credentials for the user from memory of the client's process."

Additionally, the researchers said that "the FortiClient plugin looks for the username, password, remote gateway, and port from two different JSON objects in memory."
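The behaviour Volexity describes, walking a process's memory for JSON objects that hold the username, password, remote gateway and port, is shown below as an added example; it is not Volexity's, BrazenBamboo's or Fortinet's code. It runs over a constructed byte string standing in for a memory dump, and the key names and the UTF-16 encoding of one object are assumptions for illustration, not details of FortiClient. The same routine is what a defender would run against a dump of their own VPN client to check whether plaintext credentials are recoverable.

```python
"""Scan a process-memory image for JSON objects that carry VPN credentials.

Added example, not code from the article or from any vendor it names. It
models the technique described: locate JSON objects in process memory and
pull credential fields from more than one of them. SAMPLE_MEMORY is a
constructed byte string; the key names are assumptions, not FortiClient's.
"""
import json
from typing import Dict, Iterator, List

# Fields a credential-hunting plugin (or a defender auditing their own
# client) would look for. Assumed names, chosen for illustration.
SENSITIVE_KEYS = {"username", "password", "remote_gateway", "port"}

# Constructed stand-in for a VPN client's memory: two JSON objects holding
# the credential fields, scattered among unrelated bytes, plus an unrelated
# settings object. One object is UTF-16-LE, as Windows code often stores
# strings; the others are UTF-8.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"garbage{not json" + b"\x90" * 8
    + b'{"username":"alice","password":"Sup3rS3cret!"}'
    + b"\xff" * 12
    + '{"remote_gateway":"vpn.example.test","port":443}'.encode("utf-16-le")
    + b"\x00" * 8
    + b'{"theme":"dark","version":"7.x"}'
)

MAX_OBJECT_CHARS = 4096  # give up on a candidate that never closes


def _balanced_braces(text: str) -> Iterator[str]:
    """Yield every substring that starts at a '{' and closes at matching
    depth, ignoring braces that appear inside JSON string literals."""
    for start, ch in enumerate(text):
        if ch != "{":
            continue
        depth, in_string, escaped = 0, False, False
        for pos in range(start, min(len(text), start + MAX_OBJECT_CHARS)):
            c = text[pos]
            if in_string:
                if escaped:
                    escaped = False
                elif c == "\\":
                    escaped = True
                elif c == '"':
                    in_string = False
                continue
            if c == '"':
                in_string = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    yield text[start:pos + 1]
                    break


def extract_json_objects(blob: bytes) -> List[dict]:
    """Return every well-formed JSON object in blob, trying UTF-8 and both
    byte alignments of UTF-16-LE so an odd offset does not hide an object."""
    found: List[dict] = []
    decodings = [blob.decode("utf-8", errors="replace")]
    for offset in (0, 1):
        decodings.append(blob[offset:].decode("utf-16-le", errors="replace"))
    for text in decodings:
        for candidate in _balanced_braces(text):
            try:
                obj = json.loads(candidate)
            except json.JSONDecodeError:
                continue  # braces that were not JSON, or NUL-interleaved text
            if isinstance(obj, dict):
                found.append(obj)
    return found


def harvest_credentials(blob: bytes) -> Dict[str, object]:
    """Merge the sensitive fields from every JSON object found in blob.
    Mirrors the article's point that the fields came from two objects."""
    creds: Dict[str, object] = {}
    for obj in extract_json_objects(blob):
        for key in obj.keys() & SENSITIVE_KEYS:
            creds.setdefault(key, obj[key])
    return creds


if __name__ == "__main__":
    for key, value in sorted(harvest_credentials(SAMPLE_MEMORY).items()):
        print(f"{key}: {value}")
```

Against a real dump the same scan would be run over the bytes read from the target process rather than a constructed buffer; any field it recovers is, by definition, available to any code running in the user's session with read access to that process.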

LightSpy, meanwhile, is a modular malware family, directed from a C2 server, that was previously documented in campaigns targeting individuals in Hong Kong. The malware has primarily been used in attacks against Android, iOS and macOS devices, making it notable that Volexity obtained copies of a variant native to Windows.

"In contrast to other LIGHTSPY variants, the Windows variant was not encoded with the same incremental XOR algorithm," Roxan, Gardner and Rascagneres wrote. "Rather, it was encoded with a more complex algorithm that also included padding at the beginning of the files. The architecture for the Windows variant of LIGHTSPY is different from other documented OS variants. This variant is deployed by an installer that deploys a library to execute shellcode in memory. The shellcode downloads and decodes the orchestrator component from the C2 server (pic32.png for x86 and pic64.png for x64 architecture)."

ThreatFabric and BlackBerry covered LightSpy in recent research posts. In BlackBerry's blog post last week, the vendor said it attributed the development of LightSpy and Deepdata with a high level of confidence to a threat actor associated with APT41, a prolific Chinese nation-state threat group.

Fortinet did not respond to TechTarget Editorial's request for comment.

Regarding Fortinet's lack of disclosure, Rascagneres said in an email that "Volexity understands that Fortinet intends to fix the issue but does not have a timeline for when this fix will occur."

"Volexity notified Fortinet PSIRT on July 18, 2024. Fortinet replied that they could reproduce the exploit and would assign a CVE when the patch is released," he told TechTarget Editorial. "Since Fortinet has not yet released a patch, there is currently no CVE. Volexity anticipates that a CVE will eventually be assigned. As the vulnerability is currently being exploited, and a report was publicly released by BlackBerry on the DEEPDATA framework, Volexity decided to notify the community."

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
