Notices by Volexity :verified: (volexity@infosec.exchange)

Embed this notice
Volexity :verified: (volexity@infosec.exchange)'s status on Saturday, 16-Nov-2024 05:03:18 JST Volexity :verified:
- Volexity :verified:
@volexity has published a blog post about BrazenBamboo, the Chinese threat actor behind the LIGHTSPY and DEEPDATA malware families. This blog post details a FortiClient vulnerability used in the DEEPDATA malware, where user VPN credentials are left in plaintext in memory long after a user has authenticated. Read more here: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata
#dfir #threatintel
In conversation about 4 months ago from infosec.exchange permalink
Attachments
1. Untitled attachment
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/488/746/998/081/346/original/8c26d7c6f5a78e67.png
2. Domain not in remote thumbnail source whitelist: www.volexity.com
  
  BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
  
  from Volexity
  
  In July 2024, Volexity identified exploitation of a zero-day credential disclosure vulnerability in Fortinet’s Windows VPN client that allowed credentials to be stolen from the memory of the client’s process. This vulnerability was discovered while analyzing a recent sample of the DEEPDATA malware family. DEEPDATA is a modular post-exploitation tool for the Windows operating system that is used to gather a wide range of information from target devices. Analysis of the sample revealed a plugin that was designed to extract credentials from FortiClient VPN client process memory. On July 18, 2024, Volexity notified Fortinet about this vulnerability. At the time of writing, the issue remains unresolved.

Public

Notices by Volexity :verified: (volexity@infosec.exchange)

User actions

Following 0

Followers 0

Groups 0

Statistics

Feeds