Fortinet VPN zero-day exploited by Chinese threat actor

Category	Details
Threat Actors	BrazenBamboo (China-linked threat actor).
Campaign Overview	Exploiting a zero-day vulnerability in Fortinet’s FortiClient VPN for Windows to extract credentials, VPN server details, and gain initial access for espionage.
Target Regions	Likely global, targeting corporate networks using Fortinet VPN solutions.
Methodology	Exploitation of FortiClient VPN zero-day vulnerability; use of DeepData tool for credential theft, browser data extraction, and social media data theft.
Product Targeted	Fortinet FortiClient VPN for Windows, FortiManager servers (via FortiJump), Fortinet devices (historically exploited vulnerabilities).
Malware Reference	DeepData (post-exploitation tool), FortiJump.
Tools Used	DeepData with plugins for credential theft, audio recording, browser data extraction, and social media data theft.
Vulnerabilities Exploited	FortiClient VPN zero-day (unpatched as of November 2024); CVE-2024-47575 (“FortiJump”), CVE-2022-42475 (FortiOS RCE vulnerability previously exploited).
TTPs	Credential theft from memory, post-exploitation tools, RCE vulnerabilities, initial access via VPN zero-days, exfiltration of sensitive configuration data.
Attribution	China-linked threat actor (BrazenBamboo).
Recommendations	Restrict VPN access to trusted IPs; monitor login activity for anomalies; review Field Effect MDR notifications; wait for patch release from Fortinet.
Source	Field Effect

Disclaimer: The above summary has been generated by an AI language model

Recent Posts