FortiClient Vulnerability in Windows Systems — Exploitation to Steal VPN Credentials via DEEPDATA
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html
Intro
Threat intelligence vendor Volexity published research Friday that referenced a new zero-day vulnerability — one without a current CVE designation — that has enabled threat actors tracked as “BrazenBamboo” to steal credentials in instances of Fortinet’s Windows VPN client, FortiClient.
In this article we propose Wazuh detection rules that detect and alert on the tooling used in this exploitation.
Malware Analysis
DEEPDATA post-exploitation tool
Volexity’s analysis began with the discovery of an archive file named deepdata[.]zip, with the following file hash:
SHA256: 666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724
Detection rule:
- Source: Wazuh Syscheck module
- Rule ID: 554 (File added to the system.)
<group name="local,syscheck,">
<rule id="xxxx" level="12">
<if_sid>554</if_sid>
<field name="sha256_after">^666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724$</field>
<description>Suspicious file added to the system.</description>
</rule>
</group>
The DEEPDATA malware elements include the following:
- data.dll DEEPDATA Loader
- mod.dat DEEPDATA Virtual File System (VFS)
- readme.txt File containing DEEPDATA Execution Options
Execution:
Detection rule:
- Source: Sysmon Evt 1 (Process creation)
- Process image + CMDLine
<group name="local,sysmon,">
<rule id="xxxx" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.originalFileName" type="pcre2">(?i)rundll32\.exe</field>
<field name="win.eventdata.commandLine" type="pcre2">(?i)data\.dll</field>
<options>no_full_log</options>
<description>Suspicious rundll32 Execution</description>
</rule>
</group>
DEEPPOST post-exploitation exfiltration tool
Syntax:
localupload.exe c:\data_to_exfiltrate\ ip:port
Detection rule:
- Source: Sysmon Evt 1 (Process creation)
- Process image
<group name="local,sysmon,">
<rule id="xxxx" level="12">
<if_group>sysmon_event1</if_group>
<field name="win.eventdata.originalFileName" type="pcre2">(?i)localupload\.exe</field>
<options>no_full_log</options>
<description>DeepPost Exfiltration Tool Detected</description>
</rule>
</group>
DEEPDATA C2 Infrastructure
Several C2 IP addresses mentioned in public reporting have overlaps with DEEPDATA infrastructure, including the following:
103.27.109[.]217
103.27.108[.]207
121.201.109[.]98
Detection rule:
- Source: Sysmon Evt 3 (Network Connection)
- DST IPs + DST Ports
<group name="local,sysmon,">
<rule id="xxxx" level="12">
<if_group>sysmon_event3</if_group>
<field name="win.eventdata.destinationIp" type="pcre2">^103\.27\.109\.217$|^103\.27\.108\.207$|^121\.201\.109\.98$</field>
<field name="win.eventdata.destinationPort" type="pcre2">^28443$|^28992$|^28993$</field>
<options>no_full_log</options>
<description>DEEPDATA C2 connection detected</description>
</rule>
</group>
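To check that the four rules above fire on the right telemetry, and only on it, the following added example (written for this post; it is not code from the original article, from Volexity or from the Wazuh project) transcribes their field/regex logic into Python and runs it over constructed sample events. Python's re module stands in for Wazuh's PCRE2 engine, the "group" key stands in for <if_group>/<if_sid>, and every path and sample value is constructed. The last sample shows a caveat of the C2 rule: because it ANDs the destination port with the IP, a connection to one of the listed addresses on an unlisted port produces no alert.

```python
import re

# Added example (not from the post or from Wazuh): the four Wazuh rules above
# re-expressed as Python data so their logic can be exercised offline.
# Wazuh ANDs every <field> in a rule; Python's re stands in for PCRE2 here.
RULES = [
    {
        "name": "DEEPDATA archive hash (if_sid 554)",
        "parent": "syscheck",  # stands in for <if_sid>554</if_sid>
        "fields": {
            "sha256_after": r"^666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724$",
        },
        "description": "Suspicious file added to the system.",
    },
    {
        "name": "DEEPDATA loader via rundll32",
        "parent": "sysmon_event1",
        "fields": {
            "win.eventdata.originalFileName": r"(?i)rundll32\.exe",
            "win.eventdata.commandLine": r"(?i)data\.dll",
        },
        "description": "Suspicious rundll32 Execution",
    },
    {
        "name": "DEEPPOST exfiltration tool",
        "parent": "sysmon_event1",
        "fields": {"win.eventdata.originalFileName": r"(?i)localupload\.exe"},
        "description": "DeepPost Exfiltration Tool Detected",
    },
    {
        "name": "DEEPDATA C2 connection",
        "parent": "sysmon_event3",
        "fields": {
            "win.eventdata.destinationIp": r"^103\.27\.109\.217$|^103\.27\.108\.207$|^121\.201\.109\.98$",
            "win.eventdata.destinationPort": r"^28443$|^28992$|^28993$",
        },
        "description": "DEEPDATA C2 connection detected",
    },
]


def evaluate(event):
    """Return the description of every rule that fires for one decoded event.

    event["group"] plays the role of the parent rule or group that a Wazuh rule
    hooks with <if_group>/<if_sid>; every other key is a decoded field.
    """
    hits = []
    for rule in RULES:
        if rule["parent"] != event.get("group"):
            continue
        # All <field> conditions of a rule must match (Wazuh AND semantics).
        if all(re.search(rx, str(event.get(field, "")))
               for field, rx in rule["fields"].items()):
            hits.append(rule["description"])
    return hits


# Constructed sample events (not real telemetry), shaped like Wazuh's decoded
# syscheck and Sysmon fields. Paths are placeholders; 203.0.113.5 is a
# documentation address used only to show DEEPPOST's "ip:port" argument.
SAMPLE_EVENTS = [
    {"group": "syscheck", "path": r"C:\Users\Public\deepdata.zip",
     "sha256_after": "666a4c569d435d0e6bf9fa4d337d1bf014952b42cc6d20e797db6c9df92dd724"},
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "RUNDLL32.EXE",
     "win.eventdata.commandLine": r"rundll32.exe C:\Users\Public\data.dll"},
    # Benign rundll32 use: originalFileName matches but commandLine does not.
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "RUNDLL32.EXE",
     "win.eventdata.commandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"group": "sysmon_event1", "win.eventdata.originalFileName": "localupload.exe",
     "win.eventdata.commandLine": r"localupload.exe C:\data_to_exfiltrate\ 203.0.113.5:28443"},
    {"group": "sysmon_event3", "win.eventdata.destinationIp": "103.27.109.217",
     "win.eventdata.destinationPort": "28443"},
    # Listed C2 address on a port the rule does not list: no alert (caveat).
    {"group": "sysmon_event3", "win.eventdata.destinationIp": "103.27.109.217",
     "win.eventdata.destinationPort": "443"},
]


def detections(events=SAMPLE_EVENTS):
    """Evaluate every event; returns one list of fired descriptions per event."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, detections()):
        print(event["group"], "->", hits or "no alert")
```

Once the XML rules are deployed on a manager, the same sample events can be replayed against the real engine with /var/ossec/bin/wazuh-logtest to confirm that the regexes and the if_group/if_sid hooks behave as this harness predicts; if a listed C2 address on any port should alert, drop the destinationPort field into a second, lower-level rule.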