#FactCheck - Edited Video Falsely Claims as an attack on PM Netanyahu in the Israeli Senate

Executive Summary:

BrazenBamboo’s DEEPDATA malware represents a new wave of advanced cyber espionage tools, exploiting a zero-day vulnerability in Fortinet FortiClient to extract VPN credentials and sensitive data through fileless malware techniques and secure C2 communications. With its modular design, DEEPDATA targets browsers, messaging apps, and password stores, while leveraging reflective DLL injection and encrypted DNS to evade detection. Cross-platform compatibility with tools like DEEPPOST and LightSpy highlights a coordinated development effort, enhancing its espionage capabilities. To mitigate such threats, organizations must enforce network segmentation, deploy advanced monitoring tools, patch vulnerabilities promptly, and implement robust endpoint protection. Vendors are urged to adopt security-by-design practices and incentivize vulnerability reporting, as vigilance and proactive planning are critical to combating this sophisticated threat landscape.

Introduction

The increased use of zero-day vulnerabilities by more complex threat actors reinforces the importance of more developed countermeasures. One of the threat actors identified is BrazenBamboo uses a zero-day vulnerability in Fortinet FortiClient for Windows through the DEEPDATA advanced malware framework. This research explores technical details about DEEPDATA, the tricks used in its operations, and its other effects.

Technical Findings

1. Vulnerability Exploitation Mechanism

The vulnerability in Fortinet’s FortiClient lies in its failure to securely handle sensitive information in memory. DEEPDATA capitalises on this flaw via a specialised plugin, which:

• Accesses the VPN client’s process memory.
• Extracts unencrypted VPN credentials from memory, bypassing typical security protections.
• Transfers credentials to a remote C2 server via encrypted communication channels.

2. Modular Architecture

DEEPDATA exhibits a highly modular design, with its core components comprising:

• Loader Module (data.dll): Decrypts and executes other payloads.
• Orchestrator Module (frame.dll): Manages the execution of multiple plugins.
• FortiClient Plugin: Specifically designed to target Fortinet’s VPN client.

Each plugin operates independently, allowing flexibility in attack strategies depending on the target system.

3. Command-and-Control (C2) Communication

DEEPDATA establishes secure channels to its C2 infrastructure using WebSocket and HTTPS protocols, enabling stealthy exfiltration of harvested data. Technical analysis of network traffic revealed:

• Dynamic IP switching for C2 servers to evade detection.
• Use of Domain Fronting, hiding C2 communication within legitimate HTTPS traffic.
• Time-based communication intervals to minimise anomalies in network behavior.

4. Advanced Credential Harvesting Techniques

Beyond VPN credentials, DEEPDATA is capable of:

• Dumping password stores from popular browsers, such as Chrome, Firefox, and Edge.
• Extracting application-level credentials from messaging apps like WhatsApp, Telegram, and Skype.
• Intercepting credentials stored in local databases used by apps like KeePass and Microsoft Outlook.

5. Persistence Mechanisms

To maintain long-term access, DEEPDATA employs sophisticated persistence techniques:

• Registry-based persistence: Modifies Windows registry keys to reload itself upon system reboot.
• DLL Hijacking: Substitutes legitimate DLLs with malicious ones to execute during normal application operations.
• Scheduled Tasks and Services: Configures scheduled tasks to periodically execute the malware, ensuring continuous operation even if detected and partially removed.

Additional Tools in BrazenBamboo’s Arsenal

1. DEEPPOST

A complementary tool used for data exfiltration, DEEPPOST facilitates the transfer of sensitive files, including system logs, captured credentials, and recorded user activities, to remote endpoints.

2. LightSpy Variants

• The Windows variant includes a lightweight installer that downloads orchestrators and plugins, expanding espionage capabilities across platforms.
• Shellcode-based execution ensures that LightSpy’s payload operates entirely in memory, minimising artifacts on the disk.

3. Cross-Platform Overlaps

BrazenBamboo’s shared codebase across DEEPDATA, DEEPPOST, and LightSpy points to a centralised development effort, possibly linked to a Digital Quartermaster framework. This shared ecosystem enhances their ability to operate efficiently across macOS, iOS, and Windows systems.

Notable Attack Techniques

1. Memory Injection and Data Extraction

Using Reflective DLL Injection, DEEPDATA injects itself into legitimate processes, avoiding detection by traditional antivirus solutions.

• Memory Scraping: Captures credentials and sensitive information in real-time.
• Volatile Data Extraction: Extracts transient data that only exists in memory during specific application states.

2. Fileless Malware Techniques

DEEPDATA leverages fileless infection methods, where its payload operates exclusively in memory, leaving minimal traces on the system. This complicates post-incident forensic investigations.

3. Network Layer Evasion

By utilising encrypted DNS queries and certificate pinning, DEEPDATA ensures that network-level defenses like intrusion detection systems (IDS) and firewalls are ineffective in blocking its communications.

Recommendations

1. For Organisations

• Apply Network Segmentation: Isolate VPN servers from critical assets.
• Enhance Monitoring Tools: Deploy behavioral analysis tools that detect anomalous processes and memory scraping activities.
• Regularly Update and Patch Software: Although Fortinet has yet to patch this vulnerability, organisations must remain vigilant and apply fixes as soon as they are released.

2. For Security Teams

• Harden Endpoint Protections: Implement tools like Memory Integrity Protection to prevent unauthorised memory access.
• Use Network Sandboxing: Monitor and analyse outgoing network traffic for unusual behaviors.
• Threat Hunting: Proactively search for indicators of compromise (IOCs) such as unauthorised DLLs (data.dll, frame.dll) or C2 communications over non-standard intervals.

3. For Vendors

• Implement Security by Design: Adopt advanced memory protection mechanisms to prevent credential leakage.
• Bug Bounty Programs: Encourage researchers to report vulnerabilities, accelerating patch development.

Conclusion

DEEPDATA is a form of cyber espionage and represents the next generation of tools that are more advanced and tunned for stealth, modularity and persistence. While Brazen Bamboo is in the process of fine-tuning its strategies, the organisations and vendors have to be more careful and be ready to respond to these tricks. The continuous updating, the ability to detect the threats and a proper plan on how to deal with incidents are crucial in combating the attacks.

References:

1. https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html‍
2. http://www.theregister.com/2024/11/19/china_brazenbamboo_fortinet_0day/

Introduction

In today's era of digitalised community and connections, social media has become an integral part of our lives. we use social media to connect with our friends and family, and social media is also used for business purposes. Social media offers us numerous opportunities and ease to connect and communicate with larger communities. While it also poses some challenges, while we use social media, we come across issues such as inappropriate content, online harassment, online stalking, account hacking, misuse of personal information or data,  privacy issues, fake accounts, Intellectual property violation issues, abusive and dishearted content, content against the terms and condition policy of the platform and more. To deal with such issues, social media entities have proper reporting mechanisms and set terms and conditions guidelines to effectively prevent such issues and by addressing them in the best possible way by platform help centre or reporting mechanism.

‍

The Role of Help Centers in Resolving User Complaints:

The help centres are established on platforms to address user complaints and provide satisfactory assistance or resolution. Addressing user complaints is a key component of maintaining a safe and secure digital environment for users. Platform-centric help centres play a vital role in providing users with a resource to seek assistance and report their issues.

‍

Some common issues reported on social media:

‍

• Reporting abusive content: Users can report content that they find abusive, offensive, or in violation of platform policies. These reports are reviewed by the help centre.
• Reporting CSAM (Child Sexual Abuse Material): CSAM content can be reported to platform help centre. Social media platforms have stringent policies in place to address such concerns and ensure a safe digital environment for everyone, including children.
• Reporting Misinformation or Fake News: With the proliferation of misinformation online, users can report content that they find or suspect misleading or false information and Fact-checking bodies are employed to assess the accuracy of reported content.
• Content violating intellectual property rights: If there is a violation or infringement of any intellectual property work, it can be reported on the platform. 
• Violence of commercial policies: Products listed on social media platforms are also needed to comply with the platform’s  Commercial Policies.

‍

Submitting a Complaint to the Indian Grievance Officer for Facebook:

A user can report his issue through the below-mentioned websites:

• https://www.facebook.com/help/contact/278770247037228

• https://www.facebook.com/help/263149623790594

‍

The user can go to the Facebook Help Center, where go to the "Reporting a Problem” section, then by clicking on Reporting a Problem, Choose the Appropriate Issue that best describes your complaint. For example, if you have encountered inappropriate or abusive content, select the ‘I found inappropriate or abusive content’ option.

‍

Here is a list of issues which you can report on Facebook:

• My account has been hacked.
• I've lost access to a page or a group I used to manage.
• I've found a fake profile or a profile that's pretending to be me.
• I am being bullied or harassed.
• I found inappropriate or abusive content.
• I want to report content showing me in nudity/partial nudity or in a sexual act.
• I (or someone I am legally responsible for) appear in content that I do not want to be displayed.
• I am a law enforcement official seeking to access user data.
• I am a government official or a court officer seeking to submit an order, notice or direction.
• I want to download my personal data or report an issue with how Facebook is processing my data.
• I want to report an Intellectual Property infringement.
• I want to report another issue.

‍

Then, describe your issues and attach supporting evidence such as screenshots, then submit your report. After submitting a report, you will receive a confirmation that your report has been submitted to the platform. The platform will review the complaint within the stipulated time period, and users can also check the status of their filed complaint. Appropriate action will be taken by platforms after reviewing such complaints. If it violates any standard policy, terms & conditions, or privacy policies of the platform, the platform will take down that content or will take any other appropriate action.

‍

Conclusion: 

It is important to be aware of your rights in a digital landscape and report such issues to the platform. It is essential to understand how to report your issues or grievances on social media platforms effectively. By using the help centre or reporting mechanism of the platform, users can effectively file their complaints on the platform and contribute to a safer and more responsible online environment. Social media platforms have their compliance framework and privacy and policy guidelines in place to ensure the compliance framework for community standards and legal requirements. So, whenever you encounter an issue on social media, report it on the platform and contribute to a safer digital environment on social media platforms.

‍

References: 

• https://www.cyberyodha.org/2023/09/how-to-submit-complaint-to-indian.html
• https://transparency.fb.com/en-gb/enforcement/taking-action/complaints-handling-process/
• https://www.facebook.com/help/contact/278770247037228
• https://www.facebook.com/help/263149623790594

‍

Introduction:

The Indian Ministry of Communications has come up with a feature known as "Quick SMS Header Information" to provide citizens with more control over their messaging services. This feature would help users access crucial information about the sender through text message, therefore making the details readily available at their fingertips.

The Quick SMS Header service is the key to providing users with the feature to ensure that they are receiving messages from the correct source. Users can instantly learn all the necessary data about the sender of a certain SMS. This data is invaluable for making the distinction between real messages and suspicious spam or phishing, so the user can have a higher level of defense against online threats and scam activities.

Importance of Checking the Header:

1. Authenticity Verification: SMS header data represents another way to confirm the sender. This feature keeps the end user from wrongly assuming that the SMS is from a trusted source or an unknown sender. Hence, the end user is able to make a choice about the authenticity of the message.

2. Mitigating Spam and Phishing: The rise of SMS and phishing scams has created some significant hurdles for users in the process of differentiating between real and fake messages. Through the Quick SMS Header Information service, people will be able to look up any suspicious messages in order to be able to take appropriate steps to prevent links that lead to malicious websites or requests for personal information.

3. Enhancing User Security: The SMS header information plays an important role in ensuring that the user is secure and has no privacy issues.  The checking of the message headers will help us limit the possibilities of bad activities and reduce the chances of being a victim of cybercriminals.

4. Empowering Consumer Awareness: This feature is designed to encourage the people involved  to take responsibility for the security of their devices and establish a safer and more dependable digital platform.

Benefits:

• Enhanced Transparency: By giving access to the header information to the users, it is transparency that is promoted within the telecommunications ecosystem.
• Empowered Decision-Making: Now that users have information about the SMS header, they can make informed decisions regarding their communications and privacy.
• Efficient Resolution of Concerns: The Quick SMS Header Information serves the purpose of providing the needed resolution by telling us the message’s origin in cases where users come across any suspicious messages.
• User-Friendly Interface: With its easy and clear process, this feature caters to users of all technical proficiency levels, ensuring accessibility for all.

Working:

1. Compose Your SMS: Write a message with the header you wish to find the information about. For example, if you want to know details about a header labeled "SBIINB," your SMS should be in the format "DETAILS OF SBIINB." Note, all letters are in capital only.

2. Send it to 1909: Once your message is ready, send it to: 1909. Please note, this may charge you depending upon your current plan. 

3. Receive Response: The response to your SMS will be sent to you by the concerned telecommunication service provider or directly by 1909, a few seconds after you have sent your message. This response will have the data associated with the header above.

Another method to find SMS header information:

TRAI (Telecom Regulatory Authority of India) has made a tool on the webpage (https://smsheader.trai.gov.in/) to check for the SMS header associated with the message. 

TRAI has also mandated header registration for messages pertaining to transactional or promotional purposes. This has helped people identify the SMS header by simply looking into the database as made by TRAI.

Steps:

1. Go to https://smsheader.trai.gov.in/. The page looks like as shown below:

‍

2. Enter your Email, Name and complete the captcha under the Download/View Header Details and click on continue

‍

3. Enter the OTP received on your email with the captcha and click on continue

4. Now enter your SMS header in the format of AA-AAAA, where “AA” is your prefix and “AAAA” is your header name. For example, we have taken “AX-HDFCBK” as our sample header, so “AX” is our prefix and “HDFCBK” is our header name.

5. As soon as we press enter, the site returns the query with the information of the header, as shown below

Conclusion:

The importance of checking SMS headers is something that simply cannot be overemphasized. This is the principal procedure for identifying incoming messages as authentic, and on that basis, the users are able to make informed choices about the messages they receive. It also contributes to the rise of user safety and privacy.

The development of more transparent controls and a stronger decision-making process will make it easier for users to handle their digital lives. The Quick SMS Header Information service is easy and convenient to use, as its interface is simple and understandable for users of all technical levels.

In addition to this, TRAI's attempt to make available an online tool for the maintenance of a comprehensive database of SMS headers strengthens its position towards ensuring security for its users in the telecommunications sector.

‍