ClickFix Campaign Unleashes New Infostealer, DEEPDATA Malware Exploits Fortinet FortiClient Zero-Day, 69 Firms Leaked with Manufacturing Hit Hardest, and CISA Adds Progress and Palo Alto Vulnerabilities
In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations.
Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.
ClickFix Phishing Campaign Delivers New Infostealer
The Rundown
Gen Digital Inc., formerly known as Symantec and the parent company of popular consumer security brands like Norton, Avast, Avira, and AVG, has released a report on the discovery of a previously unknown information-stealing malware named “Glove Stealer.” The company revealed that attackers are distributing this malware through phishing emails that leverage the “ClickFix” technique.
According to Gen Digital, Glove Stealer is designed to harvest sensitive information from infected systems, including login credentials, financial data, and personal files. The phishing emails employing the ClickFix technique manipulate click events to bypass security filters and deceive users into executing the malicious payload.
The report did not disclose the campaign’s scale or the threat actors’ identities. However, Deepwatch’s threat intel team warns that the methods used indicate a potentially significant threat to both individuals and organizations.
Source Material: Gen Digital
Zero-Day Exploitation in Fortinet FortiClient: DEEPDATA Malware Unveiled
The Rundown
Volexity, a developer of memory forensics software, has released a report on DEEPDATA, a modular post-initial access malware family. The report highlights a plugin named FortiClient for DEEPDATA that exploits a zero-day vulnerability in Fortinet’s FortiClient Windows VPN. This vulnerability enables attackers to extract credentials directly from the client’s process memory if successfully exploited. At the time of publishing the report, 15 November, the vulnerability remains unresolved, and Volexity is unaware of an assigned CVE number.
Volexity reports that threat actors leverage DEEPDATA to gather and exfiltrate sensitive information from compromised systems. Alongside the FortiClient plugin, DEEPDATA includes 11 additional plugins designed to steal credentials, extract data from messaging applications, collect contacts and emails from Outlook, enumerate system details (such as installed software and WiFi networks), and even record audio.
DEEPDATA’s exploitation of FortiClient showcases the advanced capabilities of state-affiliated threat actors in compromising critical software to steal sensitive credentials. This attack highlights the dangers of zero-day vulnerabilities in widely used systems, exposing enterprises that depend on Fortinet’s VPN for secure communication to significant risks.
BrazenBamboo’s malware ecosystem—DEEPDATA, DEEPPOST, and LIGHTSPY—demonstrates sophisticated surveillance and data exfiltration capabilities, underscoring the critical need for more robust cybersecurity defenses. This evolution also highlights the growing involvement of private enterprises in supporting state-sponsored cyber operations, raising significant concerns about their impact on global cybersecurity and individual privacy.
Source Material: Volexity & BlackBerry
Leak Sites: 69 Firms Listed, Manufacturing Tops the List
The Rundown
In just one week, 69 organizations spanning 17 industries were added to ransomware and data leak sites—a decrease of 73 from the previous week.
Note: Data collection on some ransomware and data extortion leak sites may be limited due to various reasons.
This week, critical sectors such as Manufacturing, Health Care and Social Assistance, and Construction were most frequently targeted, underscoring the pressing need for comprehensive cybersecurity measures to safeguard sensitive data and ensure operational resilience globally.
CISA Adds Progress and Palo Alto Vulnerabilities to Exploited List
The Rundown
Between November 14 and 20, five vulnerabilities affecting Progress and Palo Alto products were added to CISA’s Known Exploited Vulnerabilities catalog. If not addressed swiftly, these vulnerabilities could expose organizations to potential cyberattacks.
These newly cataloged vulnerabilities highlight looming risks for organizations using widespread technologies. Failure to patch these flaws could lead to full system control, authentication bypass, or exposure of sensitive data. If state-sponsored and cybercriminal attackers focus on these weaknesses, timely action will be crucial to prevent exploitation.
Recommendations
ATI recommends that mitigation be completed by the “Due Date” CISA assigns to each catalog entry.
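A practical way to act on that recommendation is to pull the catalog feed, keep only the entries added in the week for the vendors in scope, and work them soonest due date first. The helper below is an added example for this brief, not Deepwatch or CISA code; it assumes the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate), and its sample records are constructed, with placeholder CVE IDs and an assumed year, since the brief names neither.

```python
"""Triage helper for CISA KEV entries. Added example for this brief, not
Deepwatch or CISA code. It assumes the field names of CISA's KEV JSON feed
(cveID, vendorProject, product, dateAdded, dueDate) and lists the entries added
in a date window for chosen vendors, soonest CISA due date first."""
import json
from datetime import date

# Constructed sample in the feed's shape. CVE IDs are placeholders (the brief
# names none) and the year is assumed; real data would come from the live feed.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-PLACEHOLDER-1", "vendorProject": "Progress",
     "product": "Product A", "dateAdded": "2024-11-18", "dueDate": "2024-12-09"},
    {"cveID": "CVE-0000-PLACEHOLDER-2", "vendorProject": "Palo Alto Networks",
     "product": "Product B", "dateAdded": "2024-11-14", "dueDate": "2024-12-05"},
    {"cveID": "CVE-0000-PLACEHOLDER-3", "vendorProject": "Palo Alto Networks",
     "product": "Product C", "dateAdded": "2024-11-20", "dueDate": "2024-12-11"},
    {"cveID": "CVE-0000-PLACEHOLDER-4", "vendorProject": "Other Vendor",
     "product": "Product D", "dateAdded": "2024-11-15", "dueDate": "2024-12-06"},
    {"cveID": "CVE-0000-PLACEHOLDER-5", "vendorProject": "Progress",
     "product": "Product E", "dateAdded": "2024-10-01", "dueDate": "2024-10-22"},
]})

def kev_added_between(entries, start, end, vendors):
    """Entries whose dateAdded lies in [start, end] (ISO strings, inclusive) and
    whose vendorProject starts with one of `vendors`, case-insensitively, so
    "Palo Alto" also matches "Palo Alto Networks". Sorted by dueDate."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    wanted = tuple(v.lower() for v in vendors)
    hits = [e for e in entries
            if lo <= date.fromisoformat(e["dateAdded"]) <= hi
            and e["vendorProject"].lower().startswith(wanted)]
    return sorted(hits, key=lambda e: e["dueDate"])

def days_until_due(entry, today):
    """Days left before CISA's dueDate; negative means the deadline has passed."""
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days

def triage_report(raw_json, start, end, vendors, today):
    """Rows of (cveID, vendor, product, dueDate, days_left) for the SOC queue."""
    entries = json.loads(raw_json)["vulnerabilities"]
    return [(e["cveID"], e["vendorProject"], e["product"], e["dueDate"],
             days_until_due(e, today))
            for e in kev_added_between(entries, start, end, vendors)]

if __name__ == "__main__":
    for row in triage_report(SAMPLE_KEV_FEED, "2024-11-14", "2024-11-20",
                             ("Progress", "Palo Alto"), "2024-11-21"):
        print("%-24s %-20s %-10s due %s (%+d days)" % row)
```

Point `raw_json` at the downloaded KEV feed and the same filter and ordering apply to the real catalog.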
Source Material: CISA
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.