FBI: An APT Group Has Been Abusing the FatPipe VPN Zero-Day Since May

The FBI has issued a warning about an advanced persistent threat (APT) targeting FatPipe router clustering and load balancer technologies to infiltrate targets’ networks. FatPipe is a Salt Lake City-based computer networking hardware company specializing in WAN optimization solutions and has a long list of Fortune 1000 clients.

FatPipe products are used by government and military organizations, educational institutions, utilities, municipalities, and financial and medical institutions. According to a flash alert from the Federal Bureau of Investigation, FBI forensic research as of November 2021 revealed the exploitation of a zero-day vulnerability in the FatPipe MPVPN device software dating back to at least May 2021.

The flaw gave the APT actors access to an unrestricted file upload feature, which they used to deploy a webshell that ran with root privileges, giving them elevated access on the device and a foothold for further activity. After compromising vulnerable FatPipe devices, the attackers used them to move laterally into their targets’ networks.

The zero-day exploited in these attacks affected all FatPipe WARP, MPVPN, and IPVPN device software prior to the latest releases, 10.1.2r60p93 and 10.2.2r44p1. According to the FBI, the weakness does not yet have a CVE ID, but FatPipe patched it this month and published a security advisory tagged FPSA006.

According to the company, a vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem of an affected device. The vulnerability stems from a lack of input and validity checking on certain HTTP requests handled by the device; an attacker could exploit it by sending a specially crafted HTTP request to the vulnerable device.
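The root cause the advisory describes, a file upload whose destination is taken from the request without input or validity checking, is a generic web application defect. The following Python is an added illustration written for this article, not FatPipe's code and not derived from the FPSA006 advisory: it places an unchecked upload path builder beside a hardened one that rejects directory components, allow-lists the file type (the `ALLOWED_SUFFIXES` set is an assumed placeholder for whatever a real endpoint should accept), and confirms the resolved target still lies inside the upload root before any byte is written.

```python
import os
import pathlib
import tempfile

# Assumed allowlist for this example; a real endpoint would list the file
# types it genuinely needs to accept and nothing else.
ALLOWED_SUFFIXES = {".cfg", ".lic", ".pem"}


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied filename fails validation."""


def unsafe_upload_path(upload_root: str, client_filename: str) -> str:
    """The defect pattern: the client-supplied name is joined onto the upload
    directory with no checks, so '../' sequences escape the directory and an
    absolute name makes os.path.join discard the root entirely."""
    return os.path.join(upload_root, client_filename)


def safe_upload_path(upload_root: str, client_filename: str) -> pathlib.Path:
    """Hardened form: reject (rather than silently strip) any directory
    component, allow-list the suffix, then resolve the final path and verify
    it is a direct child of the upload root."""
    root = pathlib.Path(upload_root).resolve()
    name = client_filename
    # Any separator, empty name, dot-names or NUL byte is treated as hostile
    # input and rejected outright so it can be logged, not normalised away.
    if (not name or "/" in name or "\\" in name
            or name in (".", "..") or "\x00" in name):
        raise UnsafeUploadName(f"rejected filename: {client_filename!r}")
    if pathlib.PurePosixPath(name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeUploadName(f"disallowed file type: {client_filename!r}")
    target = (root / name).resolve()
    # Containment check as defence in depth: resolve() follows symlinks, so
    # the final parent must still be the upload root itself.
    if target.parent != root:
        raise UnsafeUploadName(f"path escapes upload root: {client_filename!r}")
    return target


def store_upload(upload_root: str, client_filename: str, data: bytes) -> pathlib.Path:
    """Validate first, then create the file exclusively so an upload can never
    overwrite an existing file on the device."""
    target = safe_upload_path(upload_root, client_filename)
    with open(target, "xb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Runs both path builders over constructed filenames in a temporary
    upload root and reports what each would do with them."""
    # Constructed sample inputs: one benign name and three that should fail.
    samples = ["device.cfg", "../../outside.cfg", "/tmp/x.cfg", "upload.php"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name in samples:
            try:
                safe_upload_path(root, name)
                accepted = True
            except UnsafeUploadName:
                accepted = False
            results[name] = {
                "unsafe_target": unsafe_upload_path(root, name),
                "accepted": accepted,
            }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        verdict = "accepted" if outcome["accepted"] else "rejected"
        print(f"{name!r}: unchecked join -> {outcome['unsafe_target']}; hardened -> {verdict}")
```

Running the script shows the contrast the advisory points at: the unchecked join happily produces `/tmp/x.cfg` for an absolute name and a path outside the upload directory for the `../` name, while the hardened builder accepts only `device.cfg`. The exclusive-create flag in `store_upload` is a second, independent control, so even a validation bypass could not replace an existing file.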

FatPipe’s advisory page states that customers can mitigate the problem by disabling UI access on all WAN interfaces, or by defining Access Lists on the interface page so that access is permitted only from trusted sources.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
