APT Actor Actively Exploiting Zero-day Vulnerability in FatPipe MPVPN Devices

The Federal Bureau of Investigation (FBI) has warned users of FatPipe MPVPN devices that an Advanced Persistent Threat (APT) actor is exploiting a zero-day vulnerability in the device software and has been since at least May 2021.

The vulnerability is present in the web management interface of FatPipe software and is due to a lack of input and validation checks for certain HTTP requests. The vulnerability can be exploited by sending specially crafted HTTP requests to vulnerable FatPipe devices.

Successful exploitation of the vulnerability allows APT actors to access a restricted file upload function. In the attacks, the APT actor has exploited the vulnerability to deliver a webshell for exploitation activity with root access, which allows elevation of privileges and follow-on activity. After gaining access to FatPipe devices, the APT actor moves laterally and compromises victims’ networks.

The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN device software versions prior to 10.1.2r60p93 and 10.2.2r44p1.
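To triage a device inventory against the two fixed releases named above, the following added example (not from the FBI alert or FatPipe) classifies version strings per branch. It assumes versions follow the `<major>.<minor>.<patch>r<N>p<N>` layout seen in the article and that the `r` and `p` numbers order numerically; the hostnames and inventory are constructed.

```python
import re

# Fixed releases named in the article, one per release branch.
FIXED = ("10.1.2r60p93", "10.2.2r44p1")

# Assumed layout: <major>.<minor>.<patch>r<release>p<patch level>
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)p(\d+)$")


def parse(version):
    """Split a version string into (branch, build) integer tuples."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.groups())
    return nums[:3], nums[3:]


def classify(version):
    """Return 'vulnerable', 'patched', 'review' or 'unparsed'."""
    try:
        branch, build = parse(version)
    except ValueError:
        return "unparsed"  # never treat an unreadable version as safe
    fixed = dict(parse(v) for v in FIXED)  # branch -> first fixed build
    if branch in fixed:
        return "patched" if build >= fixed[branch] else "vulnerable"
    if branch < min(fixed):
        return "vulnerable"  # older than every fixed release
    # Branch not named in the article: confirm with the vendor advisory.
    return "review"


def audit(inventory):
    """Map each host in {host: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {
        "edge-vpn-01": "10.1.2r60p92",
        "edge-vpn-02": "10.2.2r44p1",
        "branch-warp-07": "9.1.2r150p10",
        "lab-ipvpn-01": "unknown",
    }
    for host, status in sorted(audit(sample).items()):
        print(f"{host}: {status}")
```

A "patched" result only reflects the installed version; a device that was vulnerable before the update still needs the IoC check.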

The vulnerability has not yet been assigned a CVE, but FatPipe released a patch to fix the vulnerability in October. FatPipe says there are no workarounds that can be used in place of the software update to prevent exploitation of the vulnerability; however, if it is not possible to update the software immediately, users should disable UI access on all the WAN interfaces or configure Access Lists on the interface page to allow access only from trusted sources.

As the vulnerability is being actively exploited, the FBI recommends updating the software to the latest version immediately. All users of FatPipe MPVPN devices should check for indicators of compromise (IoCs) to determine if the vulnerability has already been exploited. If IoCs are identified or any other information related to the threat is found, it should be reported to the FBI.

IoCs and YARA signatures are available in the FBI TLP:WHITE alert.

Author: NetSec Editor