The bureau’s flash alert said an APT has been exploiting the flaw to compromise FatPipe router clustering and load balancer products to breach targets’ networks.
A threat actor has been exploiting a zero-day vulnerability in FatPipe’s virtual private network (VPN) devices as a way to breach companies and gain access to their internal networks, since at least May, the FBI has warned.
“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the bureau said in a flash alert on Tuesday.
The bug — patched this week — is found in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs. The products are all types of servers that are installed at network perimeters and used to give employees remote access to internal apps via the internet, serving as part network gateways, part firewalls.
According to the alert, the flaw allowed advanced persistent threat (APT) actors to exploit a file upload function in the device’s firmware to install a webshell with root access, which led to elevated privileges.
Exploiting the vulnerability, which doesn’t yet have a CVE tracking number, gave the APT actors the ability to spread laterally into victims’ networks. FatPipe is tracking the vulnerability with its own tag, FPSA006, which contains both the patch and a security advisory that it put out on Tuesday.
The vulnerability affects all FatPipe WARP, MPVPN and IPVPN device software prior to the latest version releases: 10.1.2r60p93 and 10.2.2r44p1.
Exploit Gives Remote Attackers Admin Rights
FatPipe explained that the former zero-day, which was found in the web-management interface of the affected firmware, could allow an authenticated, remote attacker with read-only privileges to jack up their privileges to the level of an admin on an affected device.
The flaw is caused by a lack of input and validation checking mechanisms for certain HTTP requests on an affected device, FatPipe said.
“An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device,” according to the company’s advisory. “An exploit could allow the attacker as a read-only user to execute functions as if they were an administrative user.”
The FBI’s alert included a list of indicators of compromise (IOCs) and YARA malware signatures and asked organizations to “take action immediately” if they identify any related network activity.
The FBI is urging system admins to upgrade their devices immediately and to follow other FatPipe security recommendations, including disabling UI and SSH access from the WAN interface (externally facing) when not actively using it.
Join the Crowd
The news means that FatPipe has joined a club nobody wants to be part of: The league of VPN and networking equipment makers whose systems have been exploited by cyberattackers.
It’s gotten to the point that government has felt the need to step in. In September, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued guidance on selecting and hardening VPNs, recommending how to choose and harden VPNs to prevent nation-state APTs from weaponizing flaws and CVEs to break into protected networks.
After all, unsecured VPNs can be a hot mess: Just ask Colonial Pipeline (which got pwned by the REvil ransomware crooks with an old VPN password) or the 87,000 (at least) Fortinet customers whose credentials for unpatched SSL-VPNs were posted online in September.
As the government advisory explained, exploiting CVEs associated with VPNs can enable a malicious actor “to steal credentials, remotely execute code, weaken encrypted traffic’s cryptography, hijack encrypted traffic sessions and read sensitive data from the device.”
If successful, threat actors can get further malicious access that can result in a large-scale compromise of a corporate network.
A recent example of nation-state actors preying on vulnerable VPNs came in May, when Pulse Secure rushed a fix for a critical zero-day security vulnerability in its Connect Secure VPN devices. That zero day was exploited by two APTs, likely linked to China, who used it to launch cyberattacks against U.S. defense, finance and government targets, as well as victims in Europe.