The Federal Bureau of Investigation (FBI) warned of an advanced persistent threat (APT) compromising FatPipe router clustering and load balancer products to breach targets’ networks.
FatPipe is a Salt Lake City computer networking hardware firm headquartered specializing in WAN optimization solutions with many Fortune 1000 companies on its customer list.
Organizations from all major industry sectors use FatPipe products, including government and military entities, municipalities, utilities, educational facilities, and financial and medical institutions.
“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the FBI said in a flash alert issued this week.
“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity.”
Compromised VPNs used for lateral movement
After hacking into vulnerable FatPipe devices, the attackers used them to move laterally into their targets’ networks.
The zero-day bug exploited in these attacks impacts all FatPipe WARP, MPVPN, and IPVPN device software before the latest releases 10.1.2r60p93 and 10.2.2r44p1.
The vulnerability doesn’t yet have a CVE ID but, according to the FBI, FatPipe patched it this month and released a security advisory tracked under the FPSA006 tag.
“A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device,” the company says.
“The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.”
FatPipe’s advisories page also includes advice on how customers can mitigate the bug by disabling UI access on all the WAN interfaces or configuring Access Lists on the interface page to only allow access from trusted sources.
Yesterday, the FBI also warned in a joint advisory with US, UK, and Australian cybersecurity agencies that an Iranian-backed hacking group is actively exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities.