FatPipe VPN Zero-Day Exploited by APT for 6 Months
The FBI released an alert stating that advanced persistent threat (APT) groups have been exploiting a zero-day flaw in FatPipe’s virtual private network (VPN) products to breach companies and gain access to internal networks. According to the FBI, the threat groups have been exploiting the vulnerability since at least May. FBI forensic analysis revealed the exploitation of the vulnerability, which was patched this week. The flaw lies in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing device for VPNs. These products provide a range of services, are typically installed at the network perimeter, and are used to give employees remote access to internal applications over the internet.
The products function partly as gateways and partly as firewalls. The FBI alert stated that the flaw allowed APT actors to abuse a file upload function in the affected firmware, eventually leading to the installation of a web shell with root access and elevated privileges. The APT could then move laterally through victims’ networks. The zero-day allowed authenticated remote attackers with read-only privileges to escalate to administrator level. The flaw was caused by a lack of input and validation checks for certain HTTP requests, so threat actors could exploit the vulnerability by sending modified HTTP requests to vulnerable devices.
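The two checks whose absence the alert describes (authorization on the upload function, and validation of the client-supplied request) are easiest to see in a small upload handler. The following is an added example written for this article; it is not FatPipe’s code and makes no claim about how the FatPipe firmware is built. The request model, the role names, the extension allow-list and the size limit are all assumptions chosen for illustration.

```python
"""Minimal file-upload handler with the checks a web-shell upload depends on
being absent: a server-side role check, a strict filename allow-list, an
extension allow-list, a size bound, and a post-resolution path check.
Hypothetical model; all policy values and sample requests are constructed."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical policy values (constructed for this example).
ALLOWED_EXTENSIONS = {".cfg", ".pem", ".crt"}  # what this endpoint legitimately receives
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # no '/', '\\', NUL, leading '.'
MAX_BYTES = 1 << 20  # 1 MiB
UPLOAD_ROLES = {"admin"}  # read-only accounts may not upload


class UploadError(Exception):
    """Raised when a request fails any check; the message lists every failed check."""


@dataclass
class UploadRequest:
    """Fields a handler would take from the server-side session and the request body."""
    user: str
    role: str       # taken from the session, never from a client-controlled field
    filename: str   # client-supplied, untrusted
    body: bytes     # client-supplied, untrusted


def validate_upload(req: UploadRequest) -> List[str]:
    """Return every reason the request must be refused (empty list = accept).

    The checks are independent so one log line can record all of them;
    the handler refuses on any non-empty result.
    """
    problems: List[str] = []
    # 1. Authorization: a read-only role must not reach the upload path at all.
    if req.role not in UPLOAD_ROLES:
        problems.append(f"role '{req.role}' may not upload")
    # 2. Filename: allow-list pattern, so traversal characters never pass.
    if not SAFE_NAME.fullmatch(req.filename):
        problems.append("filename fails allow-list pattern")
    # 3. Extension: only what this endpoint is for; script extensions are refused.
    ext = os.path.splitext(req.filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension '{ext}' not allowed")
    # 4. Size bounds.
    if not req.body:
        problems.append("empty body")
    elif len(req.body) > MAX_BYTES:
        problems.append("body exceeds size limit")
    return problems


def save_upload(req: UploadRequest, upload_dir: str) -> str:
    """Store an accepted upload and return its path; raise UploadError otherwise.

    upload_dir is assumed to lie outside any directory the web server executes
    or serves from, so even a mis-classified file cannot become a web shell.
    """
    problems = validate_upload(req)
    if problems:
        raise UploadError("; ".join(problems))
    upload_dir = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(upload_dir, req.filename))
    # Defence in depth: confirm the resolved path is still inside upload_dir.
    if os.path.dirname(dest) != upload_dir:
        raise UploadError("resolved path escaped upload directory")
    # O_EXCL: never overwrite an existing file; 0o600: not executable, owner-only.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(req.body)
    return dest


def run_demo() -> Dict[str, str]:
    """Run constructed requests through the handler; returns one outcome per case."""
    import tempfile
    upload_dir = tempfile.mkdtemp()
    cases = {
        "readonly_user": UploadRequest("audit", "readonly", "site.cfg", b"k=v\n"),
        "traversal_name": UploadRequest("ops", "admin", "../x.cfg", b"k=v\n"),
        "script_ext": UploadRequest("ops", "admin", "script.php", b"x"),
        "valid": UploadRequest("ops", "admin", "site.cfg", b"k=v\n"),
    }
    results: Dict[str, str] = {}
    for name, req in cases.items():
        try:
            results[name] = "saved:" + os.path.basename(save_upload(req, upload_dir))
        except UploadError as exc:
            results[name] = "refused:" + str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:15s} {outcome}")
```

The role check reads from the server-side session rather than from anything in the request, which is the distinction that matters for the read-only-to-admin escalation the alert describes; the filename and extension checks are allow-lists rather than deny-lists, and the storage directory is assumed to sit outside the web root so that a stored file is data, never something the server will execute.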