The FBI has issued a flash alert about an APT group abusing a zero-day flaw in FatPipe devices and software products. FatPipe, a networking hardware firm, counts Fortune 1000 companies among its customers.

The flash alert

According to FBI forensic analysis, cybercriminals are exploiting a zero-day flaw that impacts FatPipe's MPVPN (a router clustering device), WARP (a WAN redundancy product), and IPVPN (a load-balancing and reliability device for VPNs).
  • Exploitation of the flaw dates back to May, when it was abused in the wild to breach target networks.
  • The zero-day flaw abused in these attacks impacted all FatPipe MPVPN, IPVPN, and WARP device software versions released before the latest ones, 10.2.2r44p1 and 10.1.2r60p93.
  • The flaw gave the APT group access to an unrestricted file upload function, which they used to drop a webshell running with root access. From there, they escalated privileges and carried out further activity.
  • After compromising exposed FatPipe devices, the attackers used them for lateral movement inside the networks.

The zero-day flaw

The flaw exists in the web management interface of FatPipe software.
  • It occurs due to a lack of input validation checking for specific HTTP requests on a vulnerable device.
  • This vulnerability could be exploited by sending a modified HTTP request to the device.
  • Successful exploitation could allow a remote attacker to upload a file to a location of their choosing on the filesystem of a vulnerable device.
  • The flaw has no CVE ID at present; however, FatPipe has addressed it in security advisory FPSA006.
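The root cause described above is a file upload handler that lets the client decide where on the filesystem the file lands. The following is an added example written for this article, not FatPipe's own code: it shows the validation an upload handler in a web management interface should perform before writing anything. The upload directory, the allowed file types, the size limit and the sample file names are all assumptions made for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed values for this example (not FatPipe's own paths or policy):
# the one directory the management interface may write uploads into, the file
# types the upload function is meant to accept, and a size ceiling.
UPLOAD_ROOT = Path("/var/lib/mgmt-ui/uploads")
ALLOWED_SUFFIXES = {".cfg", ".pem", ".txt"}
MAX_UPLOAD_BYTES = 1 << 20

# A bare file name: no slashes, no leading dot, a printable ASCII subset only.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UploadRejected(ValueError):
    """Raised when a client-supplied upload request fails validation."""


def resolve_upload_path(requested_name: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Map a client-supplied name onto a path confined to upload_root.

    The unsafe pattern this replaces joins the client string straight onto a
    directory (or honours a client-supplied absolute path), which is what lets
    the caller pick the destination on the filesystem. Here the name must match
    a strict allowlist pattern, carry an approved suffix, and still resolve to a
    direct child of upload_root after symlink and '..' resolution.
    """
    if not _SAFE_NAME.fullmatch(requested_name):
        raise UploadRejected(f"invalid file name: {requested_name!r}")
    if Path(requested_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"file type not allowed: {requested_name!r}")
    root = upload_root.resolve()
    candidate = (root / requested_name).resolve()
    if candidate.parent != root:
        raise UploadRejected("destination escapes the upload directory")
    return candidate


def is_safe_upload_name(requested_name: str) -> bool:
    """Convenience predicate: True if the name would be accepted."""
    try:
        resolve_upload_path(requested_name)
    except UploadRejected:
        return False
    return True


def save_upload(requested_name: str, data: bytes, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Validate and write an upload; refuses oversized data, existing files and symlinks."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("upload exceeds size limit")
    dest = resolve_upload_path(requested_name, upload_root)
    # O_EXCL refuses to overwrite an existing file; O_NOFOLLOW refuses to follow
    # a symlink planted at the destination; 0o600 keeps the file private.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def roundtrip_demo() -> tuple:
    """Write and read back a file in a temporary upload root; returns (name, contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = save_upload("router.cfg", b"hostname edge-1\n", Path(tmp))
        return dest.name, dest.read_bytes()


if __name__ == "__main__":
    for name in ("router.cfg", "../../etc/cron.d/job", "/etc/passwd", "shell.php", ".hidden.cfg"):
        print(f"{name!r:30} -> {'accept' if is_safe_upload_name(name) else 'reject'}")
    print(roundtrip_demo())
```

The containment check after `resolve()` is deliberately redundant with the name pattern: if the pattern is ever loosened, the path check still stops the upload from landing outside the directory, and the open flags stop an existing file or symlink at the destination from being overwritten.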

Preventive actions

FatPipe's advisories recommend that customers disable UI access on all WAN interfaces and configure Access Lists on the interface page so that only trusted sources can reach the UI. Moreover, the FBI's alert includes a list of indicators of compromise and YARA malware signatures, and it urges organizations to act quickly to identify suspicious network activity.
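The access-list recommendation can also be applied backwards over existing logs: any request that reached the management UI from a source outside the trusted list is worth a look, and an upload from such a source more so. The script below is an added example for this article, not an FBI or FatPipe tool; the trusted networks, the log format, the endpoint names and the sample log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed trusted-source list for this example: the networks that the
# management interface's access list would admit. Everything else reaching
# the UI is treated as suspicious, which mirrors the advisory's access-list
# recommendation applied retrospectively to logs.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.50.10/32"),
]

# Common log format with the request Content-Type appended as the final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<ctype>[^"]*)"$'
)

# Constructed sample access log lines for a web management interface; the
# endpoint names and addresses are invented, not taken from FatPipe products.
SAMPLE_LOG = """\
10.20.0.15 - admin [18/Nov/2021:09:12:01 +0000] "GET /login HTTP/1.1" 200 1842 "-"
10.20.0.15 - admin [18/Nov/2021:09:12:44 +0000] "POST /config/import HTTP/1.1" 200 311 "multipart/form-data; boundary=abc"
203.0.113.77 - - [18/Nov/2021:09:15:09 +0000] "GET /login HTTP/1.1" 200 1842 "-"
203.0.113.77 - - [18/Nov/2021:09:15:31 +0000] "POST /upload HTTP/1.1" 200 88 "multipart/form-data; boundary=xyz"
192.168.50.10 - ops [18/Nov/2021:09:20:02 +0000] "GET /status HTTP/1.1" 200 512 "-"
198.51.100.9 - - [18/Nov/2021:11:03:57 +0000] "GET /login HTTP/1.1" 401 0 "-"
"""


@dataclass(frozen=True)
class Finding:
    source: str
    timestamp: str
    rule: str
    detail: str


def is_trusted(source: str) -> bool:
    """True if the source address falls inside any trusted network."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(ip in net for net in TRUSTED_SOURCES)


def analyze(log_text: str) -> list:
    """Flag management-UI requests from outside the trusted list; uploads get their own rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        is_upload = m["method"] == "POST" and m["ctype"].startswith("multipart/form-data")
        rule = "upload-from-untrusted-source" if is_upload else "mgmt-ui-access-from-untrusted-source"
        findings.append(Finding(m["ip"], m["ts"], rule, f'{m["method"]} {m["path"]} -> {m["status"]}'))
    return findings


def sources_by_count(findings: list) -> dict:
    """Per-source tally, handy for deciding which addresses to investigate first."""
    return dict(Counter(f.source for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.source:15} {f.rule:40} {f.detail}")
    print(sources_by_count(analyze(SAMPLE_LOG)))
```

On the sample, the trusted administrator's own configuration upload is ignored while the two untrusted addresses are reported, the one that performed an upload being the obvious first lead. Hits from this kind of triage should then be checked against the indicators and YARA signatures the FBI alert provides.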

Cyware Publisher