An APT group has been exploiting a zero-day vulnerability in FatPipe networking devices since at least May 2021 to gain access to organizations’ internal networks, the U.S. Federal Bureau of Investigation revealed.
“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the agency said in a flash alert.
The vulnerability, which has not received an official CVE identifier yet, allowed the threat actor to reach an unrestricted file upload function in the device’s firmware and drop a webshell, which then gave them root access on the device for further exploitation activity.
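The root of the bug class described above is an upload handler that trusts the client-supplied file name. The following is an added, generic illustration of that weakness beside a hardened handler; it is not FatPipe’s firmware code, not the FBI’s indicators or YARA rules (which are not reproduced on this page), and the PHP one-liner, directory layout and function names are constructed for the example.

```python
"""Added example (not FatPipe code): how an unrestricted upload becomes a
webshell, and the checks that stop it. All names and paths are hypothetical."""
import os
import pathlib
import tempfile

# Constructed sample payload: a minimal PHP command-execution shell of the kind
# an attacker drops through an unrestricted upload (illustrative only).
WEBSHELL = b"<?php system($_GET['cmd']); ?>"

# Extensions the hypothetical application legitimately accepts.
ALLOWED_EXT = {".png", ".jpg", ".csv"}


def unrestricted_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Vulnerable handler: writes whatever name and content the client sends.
    A name like 'shell.php' lands in a web-served directory and runs as the
    web server's user (root on many appliances)."""
    dest = os.path.join(upload_dir, filename)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def restricted_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened handler: allow-list the extension, discard any directory
    components from the client name, and confirm the final path resolves
    inside upload_dir. Raises ValueError when the upload is rejected."""
    base = pathlib.PurePosixPath(filename).name  # strips '../' and '/' prefixes
    ext = pathlib.PurePosixPath(base).suffix.lower()
    if base in ("", ".", "..") or ext not in ALLOWED_EXT:
        raise ValueError(f"rejected upload name: {filename!r}")
    root = pathlib.Path(upload_dir).resolve()
    dest = (root / base).resolve()
    if dest.parent != root:  # defence in depth: never escape the upload root
        raise ValueError("path escapes upload directory")
    with open(dest, "wb") as f:
        f.write(data)
    return str(dest)


def demo() -> tuple:
    """Exercise both handlers in a scratch directory.

    Returns (webshell_written_by_vulnerable_handler,
             webshell_rejected_by_hardened_handler,
             traversal_name_confined_by_hardened_handler).
    """
    with tempfile.TemporaryDirectory() as d:
        root = pathlib.Path(d).resolve()

        # 1. Vulnerable handler happily writes shell.php.
        written = os.path.exists(unrestricted_save(d, "shell.php", WEBSHELL))

        # 2. Hardened handler refuses the .php extension outright.
        try:
            restricted_save(d, "shell.php", WEBSHELL)
            rejected = False
        except ValueError:
            rejected = True

        # 3. A traversal-style name with an allowed extension is reduced to
        #    its basename and stays inside the upload root.
        saved = restricted_save(d, "../../etc/cron.d/x.png", b"not really a png")
        confined = pathlib.Path(saved).parent == root

    return written, rejected, confined


if __name__ == "__main__":
    print(demo())
```

Extension allow-listing alone is not sufficient on a real appliance; the upload directory should also be mounted or configured so the web server never executes files from it, and the handler should run as an unprivileged user so that even a successfully dropped file does not inherit root.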
“During a varying length of time while the webshell was available, the actor(s) used the new SSH access to route malicious traffic through the device and target additional U.S. infrastructure,” the FBI said.
“In most cases, after the exploitation activity was complete, the following activity was observed as part of a ‘clean-up’ process to hide the malicious actor’s activity and to protect their exploit until a later date.”
The zero-day bug impacts all FatPipe WARP, MPVPN, and IPVPN device software versions prior to 10.1.2r60p93 and 10.2.2r44p1. On November 16, FatPipe released a patch to address the issue.
The FBI has also shared Indicators of Compromise (IoCs) related to the attacks, as well as YARA signatures.
“Organizations that identify any activity related to these indicators of compromise within their networks should take action immediately,” the agency said.