18 November 2021

FBI warns of a zero-day in FatPipe VPNs actively exploited by hackers


An APT group has been exploiting a zero-day vulnerability in FatPipe networking devices since at least May 2021 to gain access to organizations' internal networks, the U.S. Federal Bureau of Investigation revealed.

“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the agency said in a flash alert.

The vulnerability, which has not received an official CVE identifier yet, allowed the threat actor to gain access to an unrestricted file upload function in the device’s firmware and drop a webshell for exploitation activity with root access.

“During a varying length of time while the webshell was available, the actor(s) used the new SSH access to route malicious traffic through the device and target additional U.S. infrastructure,” the FBI said.

“In most cases, after the exploitation activity was complete, the following activity was observed as part of a "clean-up" process to hide the malicious actor’s activity and to protect their exploit until a later date.”

The zero-day bug impacts all FatPipe WARP, MPVPN, and IPVPN device software versions prior to 10.1.2r60p93 and 10.2.2r44p1. On November 16, FatPipe released a patch to address the issue.
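A fleet-triage helper for the affected version ranges above, added here as an example and not code from FatPipe or the FBI alert. It assumes FatPipe build strings compare as major.minor.patch, then the `r` number, then the `p` number, and that the inventory list (constructed below) and the assumption that branches newer than 10.2 already carry the fix are the reader's to verify against their own devices.

```python
import re
from typing import List, Tuple

# Fixed builds named in the advisory (from the article); everything older on each branch is affected.
FIXED_BUILDS = {"10.1": "10.1.2r60p93", "10.2": "10.2.2r44p1"}

# Assumed layout of a FatPipe build string: major.minor.patch, optional r<n>, optional p<n>.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:p(\d+))?$")


def parse_build(build: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.1.2r60p93' into a comparable tuple; missing r/p components count as 0."""
    m = _VERSION_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe build string: {build!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(build: str) -> bool:
    """True when the build predates the fixed release for its branch."""
    v = parse_build(build)
    branch = f"{v[0]}.{v[1]}"
    if branch in FIXED_BUILDS:
        return v < parse_build(FIXED_BUILDS[branch])
    # Branches older than 10.1 predate both fixes; newer branches are assumed to include them.
    return v < parse_build(FIXED_BUILDS["10.1"])


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, build, action) for every device that needs attention.

    Unparseable build strings are reported for manual review rather than silently skipped,
    since a device whose version cannot be read should not be assumed patched.
    """
    findings = []
    for host, build in inventory:
        try:
            if is_vulnerable(build):
                branch = build.split(".")[0] + "." + build.split(".")[1]
                target = FIXED_BUILDS.get(branch, FIXED_BUILDS["10.1"])
                findings.append((host, build, f"upgrade to {target} or later"))
        except ValueError:
            findings.append((host, build, "unparseable build string; review manually"))
    return findings


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = [
    ("vpn-edge-01", "10.1.2r60p92"),   # one patch level short of the fix
    ("vpn-edge-02", "10.1.2r60p93"),   # exactly the fixed build
    ("vpn-edge-03", "10.2.1r50p2"),    # older 10.2 build
    ("vpn-edge-04", "10.2.2r44p1"),    # fixed 10.2 build
    ("vpn-edge-05", "unknown"),        # version could not be read
]

if __name__ == "__main__":
    for host, build, action in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{build}\t{action}")
```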

The FBI has also shared Indicators of Compromise (IoCs) related to the attacks, as well as YARA signatures.

“Organizations that identify any activity related to these indicators of compromise within their networks should take action immediately,” the agency said.
