Cybersecurity Threat Alerts

20th November 2021, Kathmandu

According to the FBI’s flash notice, an APT has been exploiting the vulnerability to compromise FatPipe router clustering and load balancer products and breach targets’ networks.

According to the FBI, since at least May, a threat actor has been using a zero-day vulnerability in FatPipe’s virtual private network (VPN) equipment to hack businesses and get access to their internal networks.

“According to FBI forensic investigation as of November 2021, exploitation of a 0-day vulnerability in the FatPipe MPVPN device software dates back to at least May 2021,” the bureau claimed in a flash alert (PDF) on Tuesday.

FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs were all affected by the flaw, which was patched this week. The devices, which function partly as network gateways and partly as firewalls, sit at the network perimeter and are used to give employees remote access to internal applications over the internet.

The issue allowed APT actors to exploit a file upload function in the device’s firmware to install a web shell with root access, resulting in elevated privileges, according to the notice.

The APT actors could spread laterally into victims’ networks by exploiting the vulnerability, which has yet to be assigned a CVE number. FatPipe is keeping track of the issue with its tag, FPSA006, which includes the fix and a security advisory published on Tuesday.

The vulnerability affects all FatPipe WARP, MPVPN, and IPVPN device software prior to the latest releases, 10.1.2r60p93 and 10.2.2r44p1.

An exploit gives remote attackers administrator rights. The former zero-day, found in the affected firmware’s web management interface, could allow an authenticated remote attacker with read-only privileges to escalate to administrator on an affected device, according to FatPipe.

According to FatPipe, the weakness is a lack of input and validity checking for certain HTTP requests on a vulnerable device.

According to the company’s notice, an attacker might exploit the flaw by submitting a modified HTTP request to the affected device. “An exploit could allow a read-only user to perform administrative duties.”

The FBI’s alert includes a list of indicators of compromise (IOCs) and YARA malware signatures, as well as a request that enterprises “take quick action” if they see any suspicious network behavior.

The FBI advises system administrators to upgrade their equipment as soon as possible and follow other FatPipe security guidelines, such as limiting UI and SSH access from the WAN interface (externally facing) when not in use.
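One practical first step for the upgrade advice above is to check which devices in an inventory are still running software older than the FPSA006 fixed releases. The following is an added example, not FatPipe or FBI code; it assumes FatPipe version strings follow the `major.minor.point` `r<release>` `p<patch>` pattern seen in the two fixed version numbers, and the inventory rows are constructed sample data.

```python
import re
from typing import List, Tuple

# Fixed releases named in FatPipe advisory FPSA006 (from the article).
FIXED_RELEASES = ("10.1.2r60p93", "10.2.2r44p1")
AFFECTED_PRODUCTS = {"WARP", "MPVPN", "IPVPN"}

# Assumption: versions look like "10.1.2r60p93" = major.minor.point,
# 'r' release number, optional 'p' patch level (missing patch = 0).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:p(\d+))?$")

Version = Tuple[int, int, int, int, int]


def parse_version(s: str) -> Version:
    """Turn a FatPipe version string into a comparable tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version string: {s!r}")
    major, minor, point, rel, patch = m.groups()
    return (int(major), int(minor), int(point), int(rel), int(patch or 0))


def is_vulnerable(product: str, version: str) -> bool:
    """True if product/version predates the FPSA006 fix for its branch."""
    if product.upper() not in AFFECTED_PRODUCTS:
        return False
    v = parse_version(version)
    fixed = [parse_version(f) for f in FIXED_RELEASES]
    # Compare against the fixed release of the same major.minor branch.
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    # Assumption: a branch older than every fixed branch is unpatched;
    # a newer branch is treated as already carrying the fix.
    return v[:2] < min(f[:2] for f in fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("vpn-gw-1", "MPVPN", "10.1.2r60p92"),  # one patch level short
    ("vpn-gw-2", "WARP", "10.2.2r44p1"),    # exactly the fixed release
    ("vpn-gw-3", "IPVPN", "10.2.1r10"),     # older 10.2 build
    ("vpn-gw-4", "MPVPN", "10.1.2r60p93"),  # exactly the fixed release
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the FPSA006 upgrade")
```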

FatPipe has now joined a club no one wants to belong to: the league of VPN and networking equipment manufacturers whose products have been hacked.

It has reached the point where the government feels compelled to intervene. In September, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States jointly issued guidance on selecting and hardening VPNs, aimed at preventing nation-state APTs from weaponizing flaws and CVEs to break into protected networks.

After all, ask Colonial Pipeline (which was hacked by the REvil ransomware using an old VPN password) or the 87,000 (at least) Fortinet customers whose passwords for unpatched SSL-VPNs were leaked online in September.

Using CVEs connected with VPNs, a hostile actor can “steal credentials, remotely execute malware, weaken encrypted traffic’s encryption, hijack encrypted traffic sessions, and access sensitive data from the device,” according to the government advisory.

If successful, threat actors can gain further malicious access to a corporate network, potentially leading to a large-scale breach.

In May, Pulse Secure rushed out a fix for a serious zero-day vulnerability in its Connect Secure VPN appliances, demonstrating how nation-state attackers feast on insecure VPNs. Two APTs, most likely linked to China, used the zero-day to carry out cyberattacks against US defense, banking, and government targets, as well as European victims.
