[TheRecord] FBI: An APT abused a zero-day in FatPipe VPNs for six months

The US Federal Bureau of Investigation said it discovered an advanced persistent threat (APT) abusing a zero-day vulnerability in FatPipe networking devices as a way to breach companies and gain access to their internal networks.

“As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the agency said in a flash security alert sent out on Tuesday.

The FBI said the vulnerability allowed the hacking group to exploit a file upload function in the device’s firmware and install a webshell with root access.

The FBI said it spotted the hackers abusing the zero-day only against FatPipe MPVPN devices, but the vulnerability also impacted other products, such as IPVPN and WARP.

All are different types of virtual private network (VPN) servers that companies install at the perimeter of their corporate networks and use to allow employees remote access to internal applications via the internet, acting as a mash-up between network gateways and firewalls.

Patch released yesterday, November 16

The FBI said the zero-day it discovered during its investigation does not currently have its own CVE identifier, but FatPipe has released a patch and additional information via an internal security advisory tracked as FPSA006.

To help IT and security teams check if their FatPipe systems have been hacked and detect the intruder’s webshells, the FBI has also published several indicators of compromise (IOCs) and YARA signatures as part of its alert [PDF].
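The alert pairs file-based IOCs with YARA signatures, which is the standard shape of a webshell sweep: walk the device or backup filesystem, match candidate files against signatures, and hash every hit so it can be compared with the published indicators. The script below is an added illustration of that workflow and is not code from the FBI alert or from FatPipe; the rule set is a constructed stand-in (a few generic regexes for shell-like PHP) rather than the real YARA rules in the PDF, and the sample files are constructed in a temporary directory. The `since` filter uses the "at least May 2021" date from the alert as a triage cut-off.

```python
"""Sweep a filesystem snapshot for webshell indicators (added example).

The RULES dict is a constructed placeholder for the YARA signatures published
in the alert; swap in the real rules (for example via the yara-python library)
when running this against an actual FatPipe image or backup.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed rule set: generic traits of PHP webshells, not the FBI's rules.
RULES = {
    "php_exec_call": re.compile(rb"\b(shell_exec|passthru|system|popen)\s*\(", re.I),
    "eval_of_decoded_payload": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I
    ),
    "request_param_to_call": re.compile(rb"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\)", re.I),
}

# Earliest exploitation date stated in the alert ("at least May 2021").
SINCE = datetime(2021, 5, 1, tzinfo=timezone.utc).timestamp()


def sha256_file(path):
    """Hash a file in chunks so large images do not get loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_rules(data, rules=RULES):
    """Return the sorted names of every rule that fires on the file content."""
    return sorted(name for name, rx in rules.items() if rx.search(data))


def scan_tree(root, since=None, rules=RULES, max_size=1 << 20):
    """Walk `root`, keep files modified at or after `since` (None = no filter),
    and return one record per hit with the matched rules and a SHA-256 that
    can be compared against published IOC hashes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            if (since is not None and st.st_mtime < since) or st.st_size > max_size:
                continue
            with open(path, "rb") as f:
                data = f.read()
            names = match_rules(data, rules)
            if names:
                hits.append({"path": path, "rules": names, "sha256": sha256_file(path)})
    return hits


def build_sample_tree():
    """Constructed sample: one benign page and one planted shell-like file."""
    root = tempfile.mkdtemp(prefix="webshell_sweep_")
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php echo 'status: ok'; ?>\n")
    with open(os.path.join(root, "cache.php"), "wb") as f:
        f.write(b"<?php @eval(base64_decode($_POST['c'])); ?>\n")
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree(), since=SINCE):
        print(hit["sha256"], ",".join(hit["rules"]), hit["path"])
```

The modification-time filter is only a triage aid: an intruder with root can reset timestamps, so a full sweep should run with `since=None` and rely on the signatures and hashes, and any hit should be preserved (path, hash, and a copy of the file) before the device is rebuilt.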

FatPipe now joins a long list of networking equipment makers that have had their systems abused for cyber intrusions. The list includes the likes of Cisco, Microsoft, Oracle, F5 Networks, Palo Alto Networks, Fortinet, and Citrix, just to name the bigger ones.

Attacks targeting networking devices such as firewalls, VPN servers, network gateways, and load balancers ramped up during the ongoing COVID-19 pandemic, when threat actors realized that these devices are installed in almost all large corporate and government networks as a way to let remote workers connect to internal applications.

The post FBI: An APT abused a zero-day in FatPipe VPNs for six months appeared first on The Record by Recorded Future.

