The Federal Bureau of Investigation (FBI) issued a flash alert this week warning of an Advanced Persistent Threat (APT) group that has been compromising FatPipe router clustering and load balancer products to breach victim networks. According to the flash alert, “As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021.” The zero-day gives the APT actors access to an unrestricted file upload function, which they use to drop a webshell; the resulting exploitation activity runs with root access, giving them elevated privileges on the device. Once a device is compromised, the threat actor can use it as a foothold to move laterally through the network. The zero-day bug exploited in these attacks affects all FatPipe WARP, MPVPN, and IPVPN device software prior to versions 10.1.2r60p93 and 10.2.2r44p1. The vulnerability does not yet have a CVE ID assigned, but FatPipe released a patch a month ago.
Since FatPipe has released a patch for this vulnerability, any organization running these devices must confirm that the most up-to-date version is installed. Threat actors routinely prey on victims that are slow to update and patch devices. FatPipe included other mitigation suggestions in a report, including using a strong admin password and disabling both the FatPipe user interface and console access from the WAN when not in use.
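The first step in that patching advice is knowing which devices in an inventory still run a build older than the fixed versions named above. The script below is an added example, not code from the FBI alert or from FatPipe: it parses the version strings into comparable tuples and flags devices that are prior to the fixed build on their release line. The parsing scheme (major.minor.patch followed by optional `r<release>` and `p<patch level>` fields) is an assumption inferred from the two version strings quoted in the article, not a documented FatPipe convention, and the device names and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple

# Fixed versions quoted in the article, one per release line (10.1.x and 10.2.x).
FIXED_VERSIONS = ("10.1.2r60p93", "10.2.2r44p1")

# Assumed format: major.minor.patch, then optional 'r<release>' and 'p<patch level>'.
# This layout is inferred from the two strings above, not taken from vendor docs.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:r(\d+))?(?:p(\d+))?$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int
    plevel: int

    @property
    def line(self):
        # Release line used to pick the matching fixed build (e.g. (10, 1)).
        return (self.major, self.minor)


def parse_version(text: str) -> Version:
    """Turn '10.1.2r60p93' into Version(10, 1, 2, 60, 93); missing r/p fields become 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    return Version(*[int(g) if g is not None else 0 for g in m.groups()])


def is_vulnerable(installed: str) -> bool:
    """True when the installed build is prior to the fixed build for its release line."""
    v = parse_version(installed)
    fixed = [parse_version(f) for f in FIXED_VERSIONS]
    same_line = [f for f in fixed if f.line == v.line]
    if same_line:
        return v < same_line[0]
    # No fixed build on this release line: anything older than every fixed build
    # is "prior to" the patch; anything newer is treated as already patched.
    return v < min(fixed)


def triage(inventory):
    """Return the names of devices still running a vulnerable build.

    inventory: iterable of (device_name, version_string) pairs.
    """
    return [name for name, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; these are not real devices.
    sample = [
        ("mpvpn-hq", "10.1.2r60p92"),     # one patch level short of the fix
        ("warp-branch", "10.1.2r60p93"),  # exactly the fixed build
        ("ipvpn-dc", "10.2.2r44"),        # missing the p1 patch level
        ("mpvpn-lab", "10.2.2r44p1"),     # exactly the fixed build
        ("legacy", "10.0.5r10p2"),        # older release line, prior to both fixes
    ]
    for name in triage(sample):
        print(f"{name}: vulnerable build, upgrade required")
```

Run it against an exported device list, or replace `sample` with the output of whatever inventory tool records firmware versions. Because the comparison is tuple-wise, a version that differs only in the trailing `p` field (10.2.2r44 versus 10.2.2r44p1) is correctly reported as vulnerable, which a plain string comparison would miss.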