The FBI has issued an alert revealing exploitation of a zero-day vulnerability in FatPipe MPVPN device software. APT actors exploiting the FatPipe MPVPN zero-day gain access to an unrestricted file upload function, which they use to drop a webshell that runs with root access, giving them elevated privileges on the appliance and a foothold for follow-on activity. According to the FBI statement, the vulnerability has not yet been assigned a CVE number, but it can be tracked under FatPipe Security Advisory number FPSA006. All versions of FatPipe WARP, MPVPN, and IPVPN device software prior to the updated releases are affected.
In an alert from the Internet Crime Complaint Center (IC3), the #FBI warns of exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021. https://t.co/xO7THvjxjf
— FBI Seattle (@FBISeattle) November 18, 2021
The FBI has asked users to report any of the following immediately:
- Identification of indicators of compromise.
- Presence of webshell code on compromised FatPipe WARP, MPVPN, and IPVPN appliances.
- Unauthorized access to or use of accounts.
- Evidence of lateral movement by malicious actors with access to compromised systems.
- Malicious IP addresses identified through log file searches and session activity.
- Suspicious or malicious .bash_history contents.
- Other indicators of unauthorized access or compromise.
Users are also asked to share any other information related to the vulnerability with the authorities.
Organizations that discover a FatPipe MPVPN zero-day compromise on their networks are advised to take immediate action.
FatPipe released a patch and security advisory, FPSA006, on November 16, 2021, that fixes the vulnerability.
All FatPipe WARP, MPVPN, and IPVPN device software prior to releases 10.1.2r60p93 and 10.2.2r44p1 is at risk. The security advisory and additional details are available at the following URL: https://fatpipeinc.com/support/cve-list.php.
The FBI strongly urges system administrators to upgrade their devices immediately and to follow FatPipe's other security recommendations, such as disabling UI and SSH access from the externally facing WAN interface when it is not actively in use.
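The fixed releases named above (10.1.2r60p93 and 10.2.2r44p1) only help if an administrator can tell which inventoried appliances still run an earlier build. The following triage helper is an added example, not code from the FBI alert or from FatPipe; it assumes the version strings follow the `major.minor.patchr<release>p<hotfix>` pattern seen in the advisory, that each fixed release applies to its own 10.1 / 10.2 branch, and that components compare numerically. The inventory lines are constructed sample data.

```python
import re
from typing import NamedTuple, Optional


class FatPipeVersion(NamedTuple):
    """Assumed layout: 10.1.2r60p93 -> major.minor.patch, release 60, hotfix 93."""
    major: int
    minor: int
    patch: int
    release: int
    hotfix: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)p(\d+)$")


def parse_version(text: str) -> FatPipeVersion:
    """Parse a FatPipe-style version string; raises ValueError on anything else."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised FatPipe version string: {text!r}")
    return FatPipeVersion(*(int(g) for g in match.groups()))


# Fixed releases from FatPipe advisory FPSA006, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (10, 1): parse_version("10.1.2r60p93"),
    (10, 2): parse_version("10.2.2r44p1"),
}


def is_affected(version_text: str) -> Optional[bool]:
    """True if the build predates its branch's fix, False if patched,
    None if the branch is not covered by the advisory text (verify manually)."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get((version.major, version.minor))
    if fixed is None:
        # Anything older than the 10.1 branch has no listed fix: treat as affected.
        return True if (version.major, version.minor) < (10, 1) else None
    return version < fixed  # NamedTuple compares component by component


def triage(inventory: str) -> dict:
    """Group 'hostname<TAB>version' lines into affected / patched / unknown."""
    buckets = {"affected": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split("\t", 1)
        state = is_affected(version)
        key = "unknown" if state is None else ("affected" if state else "patched")
        buckets[key].append(host)
    return buckets
```

Run `triage` over an export of appliance hostnames and firmware versions; every host in the `affected` bucket is a candidate for the webshell and `.bash_history` checks the FBI lists.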
The Rising Popularity of Zero-day Exploits
A recently published CISO Mag article discussed how several cybercriminal groups have been found buying zero-day vulnerabilities, such as the zero-day in FatPipe MPVPN, and leasing exploit-as-a-service models on dark web forums.
Per a report from Digital Shadows, cybercriminal groups and state-sponsored actors are increasingly willing to purchase information on vulnerabilities and exploits from cybercrime affiliates on the dark web. Demand for zero-day vulnerabilities is reportedly high, as many ransomware operators are interested in buying them. Digital Shadows claims that the price of a zero-day flaw could go up to $10 million.