The FBI has identified an APT group that is exploiting a previously unknown vulnerability in the FatPipe MPVPN router clustering device to gain initial access to networks, install webshells, and then maintain long-term access.
In a new alert published Thursday, the FBI said the unnamed group is using the vulnerability to compromise target devices, download a new SSH server and set of keys, and then overwrite the existing legitimate SSH server and keys. The attackers then restart the SSH service and use it to route malicious traffic through the compromised device to target other networks.
“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors,” the FBI alert says.
The vulnerability has not yet been assigned a CVE number, but FatPipe has released updated software to address it. The bug affects FatPipe WARP, MPVPN, and IPVPN devices running versions of the software earlier than 10.1.2r60p93 and 10.2.2r44p1.
“The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device,” the FatPipe advisory says.
The FatPipe products are used in enterprise and managed service provider environments to provide VPN acceleration and optimization.
After the attackers compromise a device and set up the webshell and malicious SSH service, they perform several actions to hide the exploitation activity, including restoring the legitimate SSH service, overwriting some log entries, and removing the webshell.
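Because the legitimate SSH service is put back afterwards, a one-time comparison of a device's host key against its baseline shows nothing; the transient swap is only visible in a history of scans. The following Python script is an added example (not from the FBI alert or FatPipe's advisory) that computes OpenSSH-style SHA256 fingerprints of the host keys seen in periodic scans and flags both the replacement and the later restoration; the device names, keys and timestamps are constructed.

```python
import base64
import hashlib

def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key line ("ssh-ed25519 AAAA... comment")."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def detect_key_drift(observations):
    """Flag devices whose presented SSH host key changed between scans.

    observations: iterable of (timestamp, device, pubkey_line) from periodic scans.
    The first key seen per device is its baseline. A move away from the baseline
    is 'key_replaced'; a later return to it is 'key_restored'. The second event is
    what a point-in-time baseline check misses once the attackers have restored
    the legitimate SSH server.
    """
    baseline, last, alerts = {}, {}, []
    for ts, dev, key in sorted(observations):
        fp = ssh_fingerprint(key)
        if dev not in baseline:
            baseline[dev] = last[dev] = fp
            continue
        if fp != last[dev]:
            event = "key_restored" if fp == baseline[dev] else "key_replaced"
            alerts.append({"time": ts, "device": dev, "event": event,
                           "from": last[dev], "to": fp})
        last[dev] = fp
    return alerts

# Constructed sample keys and scan history (not real FatPipe keys or logs).
LEGIT_A = "ssh-ed25519 " + base64.b64encode(b"constructed legit host key A").decode()
LEGIT_B = "ssh-ed25519 " + base64.b64encode(b"constructed legit host key B").decode()
ROGUE_Z = "ssh-ed25519 " + base64.b64encode(b"constructed attacker host key Z").decode()

SCAN_HISTORY = [
    ("2021-11-01T00:00Z", "vpn-edge-1", LEGIT_A),
    ("2021-11-02T00:00Z", "vpn-edge-1", LEGIT_A),
    ("2021-11-03T00:00Z", "vpn-edge-1", ROGUE_Z),  # SSH server and keys overwritten
    ("2021-11-04T00:00Z", "vpn-edge-1", LEGIT_A),  # legitimate service restored
    ("2021-11-01T00:00Z", "vpn-edge-2", LEGIT_B),
    ("2021-11-02T00:00Z", "vpn-edge-2", LEGIT_B),
]

if __name__ == "__main__":
    for alert in detect_key_drift(SCAN_HISTORY):
        print(alert)
```

Feeding the script real scan output (for example the key lines returned by `ssh-keyscan`) requires the scans to be kept and compared over time rather than overwritten on each run.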
“FBI strongly urges system administrators to upgrade their devices immediately and to follow other FatPipe security recommendations such as disabling UI and SSH access from the WAN interface (externally facing) when not actively using it,” the alert says.