Letter/Comment
FBI Flash Report (TLP WHITE) An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software
16 November 2021
FLASH Number
AC-000155-MW
The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS/CISA.
This FLASH has been released TLP:WHITE
Summary
As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors. This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.
The compromise of affected systems running FatPipe MPVPN software involves exploiting a servlet at the URL path /fpui/uploadConfigServlet and dropping a webshell /fpui/img/1.jsp with root privileges. View the detailed report below.
For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:
John Riggi
Senior Advisor for Cybersecurity and Risk, AHA
jriggi@aha.org
(O) +1 202 626 2272
Key Resources
Related Resources
Letter/Comment