Flash Notice - APT Group Exploits FatPipe Zero-Day Vulnerability for 6 Months

Overview

The FBI issued a notice yesterday warning that APT has been exploiting a zero-day vulnerability in FatPipe’s router clustering and load balancer products. FatPipe is a computer networking hardware firm in Salt Lake City that specializes in WAN optimization solutions for many Fortune 1000 companies. The FBI performed a forensic analysis which indicated that the vulnerability in the device software goes back to at least May 2021.

The flaw is found in the device software for FatPipe’s WARP WAN redundancy product, its IPVPN load balancing and reliability device for VPNs, and in its MPVPN router clustering device. The zero-day vulnerability allows for attackers to gain access to their victims’ virtual private networks (VPN), as well as access to an unrestricted file upload function. This access then allows APT to drop a webshell for exploitation activity with root access, leading to escalated privileges and potential follow-on activity. The attackers are using the compromised VPNs to move laterally into their targets’ networks.

While there is no CVE identification number for the vulnerability yet, FatPipe patched the vulnerability this month and it can be tracked under the FPSA006 tag. FatPipe products are used by many government organizations, as well as organizations within the utilities, education, financial industries. The company stated that this kind of vulnerability could allow a remote attacker to upload a file to any location the filesystem on an affected device and allow them to execute functions as if they were an administrative user.

The FatPipe Zero-Day Vulnerability affects the followings versions of the software:

10.1.2r60p91
10.2.2r42

FatPipe advises to update to the following versions:

10.2.2r44p1
10.1.2r60p93

How Avertium is Protecting Our Clients & Recommendations

FatPipe stated that there aren’t any workarounds to address the vulnerability. However, to mitigate an attack, they recommend disabling UI access on all the WAN interfaces or configuring Access Lists on the interface page to only allow access from trusted sources.
Avertium recommends that you patch your device as soon as possible. We also recommend a Zero Trust Architecture, like AppGate, to stop malware lateral movement.
Avertium has a team of dedicated cyber security analysts who are thoroughly looking for Indicators of Compromise related to the exploitation of the vulnerabilities. If any workarounds are discovered, our analysts will be the first to implement them.

indicators of compromise (iocs):

<tomcat-installation-path>/webapps/fpui/img/1.jsp

/etc/ssh/sshd_config.bak

/root/.ssh/authorized_keys.bak

Search Tomcat access logs, located at - /var/log/tomcat/localhost_access_log*, for:

- POST requests to the URL: /fpui/uploadConfigServlet?fileNumber=undefined

- GET requests to the URL, with commands: /fpui/img/1.jsp

Search SSH access/secure logs under /var/log for successful SSH connections via public key from unknown IP addresses: Accepted public key for root

Search wtmp and lastlog files for sessions from unknown IP addresses
Search Tomcat error logs, located at /var/log/tomcat/catalina*, for the following caught exception:

ERROR com.fatpipe[.]centralmanager.servlet.UploadConfigServlet-Exception occurred while uploading config. Exception is : null

Yara Signatures

rule APT_Webshell_1_jsp {

strings:

$s1 = "Runtime.getRuntime().exec(request[.]getParameter("

$s2 = "request.getParameter(\"pwd\")"

$s3 = "while((a=in.read(b))!=-1){"

condition:

filesize < 25KB and 2 of them }