The US FBI said it discovered an APT abusing a zero-day vulnerability in FatPipe networking devices as a way to breach companies and gain access to their internal networks.

The vulnerability allowed the hacking group to exploit a file upload function in the device’s firmware and install a webshell with root access. The hackers abused the zero-day only against FatPipe MPVPN devices, but the vulnerability also impacted other products, such as IPVPN and WARP.


All are different types of VPN servers that companies install at the perimeter of their corporate networks and use to allow employees remote access to internal applications via the internet, acting as a mash-up between network gateways and firewalls.

FatPipe has released a patch and additional information via an internal security advisory tracked as FPSA006. The company said the zero-day could be exploited to overwrite an affected device’s configuration file, which allows attackers to take full control of unpatched systems.

FatPipe now joins a long list of networking equipment makers that have had their systems abused for cyber intrusions. The list includes the likes of Cisco, Microsoft, Oracle, F5 Networks, Palo Alto Networks, Fortinet, and Citrix, just to name the bigger ones.

Attacks targeting networking devices such as firewalls, VPN servers, network gateways, and load balancers ramped up during the ongoing COVID-19 pandemic, when threat actors realized that these devices are installed in almost all large corporate and government networks as a way to let remote workers connect to internal applications.


YARA Signature

rule APT_Webshell_1_jsp {
    strings:
        $s1 = "Runtime.getRuntime().exec(request.getParameter("
        $s2 = "request.getParameter(\"pwd\")"
        $s3 = "while((a=in.read(b))!=-1){"
    condition:
        filesize < 25KB and 2 of them
}
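The rule above is meant to be loaded into YARA as-is. For readers who want to understand exactly what it matches, or to triage a directory of JSP files on a host where yara-python is not installed, the following Python script is an added example (not part of the FBI advisory or FatPipe's own tooling). It re-implements only this one rule's semantics: the three byte patterns, YARA's 25KB size limit (1 KB = 1024 bytes), and the "2 of them" threshold. The sample file contents in `demo()` are constructed here for illustration and are not real webshells.

```python
import os
import tempfile

# The three string patterns from APT_Webshell_1_jsp, as raw bytes.
# YARA's \" escape in $s2 becomes a literal double quote.
PATTERNS = {
    "$s1": b'Runtime.getRuntime().exec(request.getParameter(',
    "$s2": b'request.getParameter("pwd")',
    "$s3": b'while((a=in.read(b))!=-1){',
}
MAX_SIZE = 25 * 1024   # "filesize < 25KB"; YARA's KB is 1024 bytes
MIN_MATCHES = 2        # "2 of them"


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule's condition against one file's content.

    Returns which patterns hit, the size, and whether the whole
    condition (size limit AND at least two patterns) is satisfied.
    """
    hits = [name for name, pat in PATTERNS.items() if pat in data]
    matched = len(data) < MAX_SIZE and len(hits) >= MIN_MATCHES
    return {"matched": matched, "size": len(data), "hits": hits}


def scan_directory(root: str, exts=(".jsp", ".jspx")) -> dict:
    """Walk a tree and evaluate the rule on every file with a JSP extension.

    Returns {path: result} so callers can assert on it rather than parse output.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = evaluate_rule(fh.read())
    return results


# Constructed sample contents (hypothetical, for illustration only).
BENIGN_JSP = b'<%@ page contentType="text/html" %>\n<html><body>Status: OK</body></html>\n'

# Contains $s2 and $s3 fragments only; enough for "2 of them" to fire.
SUSPICIOUS_JSP = (
    b'<% String p = request.getParameter("pwd");\n'
    b'   byte[] b = new byte[1024]; int a;\n'
    b'   while((a=in.read(b))!=-1){ out.write(b, 0, a); } %>\n'
)

# Same content padded past 25KB: the size clause suppresses the match,
# which is the caveat a defender should know about when relying on
# filesize limits in signatures.
PADDED_JSP = SUSPICIOUS_JSP + b"<!-- " + b"A" * 26000 + b" -->\n"


def demo() -> dict:
    """Write the constructed samples to a temp dir, scan it, and return
    {filename: matched} for the three files."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "index.jsp": BENIGN_JSP,
            "upload.jsp": SUSPICIOUS_JSP,
            "padded.jsp": PADDED_JSP,
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        scanned = scan_directory(tmp)
        return {os.path.basename(p): r["matched"] for p, r in scanned.items()}


if __name__ == "__main__":
    for name, matched in sorted(demo().items()):
        print(f"{name}: {'MATCH' if matched else 'clean'}")
```

Run it directly to see the three verdicts, or import `evaluate_rule` into a larger triage script. The padded sample illustrates why a size-bounded signature is a triage aid rather than a guarantee: a file that carries the same strings but exceeds the limit is not flagged, so a full response should still review any unexpected JSP files on an appliance's filesystem rather than rely on the rule alone.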