Hackers have been exploiting a zero-day vulnerability in FatPipe VPN software since May, the FBI has announced.
A patch has been released, so anyone running FatPipe WARP, MPVPN, or IPVPN software should update immediately to protect themselves going forward. Note that patching only closes the hole: it does not remove a webshell or any other foothold an attacker has already planted, so systems that were exposed before the update still need to be checked.
What to Know
The attackers are a group sophisticated enough to be labelled an “advanced persistent threat,” or APT, and have been using the flaw to gain access to companies' internal networks for months, according to the FBI's forensic analysis.
The FBI statement itself explains that the flaw allowed hackers to exploit a file upload function:
“The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors.”
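To make the FBI's description concrete, here is an added illustration (example code written for this article, not FatPipe's software, whose upload endpoint the statement does not describe in detail) of what "unrestricted file upload" means in practice: a handler that trusts the client-supplied filename and content and writes it into the web root, beside a hardened version that allowlists types, checks file magic, discards the client name and stores the file outside the web root. The directory layout, allowed types, size cap and sample payloads are all assumptions.

```python
"""Added illustration: an 'unrestricted' upload handler of the kind the FBI
statement describes, beside a hardened one. Example code for this article,
not FatPipe's code; directory names, allowed types and size cap are assumed."""
import os
import secrets
import tempfile
from pathlib import Path

# Constructed sample payloads (not real malware): a PNG header and a PHP webshell stub.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
WEBSHELL_SAMPLE = b"<?php system($_GET['c']); ?>"

# Allowlist (assumed): extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed size cap


def save_upload_unrestricted(web_root: str, filename: str, data: bytes) -> str:
    """Vulnerable pattern: trusts the client-supplied name and content and writes
    it under the web root. A name like 'shell.php' becomes server-side code that
    the attacker can then call over HTTP, exactly the webshell drop described."""
    dest = os.path.join(web_root, "uploads", filename)  # no validation at all
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(storage_root: str, filename: str, data: bytes) -> str:
    """Hardened pattern: allowlisted extension checked against file magic, the
    client name replaced by a random one, and the file stored in a directory
    outside the web root that the web server never executes or serves directly."""
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("file too large")
    store = Path(storage_root).resolve() / "blobs"
    store.mkdir(parents=True, exist_ok=True)
    dest = store / (secrets.token_hex(16) + ext)  # client name never touches disk
    if store not in dest.resolve().parents:      # belt and braces: no path escape
        raise ValueError("path escapes storage directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o640)  # data file, never executable
    return str(dest)


def demo() -> dict:
    """Run both handlers against the constructed samples in a scratch directory."""
    base = tempfile.mkdtemp(prefix="upload-demo-")
    out = {}
    out["unrestricted_path"] = save_upload_unrestricted(base, "shell.php", WEBSHELL_SAMPLE)
    out["unrestricted_is_php"] = out["unrestricted_path"].endswith("shell.php")
    for name, data in (("shell.php", WEBSHELL_SAMPLE), ("shell.png", WEBSHELL_SAMPLE)):
        try:
            save_upload_hardened(base, name, data)
            out[name] = "accepted"
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    good = save_upload_hardened(base, "../../evil.png", PNG_SAMPLE)
    out["hardened_basename"] = os.path.basename(good)
    out["hardened_in_store"] = os.path.dirname(good) == os.path.join(os.path.realpath(base), "blobs")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unrestricted handler happily writes `shell.php` into a web-served directory; the hardened one rejects it on extension, rejects a PHP payload renamed to `.png` on magic bytes, and strips the traversal and the name from `../../evil.png` before storing it in a non-served directory. Separating the storage directory from the web root is the control that matters most: even if a check is bypassed, nothing written there is executed.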
The statement includes the technical details an IT team can use to hunt for signs of the intrusion on their own networks, and advises any organization that finds activity indicating it has been compromised to “take action immediately.”
However, that's easier said than done, as the FBI found that, in most cases, the hackers ran cleanup scripts to remove traces of their activity. A device that looks clean is therefore not proof that it was never touched: logs that were forwarded off the appliance before a cleanup ran, and records from neighbouring systems the attackers pivoted to, are where evidence is more likely to survive.
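One source a cleanup script on the appliance cannot reach is log data that left the device before the script ran. The following Python is an added example, not part of the FBI statement and not FatPipe's software or indicators: it runs the upload-then-webshell pattern the statement describes over constructed web server access log lines, looking for a successful POST to an upload endpoint followed by requests for a server-side script inside the upload directory. The endpoint path `/upload`, the `/uploads/` directory, the script extension list and the log lines themselves are assumptions constructed for the example.

```python
"""Added example: hunting for the upload-then-webshell pattern in web server
access logs. Not FatPipe's software or the FBI's indicators; the endpoint
path, upload directory and log lines below are constructed for illustration."""
import re
from datetime import datetime

# Assumed application layout (hypothetical, not FatPipe's real paths).
UPLOAD_ENDPOINTS = {"/upload"}
UPLOAD_DIR_PREFIX = "/uploads/"
# Server-side script extensions that have no business inside an upload directory.
SCRIPT_EXTS = (".php", ".jsp", ".jspx", ".aspx", ".asp", ".cgi", ".pl", ".py", ".sh")

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not a real capture). Client 203.0.113.7 uploads a file,
# then immediately starts calling a PHP file that appeared in the upload directory.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jun/2021:10:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2021:10:14:33 +0000] "POST /upload HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Jun/2021:10:14:35 +0000] "GET /uploads/img.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.25.1"
203.0.113.7 - - [03/Jun/2021:10:14:40 +0000] "GET /uploads/img.php?c=cat+/etc/passwd HTTP/1.1" 200 1260 "-" "python-requests/2.25.1"
10.0.0.8 - - [03/Jun/2021:10:20:00 +0000] "POST /upload HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Jun/2021:10:20:05 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"], _, e["query"] = e["target"].partition("?")
    e["status"] = int(e["status"])
    return e


def find_webshell_drops(lines, window_seconds: int = 3600) -> list:
    """Return one finding per script path served from the upload directory, tied to
    any successful upload POSTs in the preceding window. Benign uploads (report.pdf)
    produce nothing; a script file there is suspicious even with no matching POST."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    uploads = []   # successful POSTs to the upload endpoint, in time order
    findings = {}  # script path -> finding
    for e in events:
        if e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS and 200 <= e["status"] < 300:
            uploads.append(e)
            continue
        if not (e["path"].startswith(UPLOAD_DIR_PREFIX) and e["path"].lower().endswith(SCRIPT_EXTS)):
            continue
        f = findings.get(e["path"])
        if f is None:
            recent = [u for u in uploads if 0 <= (e["ts"] - u["ts"]).total_seconds() <= window_seconds]
            f = findings[e["path"]] = {
                "script": e["path"],
                "first_hit": e["ts"].isoformat(),
                "first_query": e["query"],
                "clients": set(),
                "uploaded_by": sorted({u["ip"] for u in recent}),
                "hits": 0,
            }
        f["hits"] += 1
        f["clients"].add(e["ip"])
    return [dict(f, clients=sorted(f["clients"])) for f in findings.values()]


if __name__ == "__main__":
    for finding in find_webshell_drops(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log this yields a single finding for `/uploads/img.php`, first hit two seconds after a POST to `/upload` from the same address, with the query string (`c=id`) that a command-taking webshell would carry; the later PDF upload from the internal client is not flagged. Run against real logs, the upload endpoint and directory need to be set to the application's actual paths, and the "uploaded_by" addresses become the starting point for looking at what else those clients touched.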
Can You Trust Your VPN?
Yes, the flaw in question has been patched by now, but that's small comfort to the companies who are just now learning they were fully exposed and potentially hacked over the last six months. In situations like these, the security of any virtual private network service comes under scrutiny.
FatPipe wasn't on our list of the most trusted and secure VPNs, where we ranked NordVPN, IPVanish, and PureVPN among the cream of the business-data-securing crop. Bear in mind that FatPipe's WARP, MPVPN and IPVPN are network appliances that sit at a company's perimeter, a different kind of product from the subscription VPN services on that list, so the comparison is not quite like-for-like.
But perhaps the better test of a provider is what happens when something does go wrong: whether the safeguards and redundancies already in place limit the harm a flaw can cause. Take the example of NordVPN's 2018 data breach: just one of the company's 3,000+ servers was affected, and NordVPN addressed it once it was discovered. According to the company, no user data was compromised, and its zero-logging policy meant there was little on the server to take in the first place.
If you're interested in a new VPN, or simply want one with enough safeguards to reduce the risk of your company's internal network crawling with hackers, check out our roundup of the most robust business VPNs here. Or, simply check out this table for a faster comparison of the facts to know about each:
[Comparison table. Columns: No. of Devices; No. of Servers; Zero Data Logging; Lowest price for single month subscription to cheapest paid tier (other plans are available); Click to find the latest offers, deals and discounts from the VPN provider. Only a few cells survived extraction, without the provider each belongs to: server counts of 3,000+ (94+ countries) and 1,300+ (55+ countries); prices of $8.45 per month per user, $7 per month per user, and $69 per month.]