Security News

FBI Issues Flash Alert on Actively Exploited FatPipe VPN Zero-Day Bug
2021-11-19 01:27

The U.S. Federal Bureau of Investigation has disclosed that an unidentified threat actor has been exploiting a previously unknown weakness in FatPipe MPVPN networking devices since at least May 2021 to obtain an initial foothold and maintain persistent access into vulnerable networks, making FatPipe the latest company to join the likes of Cisco, Fortinet, Citrix, and Pulse Secure in having its systems exploited in the wild. "The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a web shell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity," the agency said in an alert published this week.

FBI: FatPipe VPN Zero-Day Exploited by APT for 6 Months
2021-11-18 16:27

A threat actor has been exploiting a zero-day vulnerability in FatPipe's virtual private network devices since at least May as a way to breach companies and gain access to their internal networks, the FBI has warned. "As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021," the bureau said in a flash alert on Tuesday.

FBI warns of APT group exploiting FatPipe VPN zero-day since May
2021-11-18 13:46

The Federal Bureau of Investigation warned of an advanced persistent threat compromising FatPipe router clustering and load balancer products to breach targets' networks. "As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021," the FBI said in a flash alert issued this week.

Palo Alto Warns of Zero-Day Bug in Firewalls Using GlobalProtect Portal VPN
2021-11-14 21:16

A new zero-day vulnerability has been disclosed in Palo Alto Networks GlobalProtect VPN that could be abused by an unauthenticated network-based attacker to execute arbitrary code on affected devices with root user privileges. Successful exploitation requires the attacker to chain the flaw with a technique known as HTTP smuggling to achieve remote code execution on the VPN installations, and to have network access to the device on the GlobalProtect service default port 443.

The mobile VPNs of 2021 that you need to try
2021-11-12 17:56

If you do a lot of work out of the home on public, or even public but secured, Wi-Fi networks, you need a VPN for your phone or other mobile device that will anonymize your traffic and prevent your personally identifiable information from being handed over to an attacker on a silver platter. One thing to note here: I'm not including any free VPNs in this list of five, each of which is a premium product.

VPN Exposes Data for 1M Users, Leading to Researcher Questioning
2021-10-20 17:53

Free virtual private network service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information of more than a million users in just the latest high-profile VPN security failure. Researchers at WizCase discovered Quickfox misconfigured the VPN service's Elasticsearch, Logstash and Kibana stack security.

Zerodium wants zero-day exploits for Windows VPN clients
2021-10-19 22:40

In a short tweet today, exploit broker Zerodium said that it is looking to acquire zero-day exploits for vulnerabilities in three popular virtual private network service providers on the market. Zerodium's current interest is in vulnerabilities affecting Windows clients for NordVPN, ExpressVPN, and SurfShark VPN services.

China's VPN market now open to foreign investment
2021-10-19 14:00

The central government of China in Beijing has announced a decision to allow foreign entities to invest in the ownership of VPN services in the country. This allows China to retain state control over local and approved products while still offering a significant incentive for investment.

Hardening Your VPN
2021-09-30 16:51

The NSA and CISA have released a document on how to harden your VPN.

Keep Attackers Out of VPNs: Feds Offer Guidance
2021-09-29 23:10

Unsecured VPNs can be a hot mess: Just ask Colonial Pipeline or the 87,000 Fortinet customers whose credentials for unpatched SSL-VPNs were posted online earlier this month. As the advisory from the NSA and CISA explained, exploiting CVEs associated with VPNs can enable a malicious actor "to steal credentials, remotely execute code, weaken encrypted traffic's cryptography, hijack encrypted traffic sessions, and read sensitive data from the device."