Source: www.csoonline.com – Author:
News
30 Oct 2024, 3 min read
Tags: Ransomware, Security, Zero-day vulnerability
Almost all 22,000 vulnerable CyberPanel devices identified on LeakIX were encrypted by PSAUX within hours.
A critical authentication bypass vulnerability in the widely used web hosting control panel, CyberPanel, has allowed a massive PSAUX ransomware attack that took down 22,000 CyberPanel servers within hours.
With a CVE tracker (CVE-2024-51567) issued only on Wednesday, the attack constitutes a zero-day exploitation of the critical (10/10 base CVSS rating) vulnerability which, along with another critical command injection vulnerability (CVE-2024-51568), was reported to the company last week.
“Recently, two security experts contacted us about a code-level vulnerability in CyberPanel,” CyberPanel said in an October 29 security announcement. “They later advised us to announce this issue publicly, but we requested to hold off to allow users time to update for security reasons.”
CyberPanel also added that it reviewed the findings and released a security patch “within 30 minutes”, and has since been rolling the fix out through routine updates.
Zero-day allowing server takeover
In the security announcement, CyberPanel said it had already included patches in routine updates immediately after the flaws were brought to its notice. However, given that the patches were shipped quietly and without a public advisory, it is understandable that so many devices remained unpatched and exposed to N-day exploitation.
Cybersecurity researcher DreyAnd, credited with the discovery of the vulnerabilities, first went public on October 27, sharing proof of concept (PoC) exploits for the flaws. The demonstration included missing authentication, command injection, and security filter bypass to effect a complete server takeover through root-level remote code execution (RCE).
DreyAnd had remarked that CyberPanel was notified and had yet to roll out fixes and issue a public advisory for the code bugs. The post was later updated on October 30 to include that CVEs were now assigned to the vulnerabilities along with a security announcement from the maintainers.
While new CyberPanel installations from GitHub and upgrades of existing CyberPanel installations now receive the fix, a new stable version of the software is yet to be released. The affected versions are CyberPanel 2.3.6 and 2.3.7.
The ransomware takedown
In an X post on Tuesday, the security research search engine LeakIX said nearly 22,000 vulnerable CyberPanel instances were found online, with over 10,000 instances in the US alone. Hours later, LeakIX reported that almost all of the affected servers had been taken out in a ransomware attack using the PSAUX encryptor.
A ransomware note left on the hacked servers read, “You have been hacked by PSAUX. All your files have been encrypted. Payment must be made in cryptocurrency.”
The note further stated the ransom amounts and offered sample decryption on request.
In a follow-up post, LeakIX shared with victims a decryptor they prepared. “You have been blessed by PSAUX. All your files can be decrypted,” LeakIX wrote in the decryptor note, adding “Ransomware rushed by PSAUX” to mock PSAUX’s ransom note style.
Affected users are advised to read the instructions in the decryptor note and apply decryption accordingly. Another cybersecurity researcher, Gi7w0rm, posted that the 22,000 affected servers jointly manage 152,000 domains and databases.
Original Post url: https://www.csoonline.com/article/3595130/psaux-ransomware-takes-down-22000-cyberpanel-servers-in-massive-zero-day-attack.html
Category & Tags: Ransomware, Security, Zero-day vulnerability