Thousands of CyberPanel instances taken offline in massive ransomware attack

As soon as flaws were spotted, hackers moved in

· TechRadar

News By Sead Fadilpašić published 30 October 2024

(Image credit: Avast)

Cybercriminals have taken advantage of multiple vulnerabilities in CyberPanel to install ransomware and force tens of thousands of instances offline. Victims might be in luck though, since a decryption key appears to be available.

A cybersecurity researcher alias DreyAnd has announced finding three major vulnerabilities in CyberPanel 2.3.6, and possibly 2.3.7, which allowed for remote code execution, and arbitrary system commands execution.

They even published a proof-of-concept (PoC) to demonstrate how to take over a vulnerable server.

Decrypting the ransomware

CyberPanel is an open source web hosting control panel that simplifies the management of web servers and websites. It was built upon LiteSpeed, and allows users to manage websites, databases, domains, and emails. CyberPanel is especially popular for its integration with LiteSpeed’s OpenLiteSpeed server and LSCache, which enhance website speed and performance.

This prompted CyberPanel’s developers to issue a fix and post it on GitHub. Whoever downloads CyberPanel from GitHub, or upgrades an existing version, will get the fix. However, the tool did not get a new version, and the vulnerabilities were not assigned a CVE.

As reported by BleepingComputer, there were more than 21,000 internet-connected and vulnerable endpoints out there, roughly half of which were located in the US. Soon after the PoC was published, the number of visible instances dropped to mere hundreds. Some researchers confirmed that threat actors deployed the PSAUX ransomware variant, forcing the devices offline. Apparently, more than a hundred thousand domains and databases were managed through CyberPanel.

The PSAUX ransomware was named after a common Linux process, and targets Linux-based systems. It leverages advanced techniques to avoid detection and ensure persistence, making it particularly dangerous for businesses and organizations running critical applications on Linux servers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors