Cybercriminals have exploited multiple vulnerabilities in CyberPanel to install ransomware and force tens of thousands of copies offline. Victims may be in luck, however, as a decryption key appears to be available.
A cybersecurity researcher alias DreyAnd has announced that they have found three major vulnerabilities in CyberPanel 2.3.6 and possibly 2.3.7, which allowed remote code execution and execution of arbitrary system commands.
They even published a proof-of-concept (PoC) to demonstrate how to take over a vulnerable server.
Decrypting the ransomware
CyberPanel is an open source web hosting control panel that simplifies the management of web servers and websites. It is built on LiteSpeed and allows users to manage websites, databases, domains and emails. CyberPanel is especially popular for its integration with LiteSpeed’s OpenLiteSpeed server and LSCache, which improve website speed and performance.
This prompted CyberPanel’s developers to release a fix and post it on GitHub. Anyone who downloads CyberPanel from GitHub, or upgrades an existing version, will get the fix. However, the tool was not updated and the vulnerabilities were not assigned a CVE.
As reported by BleepingComputerthere were more than 21,000 internet-connected and vulnerable endpoints, about half of which were in the US. Shortly after the PoC was published, the number of visible copies dropped to only hundreds. Some researchers confirmed that threat actors deployed the PSAUX ransomware variant, forcing the devices offline. Apparently over a hundred thousand domains and databases were managed via CyberPanel.
The PSAUX ransomware is named after a commonly used Linux process and targets Linux-based systems. It uses advanced techniques to avoid detection and ensure persistence, making it particularly dangerous for companies and organizations running critical applications on Linux servers.
However, the publication later added that a security researcher, aka LeakIX, has released a decryptor that can undo the damage done by the attack. But if the attackers use a different encryption key, attempting to decrypt it could damage the data. Therefore, it is advised to make a backup before attempting the decryption.