Attack

Massive ransomware attack targets 22K CyberPanel instances

Take action: If you are using CyberPanel and have not yet been compromised, consider yourself very lucky. Cut off public access to the CyberPanel interface, upgrade to the patched release, and inform your users. If you have been hit, preserve a copy of the affected system before touching anything, then try the decryptor on copies of the encrypted files, or rebuild from scratch.


Learn More

A massive PSAUX ransomware attack has targeted over 22,000 exposed CyberPanel instances, exploiting a critical remote code execution (RCE) vulnerability.

CyberPanel is an open-source web hosting control panel that runs on the LiteSpeed web server, designed to simplify the management of websites, domains, and servers, offering features like one-click installations, automated backups, and integrated security measures.

Initially, 21,761 vulnerable instances were exposed online, with nearly half (10,170) located in the United States. This number later dropped to approximately 400, indicating that most servers had been taken offline, patched, or were no longer reachable. Threat actors installed PSAUX ransomware on compromised CyberPanel servers. The ransomware encrypts files with a per-victim AES key and IV; these are in turn encrypted with the attacker's RSA key and written to /var/key.enc and /var/iv.enc. The presence of those two files is a reliable indicator that the encryption stage has run on a host.

The attack leveraged multiple security issues in CyberPanel, specifically affecting versions 2.3.6 and likely 2.3.7.

CyberPanel version 2.3.6 was found to have three distinct security vulnerabilities:

  • Defective Authentication: The authentication checks were applied separately to each page rather than centrally, leaving specific routes (e.g., ‘upgrademysqlstatus’) with no check at all.
  • Command Injection: The unprotected pages passed user-supplied values into shell commands without sanitization, so an attacker could inject arbitrary commands, which ran with the panel's root privileges.
  • Security Filter Bypass: The middleware only filtered POST requests, so the same routes could be reached unauthenticated with other HTTP methods, such as OPTIONS or PUT.
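The three issue classes above compose into one bug: a method-gated middleware, a view that assumes the middleware already authenticated the caller, and a shell string built from a request parameter. The following is an added illustration written for this page, not CyberPanel's source; the request model, route names, `userID` session key, `STATUS_DIR` and `PUBLIC_ROUTES` are assumptions. The vulnerable half returns the shell string it would have run instead of executing it; the hardened half shows the central deny-by-default check, method restriction, input validation, and an argv list that never touches a shell.

```python
import re
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class Request:
    """Minimal stand-in for a web framework request (assumed shape)."""
    method: str
    path: str
    data: dict = field(default_factory=dict)      # request body parameters
    session: dict = field(default_factory=dict)   # server-side session


def logged_in(req: Request) -> bool:
    return bool(req.session.get("userID"))        # session key is an assumption


# ---- Vulnerable pattern: the three issue classes described above ------------

def vulnerable_middleware(req: Request):
    """Security filter bypass: only POST is gated, so an OPTIONS or PUT
    request reaches the view with no session at all."""
    if req.method == "POST" and not logged_in(req):
        return 403
    return None


def vulnerable_upgrademysqlstatus(req: Request):
    """Defective authentication: the view trusts the middleware and never
    re-checks the session. Command injection: the parameter is glued into a
    shell string, so ';', '|' and '$(...)' are honoured by the shell.
    The command string is returned here rather than executed."""
    statusfile = req.data.get("statusfile", "")
    command = "cat " + statusfile
    return 200, command


# ---- Hardened pattern --------------------------------------------------------

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")          # one path component, no '/'
STATUS_DIR = PurePosixPath("/var/log/mysqlupgrade")   # assumed location
PUBLIC_ROUTES = {"/login", "/verifyLogin"}             # assumed unauthenticated routes


def hardened_middleware(req: Request):
    """Central, deny-by-default check applied to every HTTP method."""
    if req.path not in PUBLIC_ROUTES and not logged_in(req):
        return 403
    return None


def hardened_upgrademysqlstatus(req: Request):
    """Accept POST only, validate the parameter as a bare filename, and build
    an argv list so no shell ever parses attacker-controlled text."""
    if req.method != "POST":
        return 405, None
    statusfile = req.data.get("statusfile", "")
    if statusfile in (".", "..") or not SAFE_NAME.match(statusfile):
        return 400, None
    # Would be executed as subprocess.run(argv) with the default shell=False.
    argv = ["cat", str(STATUS_DIR / statusfile)]
    return 200, argv


def dispatch(req: Request, middleware, view):
    """Run the middleware first, then the view, the way a framework would."""
    verdict = middleware(req)
    if verdict is not None:
        return verdict, None
    return view(req)


if __name__ == "__main__":
    # Constructed request: no session, non-POST method, metacharacters in the parameter.
    probe = Request("OPTIONS", "/upgrademysqlstatus", {"statusfile": "status.log; id"})
    print(dispatch(probe, vulnerable_middleware, vulnerable_upgrademysqlstatus))
    print(dispatch(probe, hardened_middleware, hardened_upgrademysqlstatus))
```

Note that the hardened view still rejects bad input even for an authenticated POST: the central middleware fixes the bypass, but the injection is a separate defect and needs its own fix.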

Vulnerability details

  • CVE-2024-51567 (CVSS score 10) - This vulnerability is in the upgrademysqlstatus function within databases/views.py: shell metacharacters in the statusfile parameter let an unauthenticated attacker bypass the authentication middleware (for example with an OPTIONS request) and execute commands remotely.

  • CVE-2024-51568 (CVSS score 10) - Located in the ProcessUtilities.outputExecutioner() function as used by the file manager's upload handling in filemanager/views.py; shell metacharacters in the completePath parameter give unauthenticated remote code execution.

  • CVE-2024-51378 (CVSS score 10) - This flaw affects the getresetstatus function in dns/views.py and ftp/views.py, allowing attackers to bypass authentication and execute arbitrary commands on the server.
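For triage on a server that was exposed, two cheap checks follow from the details above: which requests reached the vulnerable routes with a method other than POST (the only method the old middleware filtered), and whether the PSAUX key-material files exist. The following is an added example written for this page, not code from the page's author or from CyberPanel. The log lines are constructed in a combined-log style; the real web server's format and the URL prefixes in front of the route names are assumptions, and the matcher keys only on the route names the advisory gives.

```python
import re
from pathlib import Path

# Route names the advisory identifies as reachable without authentication.
VULN_ROUTES = ("upgrademysqlstatus", "getresetstatus")

# Combined-log style access log line (format assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines; the URL prefixes are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Oct/2024:03:12:45 +0000] "OPTIONS /dataBases/upgrademysqlstatus HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Oct/2024:03:12:46 +0000] "PUT /dns/getresetstatus HTTP/1.1" 200 88',
    '198.51.100.4 - - [27/Oct/2024:03:15:01 +0000] "POST /dataBases/upgrademysqlstatus HTTP/1.1" 200 512',
    '198.51.100.4 - - [27/Oct/2024:03:15:02 +0000] "GET /static/app.js HTTP/1.1" 200 1024',
]


def flag_requests(lines):
    """Return (ip, method, path, status) for every request to a vulnerable
    route that did not use POST. POST was the only method the old middleware
    checked, so a non-POST request to one of these routes is the bypass the
    advisory describes and deserves a look regardless of response status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if any(route in path for route in VULN_ROUTES) and m["method"] != "POST":
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


PSAUX_KEY_FILES = ("var/key.enc", "var/iv.enc")   # relative to the filesystem root


def psaux_artifacts_present(root="/"):
    """Return the PSAUX key-material files that exist under root. Their
    presence means the encryption stage ran; their absence proves nothing,
    since the same RCE can deliver any other payload."""
    root = Path(root)
    return [str(root / rel) for rel in PSAUX_KEY_FILES if (root / rel).exists()]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious:", hit)
    print("PSAUX artifacts:", psaux_artifacts_present("/") or "none")
```

Point `flag_requests` at the real access log (one line per element) and `psaux_artifacts_present` at a mounted image of the suspect disk rather than the live root, so the check does not depend on a possibly tampered host.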

Security researcher DreyAnd demonstrated the exploit, achieving root-level remote command execution on CyberPanel version 2.3.6. The flaws were disclosed to the CyberPanel developers on October 23, 2024, and a partial fix for the authentication issue was pushed to GitHub later that evening. At that point no new CyberPanel release had been tagged and no CVEs had been assigned; the three identifiers listed above were issued afterward.

Users are urged to upgrade to the latest patched version available on GitHub to prevent further exploitation, and to confirm the installed version afterwards rather than assuming the upgrade completed. Because the fix landed as a commit before any release, an instance reporting an old version string may or may not carry it; when in doubt, keep the panel off the public internet until that is settled.

A decryptor has been released by LeakX that may allow decryption of files encrypted in this ransomware campaign. Users are advised to back up the encrypted data, including /var/key.enc and /var/iv.enc, and to test the decryptor on copies before running it against originals, as an incorrect key will corrupt the data it touches.