Thousands of CyberPanel instances taken offline in massive ransomware attack

ransomware avast
(Image credit: Avast)

Cybercriminals have taken advantage of multiple vulnerabilities in CyberPanel to install ransomware and force tens of thousands of instances offline. Victims might be in luck though, since a decryption key appears to be available.

A cybersecurity researcher alias DreyAnd has announced finding three major vulnerabilities in CyberPanel 2.3.6, and possibly 2.3.7, which allowed for remote code execution, and arbitrary system commands execution.

They even published a proof-of-concept (PoC) to demonstrate how to take over a vulnerable server.

Decrypting the ransomware

CyberPanel is an open source web hosting control panel that simplifies the management of web servers and websites. It was built upon LiteSpeed, and allows users to manage websites, databases, domains, and emails. CyberPanel is especially popular for its integration with LiteSpeed’s OpenLiteSpeed server and LSCache, which enhance website speed and performance.

This prompted CyberPanel’s developers to issue a fix and post it on GitHub. Whoever downloads CyberPanel from GitHub, or upgrades an existing version, will get the fix. However, the tool did not get a new version, and the vulnerabilities were not assigned a CVE.

As reported by BleepingComputer, there were more than 21,000 internet-connected and vulnerable endpoints out there, roughly half of which were located in the US. Soon after the PoC was published, the number of visible instances dropped to mere hundreds. Some researchers confirmed that threat actors deployed the PSAUX ransomware variant, forcing the devices offline. Apparently, more than a hundred thousand domains and databases were managed through CyberPanel.

The PSAUX ransomware was named after a common Linux process, and targets Linux-based systems. It leverages advanced techniques to avoid detection and ensure persistence, making it particularly dangerous for businesses and organizations running critical applications on Linux servers.

However, the publication later added that a security researcher alias LeakIX released a decryptor that can reverse the damage done by the attack. Still, if the attackers used a different encryption key, trying to decrypt it could corrupt the data, so creating a backup before trying the decryption is advised.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.