Thousands of CyberPanel instances taken offline in massive ransomware attack

Cybercriminals have taken advantage of the multiple vulnerabilities in CyberPanel to install themselves ransomware and force tens of thousands of instances offline. Victims might be in luck though, as a decryption key appears to be available.

A cybersecurity researcher alias DreyAnd announced that he found three major vulnerabilities in CyberPanel 2.3.6 and possibly 2.3.7 that allowed remote code execution and arbitrary execution of system commands.

They even published a proof of concept (PoC) to demonstrate how to take over a vulnerable server.

Decrypting ransomware

CyberPanel is open source web hosting control panel that simplifies the management of web servers and websites. It was built on LiteSpeed and allows users to manage websites, databases, domains and emails. CyberPanel is particularly popular for its integration with LiteSpeed’s OpenLiteSpeed server and LSCache, which improve site speed and performance.

This prompted the CyberPanel developers to issue a fix and post it on GitHub. Anyone who downloads CyberPanel from GitHub or upgrades to an existing version will receive the fix. However, the tool did not receive a new version and the vulnerabilities were not assigned a CVE.

As reported BleepingComputerthere were more than 21,000 vulnerable endpoints connected to the Internet, about half of which were in the US. Shortly after the PoC was published, the number of visible instances dropped to just hundreds. Some researchers have confirmed that threat actors deployed the PSAUX ransomware variant, forcing devices to go offline. Apparently, over a hundred thousand domains and databases have been managed through CyberPanel.

The PSAUX ransomware was named after a common Linux process and targets Linux-based systems. It uses advanced techniques to avoid detection and ensure persistence, making it particularly dangerous for companies and organizations running critical applications on Linux servers.

However, the publication later added that a security researcher alias LeakIX has released a decryptor that can reverse the damage caused by the attack. However, if the attackers used a different encryption key, trying to decrypt it could corrupt the data, so it is recommended to create a backup before attempting decryption.

More from TechRadar Pro