Hackers exploited an RCE flaw to target over 22,000 CyberPanel servers with PSAUX ransomware. Nearly all CyberPanel instances went offline as a result.
Researchers said that in fact there are three vulnerabilities in CyberPanel versions 2.3.6 and 2.3.7 that allowed hackers to gain unauthorized root access, deploy PSAUX ransomware, and encrypt server files.
CyberPanel released a partial patch on GitHub and users are urged to apply it. A full update will soon follow.
When the experts informed us about the issue, we immediately reviewed their findings and released a security patch within 30 minutes. If the experts are reading this, they know how swiftly we acted. They later advised us to announce this issue publicly, but we requested to hold off to allow users time to update for security reasons.
Source – CyberPanel advisory
How are CyberPanel instances vulnerable?
Bleepingcomputer.com reports that security researcher DreyAnd found three different security issues in CyberPanel 2.3.6 and 2.3.7. DreyAnd’s proof of concept showed how the three CyberPanel flaws, chained together, allow remote command execution with root privileges.
Insecure authentication
CyberPanel doesn’t use a central authentication system. Instead, it checks for user authentication on each page separately. This leaves certain pages or routes vulnerable to unauthorized access. This is the case for ‘upgrademysqlstatus’.
Command injection
The data that users submit to unprotected pages is not properly validated or sanitized. Thus, attackers can inject and execute arbitrary system commands.
Security filter bypass
The security middleware only filters POST requests. So, the attackers bypassed it using other HTTP methods, like OPTIONS or PUT.
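The three flaws above can be modelled in a few lines. The following is an added example, not CyberPanel's code: a framework-free sketch that puts a filter inspecting only POST beside a default-deny filter applied to every HTTP method. The `Request` class, the route path shape, the `value` field and the `PUBLIC_ROUTES` allow-list are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Characters that carry meaning for a shell (illustrative deny-list).
SHELL_META = re.compile(r"[;&|`$()<>\n]")
# Assumption: the only routes reachable without a session are listed explicitly.
PUBLIC_ROUTES = {"/login"}

@dataclass
class Request:  # hypothetical stand-in for a web framework's request object
    method: str
    path: str
    body: dict = field(default_factory=dict)
    authenticated: bool = False

def has_shell_meta(body):
    return any(SHELL_META.search(str(v)) for v in body.values())

def weak_filter(req):
    """Models the flaw: input is inspected only when the method is POST,
    and authentication is left to each individual page."""
    if req.method == "POST" and has_shell_meta(req.body):
        return 400
    return 200  # any other method reaches the page unchecked

def hardened_filter(req):
    """Central, default-deny authentication plus input checks on every method."""
    if req.path not in PUBLIC_ROUTES and not req.authenticated:
        return 401
    if has_shell_meta(req.body):
        return 400
    return 200

def compare(req):
    """Return (weak result, hardened result) for one request."""
    return weak_filter(req), hardened_filter(req)

# Constructed sample requests; the path shape and field name are made up.
SAMPLES = [
    Request("POST", "/upgrademysqlstatus", {"value": "a; echo constructed"}),
    Request("PUT", "/upgrademysqlstatus", {"value": "a; echo constructed"}),
    Request("PUT", "/upgrademysqlstatus", {"value": "a; echo constructed"}, True),
    Request("PUT", "/upgrademysqlstatus", {"value": "plain"}, True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.method, r.authenticated, compare(r))
```

Input filtering of this kind is defence in depth only; the page handling the request should also pass arguments to subprocesses as a list rather than through a shell.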
More about the PSAUX Ransomware Attacks
Hackers used this set of vulnerabilities to install PSAUX ransomware on CyberPanel instances. The ransomware encrypts server files with unique AES keys. The PSAUX ransomware was first reported in June 2024 and targets misconfigured, unpatched web servers.
LeakIX threat intelligence platform told Bleepingcomputer that
21,761 vulnerable CyberPanel instances were exposed online, and nearly half (10,170) were in the United States.
Source – Bleepingcomputer.com
After the PSAUX ransomware attacks, only 400 of the servers remained online.
Protection measures against PSAUX ransomware
The first thing that CyberPanel users should do now is update to the latest version on GitHub. CyberPanel will soon release a complete patch.
But there’s more to protecting your web servers against PSAUX ransomware. All software has flaws, which is why it is critical that SysAdmins constantly check for updates and apply patches. PSAUX ransomware is known for targeting poorly patched servers.
Using an automated patch management solution to keep all software and all your devices up to date is the best way to stay on top of this task. Automated patch management tools, like Heimdal’s Patch & Asset Management, speed up the patching process and eliminate the risk of human error.