A large-scale PSAUX ransomware attack is targeting 22,000 CyberPanel instances
30 Oct 2024
Over 22,000 CyberPanel instances exposed to a critical remote code execution (RCE) vulnerability have been mass-targeted by the PSAUX ransomware attack, causing most of them to go offline. Security researcher DreyAnd revealed that CyberPanel versions 2.3.6 and possibly 2.3.7 suffer from three significant security issues: defective authentication that leaves certain pages unprotected, command injection vulnerabilities due to improper input sanitization, and a security filter bypass that allows attackers to exploit unfiltered HTTP methods.
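The third flaw in that list, a security filter that only inspects some HTTP methods, is easy to picture in code. The following is an added illustration of that flaw class and its fix, not CyberPanel's code; the `/admin/` prefix, the `Request` shape and the metacharacter list are constructed assumptions.

```python
"""Illustrative model of a method-scoped security filter (not CyberPanel's code)."""
from dataclasses import dataclass, field
from typing import Optional

PROTECTED_PREFIX = "/admin/"      # constructed placeholder path, not a real CyberPanel route
FORBIDDEN_CHARS = set(";|&`$\n")  # shell metacharacters that must never reach a command
ALLOWED_METHODS = {"GET", "POST"} # the only methods the application actually handles


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None              # None means unauthenticated
    params: dict = field(default_factory=dict)


def _checks(req: Request) -> bool:
    """Shared checks: protected pages need a user; parameters must be clean."""
    if req.path.startswith(PROTECTED_PREFIX) and req.user is None:
        return False
    for value in req.params.values():
        if any(ch in FORBIDDEN_CHARS for ch in str(value)):
            return False
    return True


def method_scoped_filter(req: Request) -> bool:
    """Flawed pattern: checks run only for GET and POST.

    Any other method (OPTIONS, PUT, a custom verb, ...) is not inspected at
    all and is passed straight through to the handler, so both the
    authentication check and the input check are skipped.
    """
    if req.method not in ("GET", "POST"):
        return True  # falls through unchecked: this is the bypass
    return _checks(req)


def all_method_filter(req: Request) -> bool:
    """Hardened pattern: deny by default, then apply the checks to every request."""
    if req.method not in ALLOWED_METHODS:
        return False  # unexpected verbs are rejected, never silently allowed
    return _checks(req)


if __name__ == "__main__":
    probe = Request("OPTIONS", "/admin/x", None, {"q": "a;b"})  # constructed sample
    print("flawed filter allows:", method_scoped_filter(probe))  # True
    print("hardened filter allows:", all_method_filter(probe))   # False
```

The same shape applies to any middleware or decorator that is wired up per method: the check has to sit in front of every verb the server will route, with unknown verbs refused rather than ignored.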
After developing a proof-of-concept exploit demonstrating remote root access, DreyAnd disclosed the flaws to CyberPanel developers on October 23, 2024. Although a fix for the authentication issue was submitted on GitHub that evening, no new software version or CVE has been released yet. Attempts to reach CyberPanel for a response have been unsuccessful.
Meanwhile, the threat intelligence platform LeakIX reported that 21,761 vulnerable CyberPanel instances were exposed online, about half of them located in the United States. Overnight, the number of accessible instances dropped to around 400 as threat actors exploited the vulnerability to deploy the PSAUX ransomware. This ransomware, active since June 2024, encrypts files using AES and leaves ransom notes in affected directories.
Researchers obtained scripts used in the attack, including an exploit script and an encryption script. A potential weakness has been identified that may allow victims to decrypt their files without paying the ransom, and investigators are exploring this possibility. Due to the active exploitation of this vulnerability, users are strongly advised to upgrade to the latest version of CyberPanel available on GitHub as soon as possible.
Update as of October 29, 2024: LeakIX has released a decryptor that can potentially restore files encrypted during this campaign. However, there is a risk of data corruption if the wrong encryption keys were used by the attackers. Users should back up their data before attempting to use the decryptor to ensure data integrity.