Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

October 29, 2024 at 03:17PM

Over 22,000 CyberPanel instances faced a critical vulnerability exploited in a PSAUX ransomware attack, taking most offline. Security flaws in versions 2.3.6 and possibly 2.3.7 were identified, including defective authentication and command injection. Users are urged to upgrade immediately to mitigate risks and access potential decryption aid.

### Meeting Takeaways:

1. **CyberPanel Vulnerability**:
– Over 22,000 CyberPanel instances were targeted in a ransomware attack due to critical remote code execution (RCE) vulnerabilities.
– Specific vulnerabilities identified in CyberPanel 2.3.6 include:
– **Defective Authentication**: Authentication checks are not centralized, exposing some pages to unauthorized access.
– **Command Injection**: Lack of input sanitization allows attackers to execute arbitrary commands.
– **Security Filter Bypass**: The security middleware only processes POST requests, leaving other methods vulnerable.

2. **Exploitation Details**:
– Researcher DreyAnd demonstrated remote command execution capabilities, potentially affecting version 2.3.7 as well.
– Issues were disclosed to CyberPanel developers on October 23, 2024. A fix was submitted on GitHub that same evening.

3. **PSAUX Ransomware Attack**:
– The number of vulnerable CyberPanel instances exposed was initially reported as over 21,000, with nearly half located in the U.S. This number drastically decreased to about 400 instances overnight.
– PSAUX ransomware exploits these vulnerabilities to encrypt files on affected servers and leaves ransom notes.

4. **Ransomware Operation**:
– PSAUX has been active since June 2024, targeting misconfigured web servers.
– A significant flaw in the ransomware’s encryption process (using a private RSA key instead of a public key) may allow for potential file recovery.

5. **Recommendations**:
– Affected users should immediately upgrade to the latest version of CyberPanel available on GitHub to mitigate risks.
– CyberPanel developers have yet to announce a new version or CVE related to this issue.

6. **Next Steps**:
– Await response from CyberPanel regarding future security announcements or updates.
– Encourage users to assist with the potential recovery of encrypted files by sharing decryption samples.

Full Article