Summary:
A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass. CyberPanel's authentication is checked separately on each page rather than through a centralized system, leaving certain pages, such as upgrademysqlstatus, unprotected. Additionally, unprotected pages do not sanitize user inputs, allowing attackers to inject and execute arbitrary system commands.

On October 28, LeakIX reported 21,761 vulnerable CyberPanel instances online, with around 10,170 located in the United States. The next day, the number of exposed instances suddenly dropped to about 400, as threat actors exploited the vulnerability to launch the PSAUX ransomware attack. PSAUX ransomware, active since June 2024, often targets web servers through vulnerabilities or misconfigurations. The ransomware encrypted files by generating unique AES keys and initialization vectors (IVs) for each server, storing keys in encrypted form, and leaving ransom notes.

Security Officer Comments:
LeakIX and cybersecurity researcher Chocapikk obtained two scripts used in the attack: ak47[.]py for exploiting CyberPanel and actually[.]sh for encrypting files. They are investigating a potential weakness in the ransomware's encryption, which may allow decryption without paying the ransom. On October 29, LeakIX released a decryptor for files encrypted in this attack, advising users to back up data before using it to avoid corruption from incorrect keys.

Suggested Corrections:
Due to the active exploitation of the CyberPanel flaw, users are strongly advised to upgrade to the latest version on GitHub as soon as possible.

Decryptor:
https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882#file-0-decrypt-sh

LeakIX has released a decryptor that can be used to decrypt files encrypted in this campaign. It should be noted that if the threat actor utilized different encryption keys, then decrypting with the wrong one could corrupt your data. Therefore, be sure to make a backup of your data before attempting to use this decryptor to first test that it works.

Link(s):
https://www.bleepingcomputer.com/ne...e-attack-targets-22-000-cyberpanel-instances/