Thousands of CyberPanel instances taken offline in massive ransomware attack

As soon as flaws were spotted, hackers moved in

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybercriminals have taken advantage of multiple vulnerabilities in CyberPanel to installransomwareand force tens of thousands of instances offline. Victims might be in luck though, since a decryption key appears to be available.

A cybersecurity researcher alias DreyAnd has announced finding three major vulnerabilities in CyberPanel 2.3.6, and possibly 2.3.7, which allowed for remote code execution, and arbitrary system commands execution.

They even published a proof-of-concept (PoC) to demonstrate how to take over a vulnerable server.

Decrypting the ransomware

CyberPanel is an open sourceweb hostingcontrol panel that simplifies the management of web servers and websites. It was built upon LiteSpeed, and allows users to manage websites, databases, domains, and emails. CyberPanel is especially popular for its integration with LiteSpeed’s OpenLiteSpeed server and LSCache, which enhance website speed and performance.

This prompted CyberPanel’s developers to issue a fix and post it on GitHub. Whoever downloads CyberPanel from GitHub, or upgrades an existing version, will get the fix. However, the tool did not get a new version, and the vulnerabilities were not assigned a CVE.

As reported byBleepingComputer, there were more than 21,000 internet-connected and vulnerable endpoints out there, roughly half of which were located in the US. Soon after the PoC was published, the number of visible instances dropped to mere hundreds. Some researchers confirmed that threat actors deployed the PSAUX ransomware variant, forcing the devices offline. Apparently, more than a hundred thousand domains and databases were managed through CyberPanel.

The PSAUX ransomware was named after a common Linux process, and targets Linux-based systems. It leverages advanced techniques to avoid detection and ensure persistence, making it particularly dangerous for businesses and organizations running critical applications on Linux servers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

However, the publication later added that a security researcher alias LeakIX released a decryptor that can reverse the damage done by the attack. Still, if the attackers used a different encryption key, trying to decrypt it could corrupt the data, so creating a backup before trying the decryption is advised.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

Cybersecurity is business survival and CISOs need to act now