Threat actors started exploiting vulnerabilities discovered in CyberPanel within hours of their disclosure, leading to thousands of instances being hit by ransomware and cryptocurrency miners.
CyberPanel is a popular free web hosting control panel. A researcher who uses the online moniker DreyAnd recently discovered that the software is impacted by vulnerabilities that can be exploited for unauthenticated remote code execution.
DreyAnd reported his findings to CyberPanel developers, who created patches on October 23. A few days later, on October 27, the researcher disclosed the technical details of his findings, along with proof-of-concept (PoC) code.
LeakIX, a company that finds vulnerable systems online, started monitoring CyberPanel instances the next day and by October 29 it had already confirmed mass exploitation.
According to LeakIX, there were roughly 22,000 instances online on October 28, roughly half of which were located in the United States. By the next day, the number dropped to a few hundred, but not because the instances were patched but because they were hacked and were no longer reachable.
The 20,000 CyberPanel instances that were compromised reportedly cover roughly 200,000 websites.
An analysis showed that the vulnerable CyberPanel instances were targeted in Psaux ransomware attacks. The attackers encrypted files on the compromised servers and demanded a ransom in exchange for a decryptor.
The most recent update from LeakIX revealed that as many as three ransomware groups have targeted CyberPanel instances, each encrypting files, in some cases including files that were previously encrypted by other ransomware.
Advertisement. Scroll to continue reading.
A decryptor has been created for the Psaux ransomware and researchers are working on creating decryption tools for the others. In some cases a buggy encryption method used by Psaux “crashed everything”, according to LeakIX.
In addition, LeakIX reported seeing cryptocurrency miners being deployed on some of the compromised servers.
In response to criticism over his hasty disclosure, DreyAnd has admitted dropping the ball, arguing that he had no idea so many hosts would be impacted by the vulnerabilities. He also noted that CyberPanel developers allowed him to publicly disclose the findings.
CyberPanel developers have assigned the CVE identifiers CVE-2024-51567 and CVE-2024-51568. In a notice to customers, CyberPanel provided recommendations on patching and incident response, and also shared its side of the story.
“When the experts informed us about the issue, we immediately reviewed their findings and released a security patch within 30 minutes,” CyberPanel said. “They later advised us to announce this issue publicly, but we requested to hold off to allow users time to update for security reasons. Though we didn’t initially announce it, a routine update included the security patch.”
Ultimately this incident seems to be the result of poor communication between the security researcher and the vendor, with users having to pay the price.
Related: Critical TeamCity Vulnerability Exploitation Started Immediately After Disclosure
Related: Kaspersky, Pango Respond to User Backlash as Transition to UltraAV Nearly Complete