Ransomware hits web hosting servers via vulnerable CyberPanel instances

A threat actor – or possibly several – has hit approximately 22,000 vulnerable instances of CyberPanel and encrypted files on the servers running it with the PSAUX and other ransomware.

The PSAUX ransom note (Source: LeakIX)

The CyberPanel vulnerabilities

CyberPanel is a widely used open-source control panel that’s used for managing servers used for hosting websites.

Two critical command injection vulnerabilities (CVE-2024-51378 and CVE-2024-51567) affecting CyberPanel versions 2.3.6 and (unpatched) 2.3.7 have been publicly documented earlier this week by the security researchers – refr4g and DreyAnd – who unearthed and reported them.

The posts were made public just a few days after the panel’s maintainers committed fixes for the two very similar flaws, which allow attackers to bypass authentication requirements and remotely execute arbitrary commands on the server.

The CyberPanel maintainers announced the release of the security patches, but they did not issue a newer version of the software nor assigned CVE numbers to the flaws at that time. The latest CyberPanel version is v2.3.7 and is, as noted earlier, vulnerable if the fixes haven’t been applied by using the upgrade function.

Unfortunately, multiple ransomware groups were quick to jump at the opportunity to exploit one or both vulnerabilities.

According to cybersecurity company LeakIX, on Monday there were nearly 22,000 vulnerable CyberPanel instances exposed online, and on Tuesday that number fell to around 400.

“Looks like someone took some liberty and wiped 20k CyberPanel instances as they all started responding 500s,” the company said.

PSAUX decryptor available

Users that have been hit by the threat actors are searching for answers on CyberPanel’s community forum.

LeakIX has created a decryptor for those who have been hit with the ransomware that appends the .psaux extension to the encrypted files.

“We don’t know if there are multiple groups competing or if they changed their script [to add the .encryp and .locked extensions instead of .psaux],” LeakIX CTO Gregory Boddin says.

The situation is evolving quickly, and we’ll update this article when we know more.