A significant ransomware attack has recently exploited vulnerabilities in CyberPanel, affecting over 22,000 instances globally. PSAUX ransomware leveraged a critical security flaw, leaving these web hosting control panels compromised and effectively taken offline. Here’s an overview of the vulnerabilities exploited, the ransomware’s impact, and steps for mitigation.
Background on the CyberPanel Vulnerability
CyberPanel, an open-source control panel solution, was found to have multiple vulnerabilities in version 2.3.6, and possibly 2.3.7, which enabled attackers to remotely execute malicious code without authentication. A security researcher, who initially identified these flaws, demonstrated a proof-of-concept exploit that granted root-level remote command execution on affected servers.
The key security issues in CyberPanel included:
- Defective Authentication: CyberPanel’s authentication process was fragmented across different pages, failing to use a centralized authentication system. This left several pages, such as upgrademysqlstatus, exposed to unauthorized access.
- Command Injection: Improper sanitization of user inputs allowed attackers to inject and execute arbitrary system commands.
- Security Filter Bypass: The system’s security middleware only filtered POST requests, so requests sent with other HTTP methods such as OPTIONS or PUT bypassed the filter, allowing unauthorized command execution.
Upon notification of these security gaps, CyberPanel’s developers quickly responded. Within half an hour, a fix was released in version 2.3.8 to address the vulnerabilities.
PSAUX Ransomware Attack
Once the vulnerabilities were disclosed, threat actors rapidly exploited them to deploy PSAUX ransomware across exposed CyberPanel instances. PSAUX, which has been active since June 2024, is known for specifically targeting exposed web servers through vulnerabilities and configuration weaknesses. In this attack, PSAUX used the newly discovered CyberPanel flaws to gain access to servers and encrypt files.
Upon infiltration, PSAUX ransomware executed scripts that utilized an AES key and Initialization Vector (IV) to encrypt files on the compromised server. The ransomware also left ransom notes titled index.html in each folder and placed the note in /etc/motd to display whenever users logged in. The AES key and IV were encrypted with an RSA key and stored as /var/key.enc and /var/iv.enc to prevent unauthorized decryption.
A ransom of 200 dollars was demanded in cryptocurrency, yet no wallet was specified.
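The on-disk artifacts described above can be swept for on a host or a mounted disk image. The following is an added example, not code from the original article, LeakIX or CyberPanel; the function names, the `min_copies` threshold and the heuristic that a note dropped into every folder is byte-identical are assumptions.

```python
import hashlib
import os
from collections import defaultdict

# Artifact paths named in the article, relative to the filesystem root.
KEY_ARTIFACTS = ("var/key.enc", "var/iv.enc")
MOTD = "etc/motd"
NOTE_NAME = "index.html"


def file_sha256(path):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root="/", min_copies=3):
    """Collect PSAUX-style artifacts under root without modifying anything."""
    findings = {"key_artifacts": [], "motd_mtime": None, "note_clusters": {}}
    for rel in KEY_ARTIFACTS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            findings["key_artifacts"].append(path)

    motd = os.path.join(root, MOTD)
    if os.path.isfile(motd):
        # Reported for manual review; a changed motd alone is only a lead.
        findings["motd_mtime"] = os.path.getmtime(motd)

    # Assumption: the same note is written to each folder, so many
    # index.html files sharing one hash form a cluster worth reviewing.
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME in files:
            path = os.path.join(dirpath, NOTE_NAME)
            try:
                by_hash[file_sha256(path)].append(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
    findings["note_clusters"] = {
        h: sorted(p) for h, p in by_hash.items() if len(p) >= min_copies
    }
    findings["suspect"] = bool(
        findings["key_artifacts"] or findings["note_clusters"])
    return findings
```

Passing the mount point of a read-only copy of the disk as `root` keeps the sweep from touching the evidence, and legitimate sites that deploy one shared index.html will also cluster, so each cluster needs a manual look.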
Mitigation and Decryption
Following the attack, LeakIX discovered the scripts used by attackers to exploit the vulnerability and execute the ransomware. This included a script named ak47.py for the initial exploit and actually.sh for file encryption. While the PSAUX ransomware typically locks down files securely, researchers have identified a potential vulnerability that may allow for decryption without paying the ransom.
LeakIX has now released a decryptor tool that could assist affected users in restoring their files. However, caution is advised when using the decryptor, as using incorrect encryption keys could lead to data corruption. It’s recommended that users create backups of their encrypted data before attempting decryption.
Recommendations for CyberPanel Users
Due to the active exploitation of these vulnerabilities, all users are strongly encouraged to upgrade CyberPanel to the latest version (2.3.8 or above). This version includes fixes for the critical security gaps exploited in the PSAUX ransomware attack, reducing the risk of future compromises.
In addition, security practices such as regular patching, comprehensive input validation, and continuous monitoring are vital in safeguarding against similar attacks. As ransomware threats continue to evolve, proactive steps toward securing server infrastructure are critical to minimizing exposure to future threats.
PSAUX Ransomware Sample Signatures
Family: Trojan-Ransom.Shell.Agent.n
MD5: 63532e918fb7beb9dc092cd14d9fa922
SHA256: 4662bb85571c70230ce5d69c594a40a30cb3f1e2664234fe7a8fd9a406ac94ab