PSAUX Ransomware Exploits RCE Flaws in CyberPanel
A recent surge of PSAUX ransomware attacks has exploited vulnerabilities in CyberPanel, affecting over 22,000 instances worldwide. Security researcher DreyAnd identified that versions 2.3.6 and possibly 2.3.7 are at risk due to several critical flaws. These include improper authentication, allowing unauthorized access to certain pages; command injection vulnerabilities, enabling attackers to execute arbitrary commands; and weak security filters that attackers can bypass using specific HTTP methods. Together, these issues open the door to remote code execution (RCE) at the root level, effectively handing over full control of the server to attackers. In response, CyberPanel quickly released version 2.3.8, addressing these vulnerabilities. Users are strongly advised to upgrade to this latest version immediately to secure their systems and prevent further exploitation, as threat actors continue to target unpatched servers aggressively.
North Korean Andariel Group Exploits RDP to Deploy Play Ransomware
The North Korean hacking group Andariel has been linked to a recent Play ransomware attack, leveraging Ransomware-as-a-Service (RaaS) to evade international sanctions. Reports from security researchers at Palo Alto Networks suggest that Andariel may function as either an affiliate or an initial access broker, providing compromised network access to deploy Play ransomware. The group initially gained access to its target’s network in May 2024 through a compromised user account, utilizing Remote Desktop Protocol (RDP) to establish control. Over several months, they reinforced their network presence by deploying tools like Mimikatz for credential theft, the Sliver framework for command and control, and their signature malware, DTrack. In September, they executed the Play ransomware encryptor, encrypting numerous devices. This pattern aligns with the RaaS model, allowing affiliates to profit through ransom payments while evading sanctions. This tactic reflects a broader trend among state-backed groups seeking funding through ransomware operations.
LottieFiles Supply Chain Attack Targets Cryptocurrency
LottieFiles responded swiftly to a supply chain attack that compromised its Lottie-Player script, embedding a crypto drainer designed to steal users’ cryptocurrency through fraudulent wallet prompts. The attack affected versions 2.0.5 to 2.0.7, with the script prompting website visitors to connect their crypto wallets, leading to asset theft. LottieFiles’ incident response included releasing a secure version, 2.0.8, which reverted to the clean 2.0.4, and advising users to update immediately. For those unable to upgrade, staying on version 2.0.4 was recommended as a preventive measure. This incident highlights the increasing vulnerability of SaaS tools in supply chain attacks, with LottieFiles actively working with external experts to further investigate and secure their platform. Developers impacted by the breach were urged to notify end users to avoid fraudulent wallet connections, underscoring the growing risks crypto drainers pose to the cryptocurrency community.
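A small audit script for the LottieFiles advice above, added here as an example and not code from LottieFiles or the original post: it scans HTML for script tags that load lottie-player and classifies each by pinned version, flagging 2.0.5 through 2.0.7 as compromised, 2.0.4 and 2.0.8 or later as clean, and unpinned or `@latest` references as needing direct inspection of the served file. The sample HTML and the `cdn.example.com` host are constructed for the example.

```python
import re
from typing import List, Tuple

# Versions the report names as carrying the crypto drainer.
COMPROMISED = {(2, 0, 5), (2, 0, 6), (2, 0, 7)}
# Versions the report names as clean: 2.0.4 (pre-incident) and 2.0.8 (the reissue).
# Assumption: releases after 2.0.8 are treated as clean as well.
CLEAN_FALLBACK = (2, 0, 4)
CLEAN_MIN = (2, 0, 8)

# <script ... src="..."> tags whose URL mentions the lottie-player package.
SCRIPT_RE = re.compile(r'<script[^>]+src=["\']([^"\']*lottie-player[^"\']*)["\']', re.I)
# Pinned package version, e.g. .../@lottiefiles/lottie-player@2.0.7/dist/...
VERSION_RE = re.compile(r'lottie-player@(\d+)\.(\d+)\.(\d+)')


def classify(src: str) -> str:
    """Classify one script URL by the lottie-player version it pins."""
    m = VERSION_RE.search(src)
    if m is None:
        # No pin, "@latest", or a self-hosted copy: the URL alone cannot tell
        # which build is served, so the file itself has to be inspected.
        return "unversioned"
    version = tuple(int(part) for part in m.groups())
    if version in COMPROMISED:
        return "compromised"
    if version == CLEAN_FALLBACK or version >= CLEAN_MIN:
        return "clean"
    # Versions before 2.0.4 were not part of the incident but are outdated.
    return "older"


def audit_html(html: str) -> List[Tuple[str, str]]:
    """Return (script URL, classification) for every lottie-player script tag."""
    return [(src, classify(src)) for src in SCRIPT_RE.findall(html)]


# Constructed sample page: one compromised pin, one clean pin, one unpinned load,
# and an unrelated script that must be ignored.
SAMPLE_HTML = """
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.7/dist/lottie-player.js"></script>
<script src="https://cdn.example.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="/static/js/app.js"></script>
"""

if __name__ == "__main__":
    for src, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:12} {src}")
```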
qBittorrent Vulnerability Exposed Users to Man-in-the-Middle Attacks for 14 Years
A newly patched flaw in qBittorrent has addressed a vulnerability that left users open to man-in-the-middle (MitM) attacks for over 14 years. This issue arose from the DownloadManager component’s failure to validate SSL/TLS certificates, allowing any server—including malicious ones—to present illegitimate certificates. Attackers positioned in a MitM scenario could intercept and manipulate qBittorrent’s network traffic, modifying or injecting harmful data undetected. Exploiting this, an attacker could prompt users to install compromised software or modify update feeds to deliver malicious payloads. Additionally, the vulnerability allowed for the insertion of malicious links within RSS feeds and the downloading of altered GeoIP databases, which could potentially trigger memory overflow exploits. Although often underestimated, MitM attacks are particularly concerning in regions with heavy surveillance. Version 5.0.1 of qBittorrent, released recently, includes a fix that finally validates SSL certificates, making it essential for users to update.
Hackers Exploit Critical Zero-Day Vulnerabilities in PTZ Cameras
Two zero-day vulnerabilities in PTZOptics pan-tilt-zoom (PTZ) cameras have made them prime targets for hackers, enabling exploitation in sensitive environments like industrial facilities, healthcare, government offices, and courtrooms. Discovered by GreyNoise in April 2024, the vulnerabilities, CVE-2024-8956 and CVE-2024-8957, allow attackers to bypass weak authentication and execute command injections. The first zero-day flaw permits unauthorized access to the camera’s CGI API, revealing usernames, MD5 password hashes, and network configurations. The second zero-day vulnerability allows attackers to inject malicious commands through unsanitized inputs, leading to potential full control of the camera. Exploits could result in camera takeover, bot infections, network pivoting, or disruption of video feeds. While PTZOptics released some security patches, certain models, including PT20X-NDI-G2, remain unpatched due to end-of-life status. GreyNoise continues to caution that these zero-day vulnerabilities might affect a broader range of devices, urging users to verify firmware updates with their vendors.
HACLA Targeted Again: Cactus Ransomware Breach Follows Previous LockBit Attack
The Housing Authority of the City of Los Angeles (HACLA) recently confirmed a cyberattack by the Cactus ransomware gang, marking another breach after a previous incident involving LockBit ransomware. HACLA, which provides essential housing assistance to low-income individuals in Los Angeles, stated that it engaged external forensic IT experts upon learning of the attack. The Cactus ransomware group claims to have stolen 891 GB of sensitive data, including personally identifiable information, database backups, financial documents, and corporate correspondence, some of which has already been posted on their leak site as proof.
This is not HACLA’s first encounter with a ransomware variant; in 2023, HACLA disclosed a breach by LockBit, revealing that attackers had maintained network access for nearly a year before deploying encryption. During that attack, LockBit reportedly accessed and leaked extensive personal data after HACLA declined to pay a ransom. The recent Cactus breach underscores ongoing challenges in securing public sector organizations against sophisticated ransomware groups.
Conclusion
In conclusion, the growing sophistication of ransomware groups like Cactus and LockBit underscores the urgent need for organizations to strengthen their defenses and have a response plan in place. With public sector entities increasingly targeted, comprehensive cybersecurity strategies are essential to prevent data breaches and minimize disruptions.
As experts in ransomware recovery and cybersecurity, we provide specialized services to help organizations navigate ransomware incidents. Our Ransomware Recovery Services assist with data restoration and system security, while our Ransomware Negotiation Services and Ransomware Settlement Services support organizations in reducing ransom demands and settling attacks efficiently. If your organization is facing a ransomware crisis, contact us today to regain control and secure your operations.