Flaw already corrected in server management system is used in attacks

An already patched vulnerability in Control Web Panel (CWP), a server management system, is being exploited in high-risk remote code execution attacks. Even though the update was released in October, the flaw is still present on more than 400,000 installations around the world, all of them exposed to attack.

According to a survey by the digital security company CloudSek, more than 435,000 instances are vulnerable to attack by cybercriminals. Brazil ranks 10th among the countries with the highest number of exposed instances, a ranking led by the United States, Germany and France, according to an analysis carried out by the Shadowserver Foundation.

The vulnerability, tracked as CVE-2022-44877, was discovered by Numan Turle of Gais Cyber Security and reported to the CWP maintainers in October last year. A fix for the server system was released the same month, but a proof of concept for the attack was only published on January 3rd.

It took just three days for attackers to begin exploiting the flaw, targeting still-unpatched systems to establish remote access and execute malicious code. This race, which usually follows the release of important updates, shows an interest in gaining persistence on systems that remain vulnerable, as well as in carrying out attacks right away.

In some cases analyzed by Shadowserver, for example, criminals launched a reverse shell to obtain an interactive terminal and execute code. In others, activity was limited to locating platforms that could be compromised and might become targets of attacks at a later time.

It is a serious outlook for a flaw that, when originally discovered, received a severity score of 9.8 out of a possible 10. Remote code execution without any form of authentication can enable attacks ranging from data compromise and espionage to ransomware, with entire servers held hostage in exchange for a ransom.

Therefore, the recommendation is that administrators of servers running CWP, formerly called CentOS Web Panel, update urgently. The most current version is 0.9.8.1147, which resolves the issue in all versions of the panel and can be applied to systems running any earlier release.

Source: Bleeping Computer