Posted on January 12, 2023 at 6:05 AM
Hackers have been exploiting a recently patched critical flaw in Control Web Panel. The flaw, tracked as CVE-2022-44877, was rated critical, with a severity score of 9.8 out of 10. It allows an attacker to run code remotely without authentication.
Hackers exploit a flaw in Control Web Panel
The security vulnerability was detected in Control Web Panel (CWP), a tool used to manage servers. The tool was known as CentOS Web Panel before it was rebranded to its current name.
The security vulnerability was revealed by researcher Numan Turle of Gais Cyber Security. Turle reported the issue in October 2022, and he later released a proof-of-concept (PoC) exploit with a video illustrating how the exploit works and the threat it poses.
Three days after the PoC exploit and the video showing how it could be carried out were published, cybersecurity researchers detected hackers exploiting the vulnerability to obtain remote access to systems that had yet to be patched. The hackers were also searching for more vulnerable devices to exploit.
CWP version 0.9.8.1147 was released on October 25 last year, and it fixed the flaw that could have compromised users. The flaw can only be exploited in older versions of the panel; users who have already upgraded to the recent version are protected from this vulnerability.
A technical analysis of the PoC exploit code published by CloudSek detected that hackers had exploited a significant number of devices. The analysis searched for CWP servers on the Shodan platform. The search detected over 400,000 instances of CWP being exploited and accessed over the internet.
The Shadowserver Foundation also conducted research into this vulnerability. Its researchers detected that the vulnerability was being exploited, and their scans had seen around 38,000 CWP instances daily. The figure does not indicate the machines that are vulnerable to the exploit but the number of people detected by the platform.
The extensive exploitation of this vulnerability by hackers shows that the breach could be extensive for users who are yet to upgrade to the latest version. It also shows that most of the population still uses the older CWP version.
Shadowserver also recorded the malicious activity being conducted through these exploits. The malicious activity demonstrated that hackers were looking for vulnerable hosts and exploiting the flaw to detect a terminal for interacting with the vulnerable device.
Hackers use exploit to start a reverse shell
In some of these attacks, the hackers used the vulnerability to start a reverse shell. The hackers converted the embedded payloads into Python commands. The commands would be channeled to the hacker’s machine to link a terminal on the vulnerable host. The hackers completed this action through the Python pty module.
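One way to hunt for the behaviour described above in recorded process command lines, as an added example that is not part of the original article: it flags a Python interpreter run with inline code that combines the pty module with a socket. The record layout, host names, user names and sample command lines are constructed, and the payloads in them are elided.

```python
import re

# A Python interpreter started with inline code (-c), e.g. python, python3, python3.9.
PY_INLINE = re.compile(r"\bpython[\d.]*(?:\s+-\w+)*\s+-c\b")
# The pty module imported, or pty.spawn called, inside that inline code.
PTY_USE = re.compile(r"\bimport\s+[\w, ]*\bpty\b|\bpty\s*\.\s*spawn\b")
# Any reference to the socket module in the same command line.
NET_USE = re.compile(r"\bsocket\b")


def classify(cmdline):
    """Return 'alert', 'review' or 'ok' for one recorded command line."""
    if not PY_INLINE.search(cmdline):
        return "ok"
    has_pty = bool(PTY_USE.search(cmdline))
    if has_pty and NET_USE.search(cmdline):
        return "alert"   # pty wired to a socket: a terminal handed to a remote peer
    if has_pty:
        return "review"  # pty alone also shows up in legitimate admin one-liners
    return "ok"


def triage(records):
    """Return (host, user, verdict) for every record that is not 'ok'."""
    findings = []
    for host, user, cmdline in records:
        verdict = classify(cmdline)
        if verdict != "ok":
            findings.append((host, user, verdict))
    return findings


# Constructed sample records (host, user, command line); payloads are elided.
SAMPLE = [
    ("web01", "root", "python3 -c import socket,os,pty; <connection setup elided>; pty.spawn(<shell>)"),
    ("web02", "admin", "python3 -c import pty; pty.spawn(<shell>)"),
    ("web03", "backup", "python3 /opt/scripts/rotate_logs.py"),
    ("web04", "deploy", "python3 -c import json,sys; print(json.load(sys.stdin)['version'])"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On a patched host an "alert" still deserves investigation, since a shell opened before the update would not be closed by it.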
The other exploits conducted using this flaw looked to identify vulnerable devices. It is yet to be determined whether the scans were conducted by hackers looking to identify whether the vulnerability had been exploited or by hackers looking to identify the machines that could be exploited using the vulnerability.
It looks like the attempts to exploit the vulnerability depended on the original PoC that Numan Turle released. The PoC was slightly altered to match the needs of the attacker.
The GreyNoise research company has also detected more attacks on unpatched CWP hosts using IP addresses in the Netherlands, Thailand, and the United States. This showed that the attackers were targeting machines operated around the world by users running an older version of CWP.
One factor behind the large number of attacks exploiting this vulnerability is that leveraging the flaw is easy. The exploit code has already been made public, so the only work a threat actor has to do is find a vulnerable target, which is an easy task.
The only action administrators can take to protect themselves from this breach is to update CWP to the latest available version. That version is 0.9.8.1148, released on December 1, 2022.