Threat actors are abusing a known Control Web Panel (CWP) vulnerability to open reverse shells and execute malicious code remotely.
Researcher Numan Türle from Gais Cyber Security released a video on YouTube demonstrating how the vulnerability could be exploited. Three days later, researchers noticed a slight spike in abuse of the flaw, which is tracked as CVE-2022-44877 and carries a severity score of 9.8/10 (critical).
The fix for the vulnerability was released in late October 2022, but since a security researcher published a proof-of-concept (PoC), hackers have been picking up the pace.
Reverse shell
The potential attack surface is very large. CloudSek, which has analyzed the PoC, says that a Shodan search for CWP servers returns more than 400,000 instances that can be reached over the internet. While it is not clear that all of these are vulnerable, it does show that the flaw has quite destructive potential. Furthermore, Shadowserver Foundation researchers claim that around 38,000 CWP instances appear every day.
Those that are truly vulnerable, the researchers say, are being exploited to spawn an interactive terminal. By starting a reverse shell, hackers would convert the encrypted payloads into Python commands that call back to the attacker's machine and create a terminal using the Python pty module. However, not all hackers move that fast: some are just scanning for vulnerable devices, possibly to prepare for future attacks, the researchers speculate.
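A defender-side check for the post-exploitation step described above, added here as an example and not taken from the original article or the researchers' analysis: it flags process command lines that start a terminal through Python's pty module, including when the command is wrapped in base64. The base64 wrapping, the record format and the host names are assumptions, and the sample records are constructed.

```python
import base64
import re

# Inline Python program (-c) that starts a terminal with pty.spawn(...).
PTY_SHELL = re.compile(r"python[\d.]*\s+-c\b.*\bpty\s*\.\s*spawn\s*\(", re.S)
# Runs long enough to be an encoded command rather than an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def views(cmdline):
    """Yield the command line plus every base64 run in it that decodes to text."""
    yield cmdline
    for run in B64_RUN.findall(cmdline):
        try:
            yield base64.b64decode(run, validate=True).decode("utf-8")
        except ValueError:  # not valid base64, or not UTF-8 text
            continue


def spawns_pty_shell(cmdline):
    """True when the command line, raw or decoded, spawns a pty terminal."""
    return any(PTY_SHELL.search(view) for view in views(cmdline))


def scan(records):
    """Return the (host, cmdline) records that should be triaged."""
    return [rec for rec in records if spawns_pty_shell(rec[1])]


# Constructed sample records (host, command line); not taken from real logs.
_inner = "python3 -c 'import pty;pty.spawn(\"/bin/sh\")'"
_wrapped = base64.b64encode(_inner.encode()).decode()
SAMPLE = [
    ("web-01", "python3 /opt/scripts/rotate_logs.py"),
    ("web-02", _inner),
    ("web-03", f"sh -c 'echo {_wrapped} | base64 -d | sh'"),
    ("web-04", "python3 -c 'import pty; help(pty)'"),
]

if __name__ == "__main__":
    for host, cmd in scan(SAMPLE):
        print(f"ALERT {host}: {cmd}")
```

Feed it command lines from whatever process-execution telemetry the hosts already produce; a hit on a server running an unpatched CWP release is a reason to treat the host as compromised, not just to patch it.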
The worst thing about CVE-2022-44877 being abused in attacks is that exploitation has become very easy, especially now that the exploit code is public. All hackers have to do now is find vulnerable targets, which, according to the post, is “a menial task”.
CWP version 0.9.8.1147, which addresses this issue, was released on October 25, 2022. IT administrators are urged to apply this fix, or even better – update CWP to the current version of 0.9.8.1148, which was published in early December.
Via: BleepingComputer