Active Attacks Target cPanel Flaw to Install Filemanager Backdoor

Threat actors are actively exploiting a critical cPanel authentication bypass flaw to drop a cross-platform backdoor and steal credentials from compromised web hosting environments.

CSBadmin

Exploitation Details

A critical vulnerability in cPanel and WebHost Manager (WHM) is being actively exploited by a threat group called Mr_Rot13. The flaw, which allows attackers to bypass authentication and gain elevated control of the control panel, has been used to deploy a backdoor known as Filemanager on compromised systems.

According to researchers at QiAnXin XLab, within days of the vulnerability’s public disclosure, multiple threat actors began leveraging it for cryptocurrency mining, ransomware deployment, botnet propagation, and backdoor implantation. The researchers noted that over 2,000 unique attacker IP addresses have been involved in automated attacks targeting this vulnerability, with sources primarily traced to Germany, the United States, Brazil, and the Netherlands.

Attack Chain and Impact

The exploitation begins with a shell script that downloads a Go-based infector from a remote server. The infector changes the compromised cPanel system's root password to a hardcoded value, plants an SSH public key for persistent access, and drops a PHP web shell. The web shell provides file upload and download and remote command execution, and also injects JavaScript that serves a customized cPanel login page designed to capture user credentials; the captured credentials are exfiltrated with ROT13 encoding.

Once credentials are captured, the attack culminates in the deployment of a cross-platform backdoor capable of infecting Windows, macOS, and Linux systems. The infector also collects sensitive information including bash history, SSH data, device details, database passwords, and cPanel virtual aliases, and sends the stolen data to a Telegram group created by the threat actor. Organizations running cPanel or WHM should apply the patch immediately, and, on any host that was exposed while unpatched, rotate the root password and any credentials entered through the login page, review authorized_keys entries, and inspect web roots for unexpected PHP files before treating the system as clean.
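The chain described above leaves host-level traces that can be checked even without the campaign's specific indicators: a root hash that no longer matches your baseline, an authorized_keys entry nobody approved, PHP that feeds request input into execution or file-drop functions, and requests whose parameters turn into readable login vocabulary once ROT13-decoded. The Python triage helpers below are an added example written for this page, not code from the article, QiAnXin XLab or cPanel. The access-log format, the keyword list, the key material, the shadow hashes and the PHP snippets are all constructed assumptions; the real campaign's exfiltration parameter names and file paths are not stated in the source.

```python
"""Triage helpers for a cPanel host suspected of the compromise described above.
Added example, not the article's or XLab's code. All sample inputs are constructed."""
import codecs
import re
from urllib.parse import parse_qsl, urlsplit

# Login vocabulary a credential stealer is likely to ship home. Assumption: the
# campaign's real parameter names are not public, so we hunt for the ROT13 form
# of generic words rather than a known indicator.
CREDENTIAL_KEYWORDS = ("user", "pass", "login", "root", "cpanel")


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.encode(text, "rot_13")


# Combined-style access log line, as cPanel's Apache writes it (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_rot13_exfil(log_lines):
    """Flag requests whose query string decodes (ROT13) into login vocabulary.

    A legitimate 'user=admin' decodes to gibberish and is ignored; 'hfre=ebbg'
    (ROT13 of 'user=root') decodes to readable text and is reported.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        decoded = {}
        for key, value in parse_qsl(query, keep_blank_values=True):
            dkey, dvalue = rot13(key), rot13(value)
            if any(kw in dkey or kw in dvalue for kw in CREDENTIAL_KEYWORDS):
                decoded[key] = dvalue
        if decoded:
            hits.append({"ip": m.group("ip"), "target": m.group("target"), "decoded": decoded})
    return hits


def unexpected_ssh_keys(authorized_keys_text, approved_keys):
    """Return authorized_keys lines whose 'type base64' pair is not approved.

    Lines may start with options such as command="..."; the key-type field marks
    where the key itself begins. Comments and blank lines are skipped.
    """
    unexpected = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                if " ".join(fields[i:i + 2]) not in approved_keys:
                    unexpected.append(line)
                break
    return unexpected


WEBSHELL_CALL_RE = re.compile(
    r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open|move_uploaded_file)\s*\(", re.I
)
REQUEST_INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|FILES|COOKIE)\b")


def looks_like_webshell(php_source):
    """Cheap heuristic: request input present alongside execution or file-drop calls."""
    return bool(WEBSHELL_CALL_RE.search(php_source) and REQUEST_INPUT_RE.search(php_source))


def root_password_changed(shadow_text, baseline_hash, user="root"):
    """Compare the account's current shadow hash with the hash your baseline recorded."""
    for line in shadow_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if fields[0] == user:
            return fields[1] != baseline_hash
    raise ValueError(f"{user} not present in shadow data")


# --- constructed sample inputs (placeholders, not real indicators) ------------
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Jun/2025:12:00:01 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2025:12:00:04 +0000] "GET /api/user?user=admin HTTP/1.1" 200 88',
    '198.51.100.23 - - [10/Jun/2025:12:00:09 +0000] "GET /img/load.gif?q=hfre%3Debbg%26cnff%3DF3pe3g HTTP/1.1" 200 43',
]
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; key material is placeholder text, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminKEY0000000000000000000000 admin@bastion
no-pty,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEbackupKEY000000000000000000 backup@nas
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEinjectedKEY00000000000000000 root@attacker
"""
APPROVED_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEadminKEY0000000000000000000000",
    "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEbackupKEY000000000000000000",
}
SAMPLE_WEBSHELL = ("<?php if(isset($_FILES['f'])){move_uploaded_file($_FILES['f']['tmp_name'],$_POST['p']);}"
                   " echo shell_exec($_REQUEST['c']); ?>")
SAMPLE_BENIGN_PHP = "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>"
SAMPLE_SHADOW = "root:$6$rounds=5000$constructed$HASHVALUE:20000:0:99999:7:::\nbin:*:19000:0:99999:7:::\n"
BASELINE_ROOT_HASH = "$6$rounds=5000$baseline$OTHERHASH"

if __name__ == "__main__":
    print("rot13 exfil hits:", find_rot13_exfil(SAMPLE_ACCESS_LOG))
    print("unapproved keys:", unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_KEYS))
    print("webshell?", looks_like_webshell(SAMPLE_WEBSHELL), looks_like_webshell(SAMPLE_BENIGN_PHP))
    print("root hash changed?", root_password_changed(SAMPLE_SHADOW, BASELINE_ROOT_HASH))
```

On a live host, feed the per-domain access logs cPanel keeps, the root and reseller users' authorized_keys files, PHP under each account's web root, and /etc/shadow into these functions, with the approved key set and baseline root hash taken from configuration management rather than from the host itself. The ROT13 keyword hunt is a heuristic: any hit should be decoded and read by an analyst, and a clean result does not prove the stealer used this encoding with guessable vocabulary.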

Source: The Hacker News
