
Hackers Exploit cPanel Flaw to Gain Control of Thousands of Websites

Hackers are still aggressively exploiting a critical bug in cPanel and WHM, the widely used web hosting control software that powers countless websites across the internet. The flaw, tracked as CVE-2026-41940, lets attackers bypass the login screen and seize administrative access to affected servers without a password. Because cPanel is deeply embedded in shared hosting environments, a single compromised server can expose many unrelated websites at once.

The scale of the problem is large. Security researchers say more than 550,000 cPanel servers may be vulnerable, while roughly 2,000 instances were believed to be compromised at the time of reporting, down from about 44,000 last week. That drop suggests some hosting providers and administrators have already begun cleaning up or blocking attacks, but the threat remains active and widespread.

What makes the issue especially dangerous is how much control the bug gives to attackers. Once inside, criminals can manage website files, databases, SSL certificates, and other critical settings tied to every site hosted on the server. In practice, that means they can deface websites, install backdoors, steal data, or redirect visitors to malicious pages, all from the control panel intended for legitimate administrators.

The vulnerability also shows signs of having been abused before public disclosure. One hosting provider reported seeing exploitation attempts as early as late February, well before the issue was officially disclosed and patched. The U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog, confirming that it is being used in real-world attacks and should be treated as an urgent patching priority.

For site owners, the response needs to be immediate and practical. Systems should be patched to the latest cPanel and WHM releases, exposed login panels should be restricted where possible, and administrators should check for unauthorized users, modified files, suspicious SSH keys, and unexpected database changes. Hosting providers such as Namecheap, HostGator, and KnownHost have already taken emergency steps, including temporarily blocking access while they applied fixes. The wider lesson is that a single authentication-bypass flaw in a core admin tool can become a large-scale internet incident almost overnight.

CrossCurve Bridge Hit by $3 Million Exploit after Smart Contract Flaw

CrossCurve, a cross-chain bridge formerly known as EYWA, has suffered a major cyberattack after hackers exploited a vulnerability in its smart contract infrastructure, draining about $3 million across multiple blockchain networks. The CrossCurve team confirmed the incident on Sunday, saying its bridge infrastructure was under active attack and urging users to immediately stop interacting with the protocol. “Our bridge is currently under attack, involving the exploitation of a vulnerability in one of the smart contracts used,” CrossCurve said in a post on X. “Please pause all interactions with CrossCurve while the investigation is ongoing.”

Blockchain security account Defimon Alerts said the exploit stemmed from a gateway validation bypass in CrossCurve’s ReceiverAxelar contract. According to the analysis, the contract was missing a critical validation check, allowing attackers to call the expressExecute function using spoofed cross-chain messages.

By abusing this flaw, the attackers bypassed the intended gateway validation logic and triggered unauthorized token unlocks on the PortalV2 contract, resulting in the loss of funds. The exploit affected CrossCurve deployments across several blockchain networks.
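To make the missing check concrete, here is an added illustrative receiver contract; it is not CrossCurve's code. Axelar's gateway really does expose `validateContractCall`, while the `IPortal` interface, the contract name and the trusted-source bookkeeping are assumptions for the example. It shows the gateway confirmation a message handler must obtain before it lets a portal release funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Subset of Axelar's gateway interface. The gateway returns true only for a
// (commandId, source, payloadHash) tuple its validators approved, and clears
// the approval as it does so, so an approved command cannot be replayed.
interface IAxelarGateway {
    function validateContractCall(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes32 payloadHash
    ) external returns (bool);
}

// Assumed stand-in for a PortalV2-style vault that releases locked tokens.
interface IPortal {
    function unlock(address token, address to, uint256 amount) external;
}

contract HardenedReceiver {
    IAxelarGateway public immutable gateway;
    IPortal public immutable portal;
    // keccak256(sourceChain, sourceAddress) of the bridge's own sender contract.
    bytes32 public immutable trustedSource;

    constructor(address gateway_, address portal_, string memory srcChain, string memory srcAddr) {
        gateway = IAxelarGateway(gateway_);
        portal = IPortal(portal_);
        trustedSource = keccak256(abi.encode(srcChain, srcAddr));
    }

    // Permissionless entry point: every argument is caller-controlled until the
    // gateway confirms the message. A handler that forwards to the portal without
    // this confirmation (the expressExecute path described above) unlocks funds
    // on spoofed input.
    function execute(
        bytes32 commandId,
        string calldata sourceChain,
        string calldata sourceAddress,
        bytes calldata payload
    ) external {
        require(
            gateway.validateContractCall(commandId, sourceChain, sourceAddress, keccak256(payload)),
            "message not approved by gateway"
        );
        require(keccak256(abi.encode(sourceChain, sourceAddress)) == trustedSource, "untrusted source");
        (address token, address to, uint256 amount) = abi.decode(payload, (address, address, uint256));
        portal.unlock(token, to, amount);
    }
}
```

The second `require` matters as much as the first: gateway approval only proves a message was sent, not that it came from the bridge's own contract on the source chain.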

Data from Arkham Intelligence, shared by Defimon Alerts, shows that the PortalV2 contract balance fell from roughly $3 million to nearly zero around Jan. 31. Transaction records indicate the attack unfolded across multiple chains rather than a single network. 

CrossCurve operates a cross-chain decentralized exchange and liquidity protocol built in partnership with Curve Finance. The system relies on what it describes as a Consensus Bridge, which routes transactions through multiple validation layers, including Axelar, LayerZero, and the EYWA Oracle Network. In its documentation, CrossCurve had described this architecture as a security advantage, stating that “the probability of several crosschain protocols getting hacked at the same time is near zero.” 

The incident, however, showed that a single smart contract flaw can still compromise a broader system. The project has backing from prominent figures in decentralized finance. Michael Egorov invested in the protocol in September 2023, and CrossCurve later said it had raised $7 million from venture capital firms. Following the exploit, Curve Finance warned users with exposure to EYWA-related pools to reassess their positions. 

“Users who have allocated votes to Eywa-related pools may wish to review their positions and consider removing those votes,” Curve Finance said on X. 

Security researchers said the attack echoes earlier bridge exploits, drawing comparisons to the 2022 Nomad bridge hack, in which about $190 million was drained after attackers discovered a faulty validation mechanism.

Fortra's GoAnywhere MFT Software Faces Exploitation Concerns, No Evidence of Active Exploitation Detected

Reports of attempted exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns that working exploit code would be developed from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 exploitation attempts based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely, given the limited exposure of admin portals (only 50) and the fact that the majority are patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Consistent with the lack of confirmed active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and exploitation this simple, there are concerns that threat actors will start scanning for vulnerable instances of GoAnywhere MFT. While it is uncertain whether CISA will include this flaw in the KEV catalog, the agency has previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.