cPanel and WHM Vulnerability Easy to Exploit With Dark Web Credentials

December 15, 2020 • Charity Wright

Web hosting platforms such as cPanel and WebHost Manager (WHM) are prime targets for cybercriminals, giving them access to hundreds of websites and the valuable data ingested by their users, including personally identifiable information (PII), personal health information (PHI), credit card data, login credentials, and much more. Sophisticated malware is no longer needed to gain access to these web hosting platforms. Instead, cybercriminals can exploit a recently disclosed two-factor authentication (2FA) vulnerability using valid credentials, which can easily be purchased from dark web markets. Recorded Future demonstrates the simple process that threat actors use and the importance of patching web hosting technology to protect organizations around the world from data theft.

cPanel Vulnerability: TSR-2020-0007, SEC-575

On November 24, 2020, Digital Defense researchers disclosed a vulnerability impacting the cPanel and WHM software suite used by customers to manage over 70 million domains worldwide. Based on the findings, a 2FA vulnerability was found in cPanel and WHM version 11.90.0.5 (90.0 Build 5) that allowed attackers to bypass the security of accounts, which could lead to taking control over the target’s domains. To successfully exploit this flaw, attackers would need the valid credentials of the target, which can be obtained either through phishing attacks or by purchasing cPanel credentials from an underground source. According to cPanel, the vulnerability allows an attacker to repeatedly submit 2FA codes. This brute force technique enables the attacker to bypass two-factor authentication checks. With the fix applied, a failed validation of the 2FA code is treated as a failure of the account’s primary password validation and is rate limited by cPHulk.
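The paragraph above describes the whole defect: the second factor was rejected on a wrong code but nothing counted those failures, so a 6-digit code could be retried without limit, and the fix was to make each failed 2FA check count as a failed login subject to the same lockout as password failures. The following added example (not cPanel's code, and not from the Digital Defense disclosure) models both behaviours with a minimal RFC 4226 HOTP verifier. The secret, counter and guess list are constructed for the demo; `max_failures=5` and the "locked until an operator clears it" behaviour are assumptions that stand in for whatever threshold cPHulk is configured with.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP. TOTP (RFC 6238) is the same with counter = unix_time // 30."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class UnlimitedSecondFactor:
    """Models the flawed behaviour: a wrong 2FA code is simply rejected and the
    caller may submit another one as often as it likes."""

    def __init__(self, secret: bytes, counter: int):
        self.secret = secret
        self.counter = counter
        self.attempts = 0  # how many codes were actually evaluated

    def verify(self, code: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(code, hotp(self.secret, self.counter))


class LockedOutSecondFactor:
    """Models the fix: a failed 2FA code is recorded as a failed login for the
    account and, once max_failures is reached, further attempts are refused
    without being evaluated (the role cPHulk plays in cPanel) until an
    operator unlocks the account. Threshold of 5 is an assumption."""

    def __init__(self, secret: bytes, counter: int, max_failures: int = 5):
        self.secret = secret
        self.counter = counter
        self.max_failures = max_failures
        self.failures = 0
        self.attempts = 0
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False  # refused outright; the code is not even checked
        self.attempts += 1
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def run_guesses(factor, guesses):
    """Submit each guess in turn; return (codes evaluated, whether any succeeded)."""
    success = False
    for guess in guesses:
        if factor.verify(guess):
            success = True
    return factor.attempts, success


def max_success_probability(max_failures: int, digits: int = 6) -> float:
    """Upper bound on guessing one window's code before lockout: at most
    max_failures tries against 10**digits equally likely codes."""
    return max_failures / (10 ** digits)


def demo():
    secret = b"constructed-demo-secret"   # constructed; never reuse a real seed
    counter = 42                          # constructed time-step counter
    real = hotp(secret, counter)
    # twenty constructed wrong guesses (the real code is filtered out if present)
    wrong = [f"{i:06d}" for i in range(20) if f"{i:06d}" != real]

    flawed = UnlimitedSecondFactor(secret, counter)
    print("flawed: evaluated", run_guesses(flawed, wrong)[0], "wrong codes, still open")

    fixed = LockedOutSecondFactor(secret, counter, max_failures=5)
    print("fixed: evaluated", run_guesses(fixed, wrong)[0], "codes, locked =", fixed.locked)
    print("fixed: even the real code is refused now ->", fixed.verify(real))
    print("fixed: attacker success bound per window =", max_success_probability(5))


if __name__ == "__main__":
    demo()
```

The two classes share the same code check; the only difference is that `LockedOutSecondFactor` books each failed second-factor attempt against the account the way a failed password would be, which is exactly the change the advisory describes. The `max_success_probability` helper makes the point numerically: with unlimited tries an attacker with a stolen password can eventually walk the 6-digit space, while a 5-attempt lockout caps the per-window success chance at 5 in a million.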

Obtaining Valid User Credentials From the Dark Web

Threat actors in criminal underground forums are actively discussing this vulnerability and other exploits used to compromise cPanel, making valid cPanel credentials a valuable commodity right now. Threat actors are actively exploiting this vulnerability by using stolen credentials for unauthorized access to cPanel accounts, brute forcing the 2FA process to gain access, and then selling that access. For hackers familiar with the criminal underground, it would take only a matter of minutes to select the cPanel access or credentials they want to purchase, contact the seller, pay using cryptocurrency, and have the tools in hand. From there, they will use the credentials to log in, brute force the 2FA process to gain access to the victim’s cPanel dashboard, and take control of the victim’s domains.


Figure 1: Underground forums boast hundreds of cPanel hacking tools for sale at low prices (Source: Raid Forums)

Simple searches on dark web forums reveal hundreds of cPanel “checkers”, “crackers”, credentials, and accesses for sale. One forum currently has over 5,900 cPanel accesses for sale, as seen in the screenshot below.


Figure 2: cPanel accesses being sold via dark web forum (Source: odin[.]to)

Buyers are able to narrow their choices down by the host country, host company, IP blacklist, domain SEO information, seller, source, price, and more.


Figure 3: cPanel access sold on a dark web forum with options, checkers, prices, geolocations offered (Source: odin[.]to)

The organizations at greatest risk for these exploits are those that have not patched this vulnerability and are not conducting brand monitoring in these underground forums and markets.

Recommendations

Recorded Future recommends the following steps for defending against this particular vulnerability and others like it:

  1. Patch this vulnerability by updating to versions 11.92.0.2, 11.90.0.17, and 11.86.0.32. cPanel released patches for the vulnerability tracked as SEC-575 on November 17, 2020, after Digital Defense privately reported their findings. The patches were applied to updated cPanel and WHM software versions.
  2. Monitor criminal underground sources for mentions of employee and customer credentials for sale. Proactively reset compromised credentials, especially those related to cPanel logins and web application management.
  3. cPanel users should not disable 2FA for their cPanel accounts. Instead, request that the web hosting provider update the cPanel installation to the latest version.
  4. Refer to cPanel’s security website for further information and updates on risk scores related to this vulnerability.
