A brilliant dissection of how a simple character sequence can collapse an entire security architecture. It proves that the most sophisticated defenses are often undone by the most basic oversights.
Sorry.
Sorry is what hackers are saying in this latest ransomware attack. Critical cPanel flaw mass exploited in Sorry ransomware attacks. Guys, this is so funny to me, because I feel like hackers have shifted so dramatically from, like, 10 years ago, where you had, like, Anonymous. They are hackers on steroids. Never forgive.
Never forget. And then over time they've gotten kind of more soft and, like, normal. Like, you can identify with them almost. Like, team PCP had a Twitter account where it's just a cat, and then this is a ransomware attack where you open your computer and all of your files are encrypted, not with "we will hunt your family, send us a million Bitcoin", it's just all the files are .sorry. What's happening here is they're taking advantage of a very critical cPanel bug, which we're going to go over here in a second, that allows a user to authenticate as root because of input sanitization, which in the large year of 2026 should be a felony by now, but it's not. Let's talk about what this is all about and let's go into the bug here. If you're not aware of what cPanel is, you're probably a Zoomer. You probably deploy on Vercel and you probably are unemployed. But cPanel is a tool that is meant to act as kind of a customization and automation framework for deploying and managing, I would say modern, but like less than modern, premodern web apps. It gives you phpMyAdmin. It gives a simpler time, where people were deploying PHP applications on Windows with Apache and FTP. Okay, this is what it reminds me of. But cPanel, like any web application, has a variety of vulnerabilities that have been fixed and patched over time. And this latest one is an absolute doozy. So this is an authentication bypass, and I will remind you that authentication is kind of one of the only security features on cPanel. Like, low-key, this is like the only thing that cPanel has to get right. And it seems like in this case, they didn't get it right, which is honestly insane to me given that we've had basically 30 years of people figuring out auth. So, how we haven't figured out auth already is insane, but we'll keep going. This is the entire reason, by the way, that companies like Clerk exist. It's literally a company that just does authentication for you, like as a service. Not a sponsor, but hit me up.
Now, I'm not going to read the whole thing. I'm going to go over the highlights, obviously, but in classic watchTowr fashion, their labs have found another insane vulnerability in the internet's infrastructure. And I think in this case, they also used AI to find it. So again, we're seeing a world where more severe, bigger vulnerabilities are being found by already talented exploit professionals that are now using AI to augment their knowledge and find even more critical vulnerabilities. So, pretty crazy. Again, I'm not going to go into the whole thing. They call the article "The internet is falling down, falling down, falling down." I'll link that in the description below. But in classic watchTowr fashion, they find a vulnerability where basically, something something, run a Python script, and then you set up a session, and then bada bing bada boom, you have root on the server. That's insane. This applies to not only cPanel, but WHM, which I believe is just another offshoot of cPanel. Not sure exactly what it's for.
Again, I'm going to ride the wave tops here. I'm going to go over the very basic details. You can go read the article yourself if you're interested in the nitty-gritty. But in classic session authentication fashion, which session authentication is a good thing, by the way, right? You're given some unique token by the server that represents a file on the back end. And that file on the back end contains information about you. What's your username? What's your password? What's your IP address? Are you root? What things are you allowed to access? This is a very common authentication pattern. And just like anything else, a lot of user data goes into here. Right now, wouldn't it be a shame if they had some major blunder in the way that they parse user data? Now, you'll notice that there are a lot of fields here that all seem to just be delimited by a newline. Hm.
Wouldn't it suck if a user could put their own data in here with a new line and say something like has root? Oh, no.
Okay. Okay, guys. We're good. Don't worry about it. No, we're fine. We actually lucked out. They have a function called filter session data.
Okay, filter session data. Luckily, you put a newline in there with a password, but it looks into your password and says, "Ah, there's a newline. That's a bad character that could cause an injection of data. We have to remove it." Ah, but they forgot this one simple trick that hackers hate: carriage return line feed. The old RN, as Prime would call it, the registered nurse. Guys, literally all you have to do is insert an RN, a registered nurse, a carriage return line feed, into this. And what it allows you to do is inject arbitrary fields into your session data.
So in the payload that they sent, they have x as their password. So again, it's user equals blank, pass equals blank, right? So user equals root, password equals x, but then after that, carriage return line feed, has root equals 1, 2FA verified user equals root. So they overwrite the name of the session, CP security token equals some pre-controlled value, and successful internal auth timestamp equals a timestamp at which they were authenticated. So their session is not only valid, but it's not expired. Okay. There's a lot of work that goes into this under the hood about how they had to make sure that it didn't read session data from the cache and actually read session data from the actual contents of the file.
Again, I'm not going to read this for them. Go read it if you want to find out more. But yeah, so this is actively being exploited by ransomware groups, right? So CISA, an agency within the Department of Homeland Security in the US, maintains a catalog called the KEV, the Known Exploited Vulnerabilities, which literally just says like, "Hey, this bug exists and we've observed somebody somewhere throwing it at somebody else." Okay. And in this case, the cPanel bug has been thrown in the wild by a threat actor trying to get access to some system. And reeling it all into the very beginning of this video, it's been exploited by a ransomware actor who, all they want to do is say sorry. Now, they can't be that sorry, okay? Obviously, because some threat actor, again not one, likely multiple, but somebody, some group of people, have exploited 44,000 IP addresses where cPanel is exposed to the internet. Guys, I literally don't know how it's possible. Like, I'm trying to figure out a network configuration where you're exposing your cPanel to the internet. I guess, like, it is a web app, so by design you want to do that, but for me, even though a web app, a network appliance, may have authentication that prevents anybody from being able to use it, all authentication at the end of the day is some form of cryptography and user data parsing that we, again, 30 years later, 40 years later, have yet to get right completely. So I don't expose anything to the internet except for potentially a VPN concentrator, and even then, as we've seen recently, these things also have vulnerabilities. I'm calling out Ivanti in particular just because it's top of mind for me. But I think Ivanti, also Cisco, also Fortinet, all these companies that make VPN concentrators also write code that has vulnerabilities. So even that is not a good way to do this.
And with the advancements of AI, every day it's more and more likely that your organization might get hacked.
You got to be prepared. And that's why today's video is sponsored by ThreatLocker. ThreatLocker is a zero trust platform that allows your organization to stop hackers if they get in. With deny-by-default policies, your organization controls what happens when a compromise occurs. ThreatLocker's device dashboard allows you to have visibility of all the devices in your organization.
When they join your organization, they go through an application control learning period where ThreatLocker learns exactly what is required for your device to run. After that control learning period is over, it will deny the rest by default, giving you confidence that untrusted applications aren't running. So that when Frank from engineering inevitably runs "definitely not malware.ps1", ThreatLocker blocks it before it even runs. And if they really need to run it, they can put a little message in here where your SOC can respond to it as soon as they see it.
And with ThreatLocker's new zero trust network access, you can push network rules down to the device, where every connection is intentional and required by the baseline that ThreatLocker collects. All traffic is blocked by default unless it matches your rules, where you get to control which users can connect, which devices are approved, and which resources are accessible. Guys, you know the rule. The best way to go help the channel out is to go interact with the sponsor. Go give ThreatLocker a shot. And next time zero trust comes up at your company, why don't you mention ThreatLocker. Thank you for sponsoring the video, ThreatLocker. Let's get back to it. Now, to reel this in and play nice, I want to highlight that this video was mostly comedic commentary.
Okay, I'm not actually throwing shade at cPanel. It's very important to highlight that the thing that cPanel is doing here is a very difficult problem to solve in security when you're writing software, right? Like, when you do this process of writing a parser that takes in user data, you have to consider every potential edge case that could evaluate to the same character as the one you're trying to avoid. Right? So again, they wrote a filter that is trying to create a blacklist that says, hey, these things are not allowed. The newline is not allowed on its own. But then you have to consider every variant of combinations of the newline that return as a newline when you evaluate them, all Unicode characters in other languages that potentially have the same ASCII value but a different UTF-8 or UTF-16 encoding, and then on top of that, just the ability for other parsers that you're not aware of to return a newline-like character when evaluated. It's like, this process of writing parsers like this is very complicated. That's why people say, like, oh, don't roll your own auth. It's not so much that cryptography is hard to get right. Like, everyone generally knows what symmetric versus asymmetric is and how key exchanges work, stuff like that.
It's more when you do this thing where you create your own session identity format, or kind of like your own version of a PHP session ID or a JavaScript session ID or a Java session ID, it just enters this really weird domain where you can get so many things wrong, and it's so hard to know what combinations of things lead to the bad state you're trying to avoid. You know, on this topic, this is generally why this meme gets passed around and says this is why whitelists are better than blacklists, right? So, a whitelist is a list of things that you are allowed to do, right? It's easier to say, "Hey, you only can ride a skateboard and you only can ride a bike." That is a whitelist. A blacklist is a list of things that you're not allowed to do, right? So, you're not allowed to ride a bike or rollerblade or roller skate or skateboard or scooter, and then homie rides in on a [ __ ] unicycle, and technically he's not breaking the law, right? The same kind of idea applies here. Like, yeah, technically we didn't use a newline. We used a carriage return line feed, stupid ass. And that is what allowed us to pop your server and get root. And I know what you're thinking. I just knocked over my whole desk. I know what you're thinking. Would Rust have fixed this? No. Rust... this is not a problem... I'm really just kind of shocked that nothing fell over and did that. That was really dumb. Rust would not have fixed this in particular, right? We're talking about the Ivanti VPN vulnerabilities. Some of these were buffer overflows, not related to this at all, but like, Rust fixes memory safety, right? Rust does not fix either logical bugs or bugs in the parsing of data, okay? In the inability to remember that this exists. Anyway, guys, that's it for now. Thanks for watching. If you're at this point in the video, do me a favor and comment "Sorry."
And then go check out this other video that I think you will enjoy just as much. I'll see you over there. Sorry.
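The filter-versus-parser mismatch the video describes, as an added toy model in Python that is not cPanel's code and not from the watchTowr article: a line-delimited session file whose blacklist filter strips only a bare newline while the parser honours every line terminator, beside an allowlist filter that rejects anything a field may not contain. The field names (hasroot), the file layout and the payload are constructed for illustration.

```python
import re

# Constructed line-delimited session file, loosely shaped like the video's
# description (NOT cPanel's real format). In this toy, a later key overrides
# an earlier one when the file is parsed.
SESSION_TEMPLATE = "user={user}\nhasroot=0\npass={password}\n"

def filter_blacklist(value: str) -> str:
    """The flawed pattern: strip the one bad character you thought of, a bare '\\n'."""
    return value.replace("\n", "")

def filter_allowlist(value: str) -> str:
    """The fix: accept only printable ASCII without '=', space or any control
    character ('\\r' and '\\n' included); anything else is rejected, not 'cleaned'."""
    if not re.fullmatch(r"[\x21-\x3c\x3e-\x7e]+", value):
        raise ValueError("session field contains disallowed characters")
    return value

def allowlist_rejects(value: str) -> bool:
    """True if the allowlist filter refuses this value."""
    try:
        filter_allowlist(value)
    except ValueError:
        return True
    return False

def write_session(user: str, password: str, filt) -> str:
    """Serialise the fields after running each value through the chosen filter."""
    return SESSION_TEMPLATE.format(user=filt(user), password=filt(password))

def parse_session(raw: str) -> dict:
    """The parser's notion of 'a line' is wider than the filter's: str.splitlines()
    breaks on '\\r', '\\r\\n', '\\x85', '\\u2028' and more, not just on '\\n'."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields

def is_root_session(user: str, password: str, filt) -> bool:
    """Does the session that gets written and read back grant root?"""
    return parse_session(write_session(user, password, filt)).get("hasroot") == "1"

# Constructed payload in the shape the video describes: a real-looking password
# followed by CRLF and an injected privilege field.
PAYLOAD = "x\r\nhasroot=1"

if __name__ == "__main__":
    print("blacklist filter grants root:", is_root_session("root", PAYLOAD, filter_blacklist))
    print("allowlist filter rejects payload:", allowlist_rejects(PAYLOAD))
```

Note that the blacklist filter turns the payload into `x\rhasroot=1`, and the lone `\r` is still a line break to the parser, which is exactly the "every variant that evaluates to a newline" problem the video raises.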