Fallout Continues on vBulletin Data Breach

As news of the data breach at vBulletin.com and vBulletin.org made mainstream media news, it has left a lot of system administrators and forum administrators extremely nervous since almost one million usernames, emails, and passwords have been compromised.

Possible 0-Day?

Several news outlets have reported a zero-day remote code execution vulnerability affecting all releases of the vBulletin 4.x and 5.x series, which allows an attacker to run arbitrary code on the server remotely.

The exploit is being sold for roughly $7,000.00 USD, payable only in the virtual currencies Bitcoin and WebMoney. According to Brian Krebs at KrebsOnSecurity, at least one individual has made the purchase.

As additional proof of concept, the following screenshots of the vBulletin database, server shell, and tables have been released. We can confirm that the database information is indeed legitimate.

Historically, when an exploit is sold, it has for the most part already been tested and validated as working.

Several vBulletin forum communities, including the DEF CON Conference Forums, have been taken offline because of the vBulletin 0-Day in the wild and have chosen not to return until a patch is released.

Other forum communities have begun the massive task of migrating away from vBulletin, as the issue appears to be growing exponentially.

Earlier yesterday, when confronted by vBulletin customers, it was revealed that the attackers had access to the Magento customer database, which gave them access to customer billing addresses. Whether that access was actually used is still up for debate; however, the logs indicate that the billing data was not accessed.

vBulletin Solutions, a wholly owned subsidiary of Internet Brands, denied the allegations of a real 0-day threat to vBulletin.

“Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin.

“These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software,” wrote Wayne Luke, vBulletin Technical Support Lead.

Whether this attack is related to the MacRumors.com data breach earlier in the month is still being debated among vBulletin customers given that MacRumors was running an older version of vBulletin.

Prepare for an attack?

For websites currently running vBulletin, we recommend that all web application firewalls and server defenses for hosts running vBulletin be tuned to a much stricter setting until the situation is resolved. Server administrators are also encouraged to enable verbose logging to support the incident response process.

Alternatively, vBulletin customers may choose to migrate to an alternative forum platform of their choosing.

More Than 900,000 accounts compromised in vBulletin.com and vBulletin.org Data Breach

Approximately 401,120 vBulletin.com and 503,204 vBulletin.org member accounts (members who post on each respective site) are being asked to change their passwords after accounts on both websites were compromised in an attack.

How many victims? About 900,000

What type of personal information? Usernames, email addresses, and hashed passwords. It is unknown at this time whether members area information or any personally identifiable customer information is at risk.

What was the response? An internal investigation is ongoing. Wayne Luke, vBulletin Technical Support Lead, posted about the attack, alerting users to the data breach and encouraging them to update their passwords.

Details of attack: A development server, mainly used for quality assurance, was successfully broken into during the summer. Sometime between the summer and early October, the attackers successfully gained access to the primary database server, installed Adminer (formerly phpMinAdmin) and accessed the vBulletin.com and vBulletin.org user tables. At the conclusion of the attack, they deleted Adminer.

The log files that were examined do not show any attempted access to customer data in the support system; they indicate that the attackers targeted the vBulletin user table. The integrity of the logs is in question, however, given that the attackers deleted evidence of their presence.
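The verbose logging recommended above is only useful if someone actually looks at the logs for the pattern described in this breach: a single-file database console such as Adminer dropped into a web root, used to read the user table, then removed. The following is an added example, not code from the original post or from vBulletin Solutions, that scans web server access logs for that pattern. It assumes the console was reachable over HTTP on a host that writes Apache/nginx "combined" format logs, and the sample log lines, IP addresses and query-string keys are constructed for illustration (the `select`, `dump`, `sql` and `username` keys follow Adminer's URL scheme but are treated here as an assumption).

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# One Apache/nginx "combined" log line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# File names that mark a single-file database console dropped into the web root.
# Adminer ships as adminer.php or adminer-<version>[-<driver>].php; its former name was phpMinAdmin.
DB_CONSOLE_RE = re.compile(r'(^|/)(adminer[\w.-]*|phpminadmin[\w.-]*)\.php$', re.IGNORECASE)

# Query-string keys (assumed here, modelled on Adminer's URL scheme) that mean table reads or dumps.
BULK_READ_KEYS = ("select", "dump", "sql")

# Constructed sample log excerpt: one legitimate forum visitor (203.0.113.7), one scanner that
# probes for a console that is not there yet (192.0.2.55), and one actor that reaches the
# console, logs in and reads the "user" table (198.51.100.23). None of these are real records.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Oct/2013:03:14:01 +0000] "GET /forum/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.55 - - [02/Oct/2013:03:15:12 +0000] "GET /adminer.php HTTP/1.1" 404 209 "-" "python-requests/1.2"
203.0.113.7 - - [02/Oct/2013:03:14:09 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Oct/2013:03:20:41 +0000] "GET /adminer.php HTTP/1.1" 200 2211 "-" "curl/7.29.0"
198.51.100.23 - - [02/Oct/2013:03:20:55 +0000] "POST /adminer.php?username=root HTTP/1.1" 200 9902 "-" "curl/7.29.0"
198.51.100.23 - - [02/Oct/2013:03:21:30 +0000] "GET /adminer.php?db=vbulletin&select=user HTTP/1.1" 200 88021 "-" "curl/7.29.0"
203.0.113.7 - - [02/Oct/2013:03:25:00 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 7312 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string if the request looks like database-console activity, else None."""
    url = urlsplit(entry["target"])
    if not DB_CONSOLE_RE.search(url.path):
        return None
    if entry["status"] != "200":
        # The file was requested but not served: somebody is looking for a console.
        return "console probe (non-200)"
    params = parse_qs(url.query)
    for key in BULK_READ_KEYS:
        if key in params:
            # A table was selected, dumped or queried through the console.
            return f"table access ({key}={params[key][0]})"
    if entry["method"] == "POST" and "username" in params:
        return "console login attempt"
    return "console reached"


def find_db_console_access(log_text):
    """Scan log text and return one finding per line that matches the console pattern."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reason": reason})
    return findings


def summarize_by_ip(findings):
    """Count findings per source address so a responder can see who reached the console."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = find_db_console_access(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]}  {h["ip"]:<15}  {h["reason"]:<28}  {h["target"]}')
    print("by source:", summarize_by_ip(hits))
```

A 200 response for a console file that the site never deployed is the strongest signal here, and the transition from "console reached" to "table access" from the same address is what a responder would want to timeline. Because the attackers in this breach deleted the console afterwards, the web log is often the only record left of it, which is one reason to ship logs off the host rather than keep them only where the attacker has write access.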

Quote: “We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Source: vBulletin.com and vBulletin.org

#AmericanBlackout is really #AmericanFUD

How good (or rather, how bad) was National Geographic’s American Blackout? I would argue pretty bad, even if the film were accurate.

On Sunday night, National Geographic debuted a fictional, cynical, survivalist movie about how Americans would react to an extended power outage caused by a cyber attack that knocks out power for the entire nation.

The movie was largely billed as “the story of a national power failure in the United States caused by a cyber attack — told in real time, over 10 days, by those who kept filming on cameras and phones. You’ll learn what it means to be absolutely powerless. Gritty, visceral and totally immersive, see what it might take to survive from day one, and who would be left standing when the lights come back on.”

It was nothing more than 120 minutes of needless panic and despair, all designed to stir up fear, uncertainty, and doubt while selling advertisements for survivalist products and other doomsday television series on National Geographic. Largely, American Blackout recycled themes familiar from NBC’s television series Revolution.

It was 120 minutes that could have been better spent catching up on sleep or an activity of choice. For those who missed it, consider yourselves fortunate.

First, forget the fact that the cyber attack made up at most five minutes of the entire movie. Some of the facts were simply wrong: for instance, the North American grid is interconnected with Canada and Mexico. Granted, the grid can be separated, as it was in 2003 during the Northeast Blackout, but any widespread loss of power would have affected our neighbors to the north and south. We clearly saw how the 2003 Northeast Blackout affected both Canada and the United States. Moreover, we also know that there would likely be select pockets of power back online within a relatively short period of time. Again, see the 2003 Northeast Blackout for examples.

Assuming a nation-state sponsored and successfully coordinated a cyber attack on one part of the North American electrical grid, it would not personally surprise me if utilities across the country responded appropriately to defend themselves. Moreover, a cyber attack of this magnitude would create massive ripples in the global economy within a matter of hours.

The storyline is plausible only because anything is possible, but it is extremely unlikely and far-fetched at best. The storyline itself could have used any number of alternative plots to illustrate the consequences of a long-term power outage.

But more importantly, it was a massive missed opportunity to share and educate on how vulnerable any organization or any technology we employ, including the electrical grid, is to a cyber attack. Alas, they would rather spend 5 minutes of a 120-minute movie citing a cyber attack that took humanity to the brink of self-destruction.