Fallout Continues on vBulletin Data Breach

As news of the data breach at vBulletin.com and vBulletin.org reached the mainstream media, it has left many system administrators and forum administrators nervous: almost one million usernames, email addresses, and hashed passwords have been compromised.

Possible 0-Day?

Several news outlets have reported a zero-day remote code execution vulnerability said to affect every release of the vBulletin 4.x and 5.x series, which would let an attacker run arbitrary code on the web server hosting the forum.

The exploit is being sold for roughly $7,000.00 USD, payable only in the virtual currencies Bitcoin and WebMoney. According to Brian Krebs at KrebsOnSecurity, at least one individual has already made the purchase.

As added proof of concept, screenshots of the vBulletin database, a server shell, and database tables have been released. We can confirm that the database information shown in them is legitimate.

Historically, an exploit that is offered for sale has, for the most part, already been tested and validated as working by the seller.

Several vBulletin forum communities, including the DEF CON Conference Forums, have been taken offline because of the reported vBulletin 0-day in the wild and have chosen not to return until a patch is released.

Other forum communities have begun the massive task of migrating away from vBulletin, as the situation appears to be escalating rapidly.

Yesterday, when pressed by vBulletin customers, it emerged that the attackers had access to the Magento customer database, which holds customer billing addresses. Whether that access was actually used is still in dispute; the logs indicate that the billing records were not accessed.

vBulletin Solutions, a wholly owned subsidiary of Internet Brands, denied the allegations of a real 0-day threat to vBulletin.

“Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin.

“These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software,” wrote Wayne Luke, vBulletin Technical Support Lead.

Whether this attack is related to the MacRumors.com data breach earlier in the month is still being debated among vBulletin customers given that MacRumors was running an older version of vBulletin.

Prepare for an attack?

For websites currently running vBulletin, we recommend that web application firewall rules and the defenses on servers hosting vBulletin be tightened until the situation is resolved. Server administrators are also encouraged to enable verbose web server and database logging, and to ship those logs off the host, so that a complete record is available for incident response even if an attacker later removes evidence from the server.

Alternatively, vBulletin customers may choose to move to another forum platform of their choosing.

More Than 900,000 accounts compromised in vBulletin.com and vBulletin.org Data Breach

The owners of approximately 401,120 vBulletin.com and 503,204 vBulletin.org member accounts (members who post on each respective site) are being asked to change their passwords after accounts on both websites were compromised in an attack.

How many victims? About 900,000

What type of personal information? Usernames, email addresses, and hashed passwords. It is unknown at this time whether members' area information and any personally identifiable customer information are at risk.

What was the response? An investigation is ongoing internally. Wayne Luke, vBulletin Technical Support Lead, posted about the attack, alerting users of the data breach and is encouraging users to update their passwords.

Details of attack: A development server, mainly used for quality assurance, was successfully broken into during the summer. Sometime between the summer and early October, the attackers successfully gained access to the primary database server, installed Adminer (formerly phpMinAdmin) and accessed the vBulletin.com and vBulletin.org user tables. At the conclusion of the attack, they deleted Adminer.

The log files that were examined show no attempted access to customer data in the support system; they indicate that the attackers targeted the vBulletin user table. Log integrity is in question, however, since the attackers deleted evidence of their presence, including the Adminer installation itself.
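The recommendation above to keep verbose logs for incident response, and the attack detail that a dropped Adminer script was used against the database and then deleted, suggest one concrete check: scan web server access logs for requests to a database admin tool that should not be in the webroot. The following is an added example, not code from this article or from vBulletin Solutions. It assumes combined-format access logs, a hypothetical allow-list of the PHP entry points a deployment is expected to serve, and the constructed sample lines embedded below; the query keys `select` and `dump` are the ones Adminer uses when browsing or exporting a table.

```python
"""
Log-based check for a dropped single-file database admin tool (Adminer,
formerly phpMinAdmin) in web server access logs.  Detecting the requests
survives the attacker deleting the file afterwards, provided the log
copies examined are intact (ideally shipped off-host as they are written).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format for this example; they
# are not logs from vBulletin.com or vBulletin.org.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:03:12:07 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:03:14:41 +0000] "GET /adminer.php HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:03:14:55 +0000] "POST /adminer.php?username=root HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:03:15:10 +0000] "GET /adminer.php?username=root&db=vbulletin&select=user HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2013:03:16:02 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:03:20:33 +0000] "GET /adminer.php?username=root&db=vbulletin&dump=user HTTP/1.1" 200 2281904 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical allow-list: the PHP entry points this deployment is expected
# to serve.  Edit for your own webroot; any other .php path is flagged.
EXPECTED_PHP = {"/forum/index.php", "/forum/showthread.php"}

# File names of popular single-file database admin tools.
TOOL_NAMES = {"adminer.php", "phpminadmin.php"}

# Query keys Adminer uses when browsing (select=) or exporting (dump=) a table.
EXPORT_KEYS = {"select", "dump"}

# Response size above which a flagged request looks like a bulk table export.
LARGE_RESPONSE = 1_000_000


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify(rec):
    """Return the reasons a parsed request is suspicious (empty list if none)."""
    reasons = []
    name = rec["path"].rsplit("/", 1)[-1].lower()
    if name in TOOL_NAMES:
        reasons.append(f"known DB admin tool name {name}")
    elif name.endswith(".php") and rec["path"] not in EXPECTED_PHP:
        reasons.append(f"unexpected PHP file {rec['path']}")
    if reasons and (EXPORT_KEYS & rec["query"].keys()):
        reasons.append("table browse/export parameters present")
    if reasons and rec["size"] >= LARGE_RESPONSE:
        reasons.append(f"large response ({rec['size']} bytes), possible table export")
    return reasons


def scan(log_text):
    """Return every suspicious request in the log text, with its reasons attached."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def per_source(findings):
    """Aggregate findings by source IP: request count, bytes returned, time window."""
    agg = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for f in findings:
        a = agg[f["ip"]]
        a["requests"] += 1
        a["bytes"] += f["size"]
        a["first"] = a["first"] or f["ts"]
        a["last"] = f["ts"]
    return dict(agg)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} -> {'; '.join(h['reasons'])}")
    for ip, a in per_source(hits).items():
        print(f"{ip}: {a['requests']} requests, {a['bytes']} bytes, {a['first']} .. {a['last']}")
```

The point of keying the detection on the request log rather than on the file on disk is the one the investigation above makes: the tool was deleted after use, so a file integrity check run later finds nothing, while the access log still records the installation being exercised. The size threshold turns a single large response to a flagged script into a direct indicator that a table was exported; compare the `bytes` total per source against the expected size of the `user` table.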

Quote: “We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Source: vBulletin.com and vBulletin.org