vBulletin Flaw exploited

Hi all,

Servers running vulnerable installations of the vBulletin forum software have been targeted in the wild by hackers. The security flaw was patched by the developer earlier this month.

According to Symantec, since 5th November around 2,500 daily attempts to compromise servers by exploiting a serious vulnerability have been observed. The vulnerability was patched by vBulletin on November 2. The flaw, which can be exploited for remote code execution, affects vBulletin 5 Connect, versions 5.1.4 through 5.1.9.

All account passwords were reset after vBulletin released the patch, shortly after a hacker using the online moniker “Coldzer0” defaced the official vBulletin forum using a zero-day vulnerability. It looks like the patch was for the zero-day exploited by Coldzer0, even though vBulletin has not confirmed this as yet.

Malicious actors started exploiting the zero-day in the wild once it was made public on several websites. Apparently the attackers first send out requests designed to identify vulnerable vBulletin installations. When the attackers identify a vulnerable server, they download a malicious shell script to the compromised machine. This script steals sensitive information, including system and network details, user credentials, and private keys, from a predetermined list of 130 files and folders.

The Symantec blog post regarding this vulnerability read: “By compromising the servers for popular online forums, attackers can potentially carry out many more downstream attacks as these systems often have heavy traffic serving many users. Cybercriminals can use these compromised web servers to booby-trap the website, making it deliver malware to unsuspecting users of the site… Selling or hiring compromised server access to other criminals is also a common way for cybercriminals to generate revenue. There is also a market for servers that can be commandeered for performing distributed denial-of-service (DDoS) attacks against chosen targets. Servers often have a lot of available bandwidth and are prized by attackers who are interested in launching DDoS attacks, making them a valuable commodity on the underground market.”

Symantec data shows that the highest number of exploit attempts was recorded on November 7, at more than 2,500. The number has steadily declined since, to fewer than 500 attempts daily.

Stay tuned for more vulnerability alerts and news.

Source: Akati