BreachExchange mailing list archives

Attack on vBulletin board password stokes concerns of wide-ranging zero-day hacks


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 4 Nov 2015 21:02:29 -0600

http://www.scmagazineuk.com/attack-on-vbulletin-board-password-stokes-concerns-of-wide-ranging-zero-day-hacks/article/451761/

Software vendor rushes out security patch hours after breach of infrastructure
vBulletin hack will have widespread implications

A security patch has been hastily issued for the vBulletin forum software
after a hack on the developer's website leaked sensitive password data and
other information on nearly half a million subscribers.

The firm has put in place a mandatory password reset for all users
<http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332165-vbulletin-com-password-reset>
following the discovery that its infrastructure had been breached.

"Very recently, our security team discovered a sophisticated attack on our
network. Our investigation indicates that the attacker may have accessed
customer IDs and encrypted passwords on our systems," the firm said. "We
have taken the precaution of resetting your account password. We apologise
for any inconvenience this has caused but felt that it was necessary to
help protect your account."

It said that users should select a password they don't use elsewhere.

In a separate post
<http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4332166-security-patch-release-for-vbulletin-5-connect-versions-5-1-4-through-5-1-9>,
the firm referred to a security patch for versions 5.1.4 through 5.1.9 of
the vBulletin 5 Connect software.

This was in response to a hacker called "Coldzer0" who boasted about their
alleged exploits on various websites. The hacker has also uploaded a video
to YouTube and posted data on Facebook. Both of these uploads have since
been deleted.

In a post
<http://www.databreaches.net/vbulletin-foxit-software-forums-hacked-by-coldzer0-hundreds-of-thousands-of-users-info-stolen/>
co-authored with @Cyber_War_News, the hacker also claimed to have breached
the Foxit Software forums using the same vulnerability. With that breach,
the hacker said they had obtained 260,000 of Foxit's 537,000 user accounts
and questioned why their hacking attempts had not been detected.

Coldzer0 is believed to have collected personal data belonging to some
479,895 users across the two attacks. The data taken included user IDs, full
names, email addresses, security questions and their corresponding answers
(both in plain text) and salted password hashes.

Few details of how this attack was carried out are available at present,
beyond that the attacker reportedly exploited a zero-day vulnerability.
According to a report by Ars Technica
<http://arstechnica.com/security/2013/11/password-hack-of-vbulletin-com-fuels-fears-of-in-the-wild-0-day-attacks/>,
vBulletin.com suffered a similar breach in November 2013, which vBulletin
attributed to an insecure system used for testing vBulletin mobile
applications rather than to a zero-day vulnerability.

Jonathan Sander, vice president of Product Strategy at Lieberman Software,
told *SCMagazineUK.com* that the hack of a bulletin board is useful to
hackers as the usernames and passwords people use for one site, even a
bulletin board, may be the same they use for their bank, their credit cards
or their Apple ID.

“With that I can steal money, clone their credit cards, or pirate tons of
movies for free. Since vBulletin was widely used even by boards that are
considered secure like the boards over at the Defcon.org
<http://defcon.org/> security focused forums, this may be an opportunity
for bad guys to get things they would not normally get from careful
people,” he said.

“There's also an element of reputation. Many exploits are more like
graffiti than breaking and entering. This may be someone making a
reputation, and we see someone taking very public credit for it."

He added that the people most likely to be affected by the hack would be
the site admins “who will be sucking down caffeine as they patch, retool,
and attempt to mitigate any damage caused by this. The effects on the users
who had their details stolen will be a long tail that will dribble out over
time."

Sander said that organisations concerned about how the hack might affect
them should start by taking stock of their own exposure.

“Are you using vBulletin? Are you sure you're not? You had better be,” he
warned. “Only once you know where and if you are affected can you do
anything else. Right now even the security experts over at Defcon.org who
were using vBulletin have opted to simply shut down the affected sites and
wait to see what happens."

Tod Beardsley, security research manager at Rapid7, told SC that it
appeared that the attack was due to a SQL injection bug in vBulletin's
forum software.

“A patch has been released, and while it appears to resolve the issue that
led to the vBulletin Solutions compromise, the company has not yet issued a
statement that ties the attack and the patch together. Hopefully, vBulletin
Solutions' response to the incident will provide more detail for their
customers, sooner rather than later,” he said.

Beardsley added that organisations that rely on vBulletin to power their
community forums should apply this patch immediately.

“vBulletin is a popular target, since compromising a forum site can provide
an effective platform for a watering hole attack. In a watering hole
attack, customers of a particular company, or users that share a common
interest, can be effectively targeted via the trusted, but now compromised,
website. vBulletin itself is a popular community and forum platform, so an
unpatched bug in the platform can expose those downstream users to serious
risk,” he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
