Zero-day in vBulletin affects members, and MacRumors Forums

A Wednesday MacRumors Forums breach that affected hundreds of thousands is said to be related to a zero-day vulnerability in proprietary internet message board software vBulletin, which was also attacked last week.

Wayne Luke, a technical support lead for vBulletin, took to the forums on Friday to alert hundreds of thousands of members that their account information had been compromised. A hacker group known as Inj3ct0r Team has taken credit for the breach.

“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” Luke wrote in the post. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”

Inj3ct0r Team took credit for the attack on its Facebook and Twitter pages, where the group also took credit for breaching more than 800,000 MacRumors Forums accounts.

“Inj3ct0r Team hacked vBulletin.com and MacRumors.com,” the hacker group posted on Facebook. “We got shell, database and root server. We found a critical vulnerability in vBulletin all versions 4.x.x and 5.x.x. We've got upload shell in vBulletin server, download database and got root. MacRumors.com was based on vBulletin CMS. We use [zero-day] exploit on vBulletin, got password moderator.”

The remote code execution vulnerability is being offered for $7,000, in Bitcoins or WebMoney, on the Inj3ct0r Team website, although the group's site was up and down sporadically throughout Monday afternoon.

Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Monday that 15 Bitcoins – a little more than $7,000 – had been transferred to the Inj3ct0r Team Bitcoin address on Nov. 15.

“Bitcoin does something interesting,” Shteiman said. “It keeps logs of every transaction. If you look into logs of transactions, you can correlate them to breaches.”

Shteiman and his colleagues are responsible for researching a vBulletin vulnerability last month that allowed attackers to create new admin accounts, but the Imperva director said this most recent zero-day exploit has nothing to do with the October vulnerability.

When MacRumors Forums were attacked last week, Arnold Kim, MacRumors editorial director, likened the attack to the July breach of Ubuntu Forums. In that instance, an attacker compromised two million accounts after gaining access to a moderator role and taking advantage of vulnerabilities in vBulletin.

“We wanted to prove that nothing in this world is not safe,” Inj3ct0r Team posted on its Facebook page. “The network security is a myth.”
