Roughly 35,000 websites running the proprietary vBulletin message board software have been compromised by attackers exploiting a vulnerability that vBulletin's technical team quietly addressed at the end of August.
The root cause of the vulnerability has not been disclosed by the vBulletin team – a tech support lead recommended in late August that users delete the leftover install directories (“4.X - /install/” and “5.X - /core/install”) – but data security company Imperva conducted its own research and made a few discoveries.
“The vulnerability [we] found allows any attacker, even a simple attacker, to send a message to a vBulletin website and the effect of that attack is that the website now has a new admin account,” Barry Shteiman, director of security strategy with Imperva, told SCMagazine.com on Wednesday.
Once a user has control of an admin account they can do whatever they want, Shteiman said, explaining that he has seen affected sites – some of them belonging to Fortune 1000 companies – that have been defaced, injected with malware and drive-by malware, joined into botnets, and used as hijacked zombie servers.
“You can't get higher than admin on any system,” Shteiman said, explaining that the severity of the attack is amplified because the process has been simplified into a couple of tools. These malicious virtual instruments can be downloaded via hacker forums and activated at the press of a button, and the tools even have a clean user interface.
The first tool creates an administrator named Th3H4ck, Shteiman said, explaining that roughly 30,000 websites were compromised in this initial form of the attack. The creator of the second tool – said to be a researcher known on Twitter as @docindetectable – went the sneaky route in having the tool create a less suspicious administrator, named “supportvb,” which has affected roughly 5,000 sites.
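The two checks a site operator can act on from this report are the support lead's advice to delete the leftover install directories and the two administrator names the attack tools were reported to create. The script below is an added example, not code from Imperva, vBulletin or the article; it checks a web root for the `install` and `core/install` directories and scans an administrator list for the reported names. It goes one step further than the article and also flags any administrator account that is not on an operator-supplied allowlist, since a later tool could pick a different name. It assumes a CSV export of the vBulletin user table with `username` and `usergroupid` columns and assumes usergroup id 6 is the default Administrators group; the sample export and the temporary directory are constructed for the demonstration.

```python
import csv
import io
import os
import tempfile

# Leftover installer directories the vBulletin support lead advised deleting,
# as paths relative to the web root (4.X: /install/, 5.X: /core/install).
INSTALL_DIRS = ("install", "core/install")

# Administrator usernames the two attack tools were reported to create.
ROGUE_ADMINS = {"th3h4ck", "supportvb"}

# Assumption: usergroupid 6 is the default vBulletin Administrators group.
ADMIN_GROUP_ID = "6"


def find_leftover_install_dirs(webroot):
    """Return the installer directories that still exist under webroot."""
    return [rel for rel in INSTALL_DIRS
            if os.path.isdir(os.path.join(webroot, *rel.split("/")))]


def find_suspicious_admins(user_csv, known_admins):
    """Scan a CSV export of the user table (assumed columns: username,
    usergroupid) and return (username, reason) for every administrator that
    either matches a name used by the attack tools or is not on the allowlist."""
    allowlist = {name.lower() for name in known_admins}
    findings = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        if row["usergroupid"] != ADMIN_GROUP_ID:
            continue  # only administrator accounts matter here
        name = row["username"]
        if name.lower() in ROGUE_ADMINS:
            findings.append((name, "admin name created by a known attack tool"))
        elif name.lower() not in allowlist:
            findings.append((name, "admin account not on the allowlist"))
    return findings


# Constructed sample export: one legitimate admin, one moderator, the two
# reported rogue admin names, and an unknown admin that only the allowlist catches.
SAMPLE_USER_EXPORT = """userid,username,usergroupid,joindate
1,siteowner,6,2011-03-02
2,jane_mod,5,2012-07-14
3,Th3H4ck,6,2013-08-29
4,supportvb,6,2013-09-03
5,backup_admin,6,2013-09-05
"""


def demo():
    """Run both checks against constructed input and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        # Simulate a 5.X site whose core/install directory was never removed.
        os.makedirs(os.path.join(root, "core", "install"))
        leftover = find_leftover_install_dirs(root)
    admins = find_suspicious_admins(SAMPLE_USER_EXPORT, known_admins=["siteowner"])
    return leftover, admins


if __name__ == "__main__":
    leftover, admins = demo()
    for rel in leftover:
        print(f"leftover install directory present: {rel}")
    for name, reason in admins:
        print(f"suspicious admin {name!r}: {reason}")
```

Against a real site, point `find_leftover_install_dirs` at the document root and feed `find_suspicious_admins` an export of the `user` table with the real list of administrators as the allowlist; anything it returns deserves a look at when and from where the account was created.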
Shteiman said he was able to find out which sites were affected using simple Google searches, which, incidentally, is the same way attackers were able to discover what sites were vulnerable. The popular search engine can locate keywords in websites, so all the attackers needed to do was look up identifiers for vulnerable versions of vBulletin.
Shteiman said the hacker likely searched Google using a botnet because of how long it would take a user to conduct searches for more than 30,000 vulnerable websites, adding the attacker would probably be able to grab 10 to 50 websites before Google's security feature popped up with a CAPTCHA asking the user to prove they are human.
“If you're using third-party software that you haven't written in-house, make sure you constantly check for updates and security issues,” Shteiman said, adding this application security problem is not being addressed with the sense of urgency it deserves. “I expect a vendor to come out and tell its customers, 'We have a major vulnerability.'”