Attackers used the vulnerability in vBulletin to hack Comodo forums: 245,000 users were affected.
Last week, an exploit for the zero-day vulnerability CVE-2019-16759 in the vBulletin forum engine was published online. The bug allows an attacker to execute shell commands on a vulnerable server. Moreover, the attacker only needs to send a single crafted HTTP POST request and does not need an account on the target forum, so the problem belongs to the unpleasant class of pre-authentication vulnerabilities.
Security researchers have already observed attackers quickly adopting the bug. Although the vBulletin developers fixed the problem last week, not all forum administrators have upgraded yet.
The first major victim of this vulnerability is now known: Comodo has announced that its forums were compromised. The intrusion occurred on September 29, 2019 (almost four days after the patch was released), and the attackers were able to access information on 245,000 users.
“An unknown attacker exploited the recently discovered vBulletin vulnerability and potentially gained access to the forums database. User accounts on the forums contain information such as username, name, e-mail address, last IP used to access the forums and if used, potentially some social media usernames in very limited situations. All user passwords in the database were stored encrypted. Comodo forums currently have approximately 245,000 registered users,” Comodo reported.
It appears that the breach affected the forum at forum.itarian.com (ITarian), which runs vBulletin, while forums.comodo.com, which runs Simple Machines Forum, was not affected. However, Comodo representatives write that the hackers could have infiltrated both forums, as both “are in the same segment of the company’s infrastructure.” One theory is that the criminals broke into ITarian and then used stolen credentials to infiltrate the company’s other forums.
As a result of the breach, third parties could obtain logins, email addresses, names, hashed passwords, last used IP addresses and, in some cases, information about users’ social network accounts.
Bleeping Computer notes that a database containing the data of 170,000 Comodo forum users was put up for sale on the black market, with passwords protected only by weak MD5 hashing. The seller of the database claims that the data was obtained on September 29.
Registration on the affected forums is temporarily disabled, and Comodo representatives have apologized to users and assured them that all security problems have now been eliminated.
As a precautionary measure, we recommend that forum users immediately change their passwords and exercise good password practices, such as using strong random passwords and not sharing passwords across different Internet accounts. The account passwords were encrypted in vBulletin for the Comodo Forum users, but a password change is recommended as part of good password practice.