In early November, vBulletin forum software was hacked, most notably in an attack on the official vBulletin website that exposed critical customer data. vBulletin then issued a security patch and recommended that its users update as soon as possible. However, according to Bkav, users are still at high risk.
Specifically, just before Halloween, a hacker calling himself "Coldzer0" used SQL injection to exploit a zero-day vulnerability disclosed by Swedish hacker Exidous, took down the vBulletin.com website, and accessed and stole its data. After the attack, the hacker left the message "Hacked by Coldzer0" in the forum at vBulletin.com/forum/ and uploaded a shell.
vBulletin.com was then inaccessible and displayed a "down for maintenance" message for two days.
Foxit Software's forum, which runs vBulletin's forum software, was also reported to have been hacked through the same zero-day vulnerability.
These two attacks raise a serious question about the security of other websites running vBulletin's forum software.
On November 3, right after coming back online, vBulletin confirmed the attack and stated that customer IDs and encrypted passwords on its systems might have been accessed. It immediately applied a precautionary reset of all passwords, issued security patches for vBulletin versions 5.1.4 to 5.1.9 and recommended that users update as soon as possible.
However, according to Bkav, the risk for users remains high. Because vBulletin is a web-based platform, the patch is not applied automatically: users have to download it manually and then update their websites themselves. In addition, because the platform is web-based, hackers can reverse the patch to find the location of the vulnerability and then exploit systems that have not yet been updated. In fact, by November 4 the exploit had already been shared on the Internet. Therefore, users should update their systems immediately to avoid being exploited.
System administrators can also use Bkav's tool, vBulletin Checker, to check whether their systems are vulnerable. The tool is available at http://tools.whitehat.vn: open the link and enter your website URL to run the check.