Last night, a "security researcher" published a zero day exploit affecting VBulletin Forum software. Within minutes, VBulletin forums were being hacked. At around 2:30 AM MST this morning, the Organ Forum was compromised by this exploit.
I became aware of a problem with the Forum at 5:30 AM MST this morning when I tried to view the forum and was met with a 500 network error. In researching the problem, I found that suspicious files had been added to the Forum from which I was able to identify the time of the exploit. Because I was unable to access the Forum directly, I resorted to brute force methods to take the Forum off-line to reduce the possibility of additional damage to the site and its visitors. I spent the past 8 hours or so cleaning up the mess by removing suspect files and applying a patch that VBulletin made available early this afternoon.
Here's some further information in the form of Questions & Answers.
What is a Zero Day exploit?
A zero day exploit is a method to breach software that was previously unknown. Because of this, no security measures to combat it are in place.
Why was the Organ Forum Targeted?
The Organ Forum was not specifically a target for attack. Any site running the most recent versions of the VBulletin software was vulnerable. Attackers ran automated scripts that probed the Internet for VBulletin-based forums and installed the exploit on vulnerable versions.
Why was the Organ Forum running vulnerable software?
The Organ Forum always runs the most up-to-date version of software available. In fact, the Forum's software was updated to the most current version of VBulletin just last week. Because this was a zero day exploit, the exploited vulnerability was unknown prior to the attack and even the latest software versions were vulnerable.
Who is responsible for the attacks?
Indirectly, it was the "researcher" who published the exploit. Ethical researchers notify the software developers of vulnerabilities before going public with them to allow the developer time to develop and issue patches. In some instances, the researchers will publish the exploit if the developers ignore the warning and do not address the problem in a timely fashion. In this case, it's not clear whether VBulletin was given prior warning.
The direct attacks were made by hackers. Because the exploit was unknown until publicized, it's likely that there are numerous groups using the exploit for various purposes ranging from acquiring personal data to mischievous sabotage.
How did the hackers gain access to the Organ Forum Servers to run the exploit?
They didn't. The type of exploit employed is known as a "pre-authorization exploit." This means that it was not necessary for the attackers to be on the site or illicitly access the server to perform the exploit.
Is my personal information at risk?
The Organ Forum doesn't collect much in the way of sensitive personal information. It is possible that your Forum email address was compromised. Your Forum password is stored in a heavily encrypted format and is not readily viewable or usable. Of course, personal information that you make public in your profile or posts is available to everyone visiting the site, not just hackers.
Because there appear to be many different groups with different goals using this exploit, it's not possible to say whether any of our site data was compromised. The fact that the attack on this site broke the site likely thwarted some, if not all, of the information harvesting and limited the damage by preventing visitors from accessing the site.
What should I do?
It would be a good idea to change your Forum password just in case it was compromised by the attack.
https://organforum.com/forums/forum/...ge-my-password
If you visited the Forum between 2:00 and 9:00 AM MST (GMT-7) on September 25th, 2019, you should run a thorough virus scan on your computer or mobile device.
You should also practice good internet security measures by employing strong passwords, using different passwords for the sites you frequent, running regular virus scans, and keeping your operating system and browsers up-to-date with the latest security patches.
Is the Organ Forum safe now?
All suspicious files have been removed from the site, and the software patch plugging the vulnerability from VBulletin has been applied. So for now, the site is safe, but as should be obvious, there are zero day vulnerabilities lurking in most software, so there's always a risk. That's why you should practice proper security measures as a second line of defense.