In a statement published on their forums a couple of days ago, vBulletin’s Wayne Luke revealed that their security team discovered a sophisticated cyberattack on their systems.
“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems,” Luke noted.
The attack appears to be related to the one on MacRumors. Members of Inj3ct0r Team have told Softpedia that they’re responsible for both the attack on MacRumors and the one on vBulletin.
The hackers claim to have leveraged a “critical vulnerability” in vBulletin versions 4.x.x and 5.х.x. They say they’ve exploited the same zero-day vulnerability to breach MacRumors.com.
“We've got upload shell in vBulletin server, download database and got root,” the hackers said via email. “Macrumors.com was based on vBulletin CMS. We use 0day exploit on vBulletin, got password moderator. 860000 hacked too. The network security is a myth.”
They’ve even published a few screenshots to prove their point. Inj3ct0r Team have put the vBulletin v4.x.x and 5.х.x shell upload / remote code execution exploit up for sale on 1337day.com.
After learning about the existence of the zero-day, DEF CON has decided to shut down its forum until the issue is addressed.
“We have disabled the forums until there is resolution on a possible vulnerability. Once we have a fix/patch installed, we'll re-open service. Thanks! Sorry about the down-time,” DEF CON representatives noted.
A hacker using the online moniker “lol” took credit for the attack on MacRumors.com a few days ago. He also claimed that a moderator’s password had been involved in the attack. We haven’t been able to find out if there’s a connection between “lol” and Inj3ct0r Team.
So far, vBulletin representatives haven’t issued any statement regarding the vulnerability. Meanwhile, more vBulletin users have announced their intentions to disable their forums until this is sorted out.