Botnet exploits recent vBulletin flaw to protect its bots

Security expert Troy Mursch of Bad Packets reported that a botnet is exploiting the recently disclosed vBulletin exploit to block other attackers from also using it.

The security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. This technique is not new and allows botmaster to preserve their own botnet.

Early this week, an anonymous security researcher publicly disclosed a zero-day remote code execution flaw, tracked as CVE-2019-16759, in the vBulletin forum software and the exploit code to trigger it.

The vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 till the latest 5.5.4.

The zero-day flaw in the forum software resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters. The expert discovered that the package fails to validate the parameters, an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.

The threat actor behind the botnet uses the exploit to hack into vulnerable servers, then configures them to require a password to execute commands.

The above images show how the attacker modifies the source code in the includes/vb5/frontend/controller/bbcode.php file in order to request a password for the command execution. The above image also shows the password used by the botmaster to protect the systems he had infected, this means that another attacker could use it to send commands to the system.

According to Mursch, most of the attacks come from Brazil, Vietnam, and India.

Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, confirmed that the vBulletin flaws has been privately circulating for years.

“The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.” reported Ars Technica.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.