Hackers claim vBulletin 0-Day allowed them access to DEF CON forums

A group calling itself Inj3ct0r Team claims to have obtained a backup copy of the DEF CON user forum, using a Zero-Day vulnerability in vBulletin to pull it off. The group used this same vulnerability to attack MacRumors last week, and more recently vBulletin.com.

On Friday, vBulletin alerted customers that they’ve “discovered sophisticated attacks” against their network, which resulted in the attackers gaining access to customer IDs and encrypted passwords on the vBulletin.com forums. As a result, vBulletin reset forum passwords.

As mentioned, it would appear that the vBulletin breach, as well as the MacRumors breach last week, are connected, and the person(s) responsible are selling the Zero-Day vulnerability used to pull them off.

The vulnerability, which impacts all versions of vBulletin 4.x and 5.x, went on sale two-days after MacRumors was breached, and 24-hours before vBulletin confirmed they were attacked. It’s currently available for $7000 USD.

The timing of the attacks and the sale announcement gives some credibility to Inj3ct0r Team’s claim that they were responsible. However, aside from some random screenshots of web shell access, and a database table listing, there isn’t much known about the flaw itself. I’ve attempted to contact them to learn more about the flaw, but I doubt they’ll talk to a member of the press.

In addition to the vBulletin.com and MacRumors attacks, the group also claims to have made a backup of the DEF CON forums, and other sites of interest.

On Sunday, the DEF CON forums were closed due to the public disclosure of the vBulletin flaw, promising to return once the issue has been addressed. However, on Facebook, the Inj3ct0rTeam claimed they were too late.

“Inj3ct0r Team closed http://forum.defcon.org/ powered by [vBulletin]. You are late, we made a backup sites that we care about you too. LOL,” the group wrote.

I’ve reached out to a few DEF CON contacts to confirm these claims. For now, it’s best to take a better safe than sorry approach, and assume the Zero-Day as well as the backup claims are legit. As such, if you have accounts on a domain powered by vBulletin, you should take the proper precautions.

I’ll update this post with additional information as I receive it.

In an email sent long after this post was published. Internet Brands (the parent of vBulletin) denounced Inj3ct0r Team’s claims. vBulletin’s Wayne Luke had the following to say:

“Given our analysis of the evidence provided by the Inject0r team, we do not believe that they have uncovered a 0-day vulnerability in vBulletin. These hackers were able to compromise an insecure system that was used for testing vBulletin mobile applications. The best defense against potential compromises is to keep your system running on the very latest patch release of the software.”

I was in contact with someone answering email from the Inj3ct0r Team email address, but they stopped talking when pressed for details about the vulnerability, and proof that they’ve obtained a backup of the DEF CON forums.