Botnet exploits recent vBulletin flaw to protect its bots

Security expert Troy Mursch of Bad Packets reported that a botnet is exploiting the recently disclosed vBulletin exploit to block other attackers from also using it.

The security expert Troy Mursch observed a botnet that it utilizing the recently disclosed vBulletin exploit to secure vulnerable servers to avoid that can be compromised by other threat actors. This technique is not new and allows botmaster to preserve their own botnet.

The initial wave of botnet activity targeting vBulletin sites vulnerable to CVE-2019-16759 started around 14:00 UTC yesterday and lasted for about 5 hours.The exploit activity modified code in “bbcode.php” to enable exclusive RCE access to the botnet operator.#threatintel— Bad Packets Report (@bad_packets) September 26, 2019Early this week, an anonymous security researcher publicly disclosed a zero-day remote code execution flaw, tracked as CVE-2019-16759, in the vBulletin forum software and the exploit code to trigger it.

The vulnerability could be exploited remotely by an unauthenticated attacker. The PoC exploit published by the hacker works on vBulletin versions 5.0.0 till the latest 5.5.4.

The zero-day flaw in the forum software resides in the way an internal widget file of the forum software package accepts configurations via the URL parameters. The expert discovered that the package fails to validate the parameters, an attacker could exploit it to inject commands and remotely execute code on the vulnerable install.

The threat actor behind the botnet uses the exploit to hack into vulnerable servers, then configures them to require a password to execute commands.

The above images show how the attacker modifies the source code in the includes/vb5/frontend/controller/bbcode.php file in order to request a password for the command execution. The above image also shows the password used by the botmaster to protect the systems he had infected, this means that another attacker could use it to send commands to the system.

According to Mursch, most of the attacks come from Brazil, Vietnam, and India.

Chaouki Bekrar, founder and CEO of the Zerodium exploit broker, confirmed that the vBulletin flaws has been privately circulating for years.

The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years— Chaouki Bekrar (@cBekrar) September 25, 2019“The availability of a working exploit is aggravated by another publicly posted script that uses the Shodan search site to find vulnerable servers. Attackers can use it to generate a list of vBulletin sites that are susceptible and then use the exploit to take them over.” reported Ars Technica.

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – vBulletin, hacking)

The post Botnet exploits recent vBulletin flaw to protect its bots appeared first on Security Affairs.