    Announcement: Zero-Day InstaKilla Attack ---> vBulletin Forum Software, September 2019

    On 24th September a vBulletin exploit was publicly disclosed. TKNZ and thousands of other forums use this software; the now well-publicised hack gives the hacker 'full root access' and effectively deletes all website data, replacing it with a ransom demand.

    TKNZ was attacked and brought down within a couple of days, and by yesterday morning all that was left was this page, basically a ransom note:

    [Image: zdattack.2.jpg (screenshot of the ransom page)]


    Our tech team at Wellington Websites got on top of the problem, working actively to minimise the predation, and later on vBulletin publicly released a patch for the exploit. 24 hours later the site is up and running again, but data from the last 4 days is lost, since the most recent full backup was 22nd September.

    Uploading the entire 10GB+ of forum data and the subsequent total site restoration took many, many hours of tireless work, and ultimately we had to pay an outside specialist to complete this morning's final database restoration.

    FWIW: It is seriously 'big business', this skullduggery. See below the following 'fee structure', i.e. what an 'acquisition platform for premium zero day exploits' will pay developers of these malicious and destructive 'tools' in order to create chaos and hold people to ransom.

    'Zerodium is the world-leading acquisition platform for premium zero-days exploits and advanced cybersecurity research. We pay BIG bounties, not bug bounties!' - Zerodium

    [Image: zdattack.png (Zerodium's published payout table for zero-day exploits)]



    TKNZ greatly appreciates members' various offers of assistance and is particularly grateful for the large volume of technical work by our Web Master (Michael) from Wellington Websites.
    Last edited by Admin; 27-09-19, 10:26.

  • #2
    That was quick! Well done everyone! Michael must be a bit of a legend.
    Some of us thought the site was a goner to begin with, happy days again.
    Last edited by Sarbie; 27-09-19, 09:09.
    I was a one watch guy until I got my first SEIKO



    • #3
      Must admit I feared the worst when I saw the ransom page. Great work getting it all back up again.

      This is also I think a good time for members to re-evaluate their personal security settings, passwords, email address (used for signing up to forums etc) and general impact of their internet 'footprint'. Getting your identity stolen is no laughing matter, and the hackers are not just kids doing it for sh*ts and giggles, it's big (and scary) business.

      A good place to start:

      https://haveibeenpwned.com/

      https://haveibeenpwned.com/Passwords
      If I think of something witty, I'll be sure to write it here.
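      The second link above (haveibeenpwned.com/Passwords) can be queried without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to the range endpoint, and looks for the remaining 35 characters in the list that comes back (k-anonymity). The block below is an added example, not code from the forum or from haveibeenpwned.com; the range response it parses is constructed here, with made-up counts, so it runs offline. The live fetch function hits the real `https://api.pwnedpasswords.com/range/{prefix}` endpoint and is only used when you call it yourself.

```python
"""Pwned Passwords style k-anonymity check. Added example with a constructed
range response; only fetch_range_live() talks to the real service."""
import hashlib
from urllib.request import Request, urlopen

# Constructed stand-in for what GET /range/5BAA6 might return: one
# "SUFFIX:COUNT" per line. Real responses have hundreds of lines and the
# counts below are invented; only the sha1("password") suffix is real.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # sha1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:7",
    ]),
}


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_constructed(prefix):
    """Offline stand-in for the range endpoint (constructed data above)."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix.upper(), "")


def fetch_range_live(prefix):
    """Real endpoint. Only the 5-character prefix leaves your machine."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "forum-password-check-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_constructed):
    """How many times the password appears in the breach corpus (0 = not seen).
    The full hash is never transmitted; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times (constructed data)")
    # To check against the real corpus: pwned_count(pw, fetch_range_live)
```

      A non-zero count means the exact password is in public breach dumps and will be among the first guesses in a credential-stuffing run, whatever site it is used on.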



      • #4
        Was the membership database exposed - I.e. passwords and contact email addresses?



        • #5
          Originally posted by kiwi.bloke:
          Was the membership database exposed - I.e. passwords and contact email addresses?
          I don't know for sure (but most likely yes as full root control is the exploit). Certainly don't want to sound alarmist but it is just good practice to regularly change passwords and never use the same password twice. My advice for anyone using forums, such as us here at TKNZ, is to set up an email (Gmail or somesuch) which doesn't expose your identity if compromised, and use that one, or variants of, to register your username and access. And always use a secure password. Set up 2-step verification on any email where you get the opportunity to do so.

          An example:
          My sign-in email for here is a Gmail account (eg. madeupname <AT>gmail.com), and the registered details of that Gmail account are not my real name either. The account is used only for signing up to forums and other crap on the internet.
          If I think of something witty, I'll be sure to write it here.



          • #6
            That's excellent advice sjb, and let's ask the Web Tech people about this also, but I don't think it's that sort of attack. If you google 'zero day vBulletin' there's quite a bit of specific info... I don't think the intention was theft but rather threat of destruction (i.e. hostage taking for ransom). Will find out more on this, but afaik we've not been told to change passes or anything.

            Originally posted by kiwi.bloke:
            Was the membership database exposed - I.e. passwords and contact email addresses?
            Harlan
            Timekeeper Watch Club
            New Zealand, Pacific Ocean, Earth



            • #7
              Yes - ransom is the first port of call for the hackers. After that they auction off the databases containing usernames/passwords, and the naughty people of the internet use those to try to steal your money. The haveibeenpwned website will let you know if your email or a password you used has been breached.
              If I think of something witty, I'll be sure to write it here.



              • #8
                Originally posted by sjb:

                I don't know for sure (but most likely yes as full root control is the exploit). Certainly don't want to sound alarmist but it is just good practice to regularly change passwords and never use the same password twice. My advice for anyone using forums, such as us here at TKNZ, is to set up an email (Gmail or somesuch) which doesn't expose your identity if compromised, and use that one, or variants of, to register your username and access. And always use a secure password. Set up 2-step verification on any email where you get the opportunity to do so.

                An example:
                My sign-in email for here is a Gmail account (eg. madeupname <AT>gmail.com), and the registered details of that Gmail account are not my real name either. The account is used only for signing up to forums and other crap on the internet.
                Ideally, even with root access the membership data is still scrambled with random data, so without a key it's useless, but not sure how that stuff is handled by the forum admin.



                • #9
                  Indeed, in most cases there shouldn't be too much to be alarmed about, but security is only as good as the weakest link. You've no definite guarantee about your data on the internet or any server, so always best to err on the side of caution.
                  If I think of something witty, I'll be sure to write it here.



                  • #10
                    This is what Wellington Websites have to say, so an e-mail will be sent out asking members to reset their passes.

                    ‘Regarding the user email addresses, names, and passwords:
                    • Names and email addresses are stored in MySQL in readable text form.
                    • Passwords are encrypted
                    However, since they had full root access they would have the ability to have taken the encryption key as well.

                    There currently is no method to FORCE a password reset on all users.

                    Please send out a general email to all users to please RESET their password.’

                    Harlan
                    Timekeeper Watch Club
                    New Zealand, Pacific Ocean, Earth



                    • #11
                      Originally posted by harlansmart:
                      This is what Wellington Websites have to say so e-mail will be sent out asking members to reset their passes.

                      ‘Regarding the user email addresses, names, and passwords:
                      • Names and email addresses are stored in MySQL in readable text form.
                      • Passwords are encrypted
                      However, since they had full root access they would have the ability to have taken the encryption key as well.

                      There currently is no method to FORCE a password reset on all users.

                      Please send out a general email to all users to please RESET their password.’
                      In my view, and this would be in line with the input sjb and others above have made, what is really at stake is not an outsider gaining access to your Timekeeper account, but that too many internet users tend to use the same combination of username (or email address) and password across a number of websites they are registered on. For instance, the email address you register with TKNZ and its corresponding password may be the same pair that you use for internet banking, utilities and telco accounts, TradeMe, and other online shopping sites. Generally, these types of websites utilize security encryption levels that are much higher than those used on more casual-type websites, such as general interest/hobby forums.

                      So, in breaking into a site whose users are less concerned about security, thinking none of their credit card details etc. are stored there, the intruder can obtain pairs of email address and password, some of which can be used on the more sensitive websites where that same pair is used. One very common tactic for obtaining usernames/passwords is not hacking into any server at all, but simply luring users into registering for freebies (free access, free games, etc.), knowing that many people will register using the same combination of username/password as they do on more sensitive websites. In that sense, resetting our passwords on Timekeeper would be ineffective, as the intruder would already have the pairing.

                      The more appropriate action would be that, if the username or email address that you use for TKNZ is the same pair that is used on other websites you are registered on, RESET THE PASSWORDS ON THOSE OTHER SITES.
                      On the instruments we entrust to pace our lives, to bear witness to our days, and to be the keepers of the most precious thing we have... time.
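                      Two points from #10 and #11 are worth seeing in code: what the contractor calls "encrypted" passwords are, in a properly built forum, one-way hashes (there is no key for an intruder to take), and a dumped user table still matters because weak passwords under a fast hash can be guessed offline and the recovered email/password pairs then tried on other sites, which is exactly the reuse problem #11 describes. The block below is an added example, not the forum's or vBulletin's code. The "legacy" scheme mirrors the salted-MD5 construction forum software of that era commonly used (this page does not state which scheme TKNZ's installation ran), the modern scheme is PBKDF2-SHA256 from Python's standard library, and every user row, password and wordlist entry is constructed for the demo.

```python
"""Hashing vs. encryption, offline guessing, and credential reuse.
Added example; all data below is constructed."""
import hashlib
import hmac
import os


def legacy_hash(password, salt):
    """Fast scheme in the style of old forum software: md5(md5(pw) + salt).
    Cheap to compute, so an attacker holding the table can guess cheaply."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def hash_password(password, iterations=600_000, salt=None):
    """Slow, salted one-way hash. Nothing stored here turns the hash back
    into the password, so there is no 'encryption key' for root to steal."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "hash": dk.hex()}


def verify_password(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_legacy(rows, wordlist):
    """Offline dictionary attack on a dumped legacy-hash table: for each row
    hash every guess with that row's salt until one matches."""
    cracked = {}
    for row in rows:
        for guess in wordlist:
            if hmac.compare_digest(legacy_hash(guess, row["salt"]), row["hash"]):
                cracked[row["email"]] = guess
                break
    return cracked


def reused_elsewhere(cracked, other_site):
    """Credential stuffing: try each recovered email/password pair against
    another site's records. Returns the emails whose password was reused."""
    hits = []
    for email, password in cracked.items():
        record = other_site.get(email)
        if record is not None and verify_password(password, record):
            hits.append(email)
    return sorted(hits)


# Constructed "leaked forum table" (not TKNZ data): emails in clear, legacy hashes.
FORUM_ROWS = [
    {"email": "alice@example.com", "salt": "k3Pq", "hash": legacy_hash("seiko123", "k3Pq")},
    {"email": "bob@example.com",   "salt": "Zz9m", "hash": legacy_hash("rolex!", "Zz9m")},
    {"email": "carol@example.com", "salt": "Q7xw", "hash": legacy_hash("Tz8#vL!q2Rp$9Wn", "Q7xw")},
]
WORDLIST = ["password", "123456", "seiko123", "omega", "rolex!", "watches"]

# Constructed "other site" (a shop, say) that hashes properly; alice reused
# her forum password there, bob did not, carol has no account.
DEMO_ITERATIONS = 100_000  # lowered to keep the demo quick; keep the default in production
OTHER_SITE = {
    "alice@example.com": hash_password("seiko123", DEMO_ITERATIONS),
    "bob@example.com":   hash_password("a-different-long-passphrase", DEMO_ITERATIONS),
}

if __name__ == "__main__":
    found = crack_legacy(FORUM_ROWS, WORDLIST)
    print("cracked from the dump:", found)          # alice and bob, not carol
    print("reused on the other site:", reused_elsewhere(found, OTHER_SITE))
```

                      Carol's long random password survives the dictionary even under the weak scheme; alice's does not, and because she reused it, the stronger hashing on the other site does nothing to protect her account there. That is why the advice in #11 (reset the password everywhere the same pair was used) is the one that actually helps.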



                      • #12
                        To all the good advice given above I would recommend NOT to click on any links in an email asking you to reset your password, unless you are absolutely certain that the link address has not been compromised. Use your normal access method for the web site instead. Once the scammers have your email address it's easy to set up a page looking like the real thing, but made to capture your old and/or new password. I've received a few of these through the years.

                        Also, a secure password manager can make life tolerable so you don't have to remember a plethora of passwords, and can use a different one for each site. Personally I use the free KeePass2, but there are numerous others available.
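                        The check #12 recommends before clicking a reset link can be made mechanical: the host in the link must be exactly one you would type yourself, over HTTPS, with none of the tricks phishing mail relies on (a `user@host` prefix that hides the real host, a lookalike subdomain such as `forum.example.com.evil.net`, or a non-ASCII/punycode host that renders like the real name). The block below is an added example, not the forum's code; the expected hosts and every URL in it are constructed placeholders.

```python
"""Reject password-reset links that do not point at the host you expect.
Added example; EXPECTED_HOSTS and all URLs are constructed placeholders."""
from urllib.parse import urlsplit

# Hypothetical: the exact host(s) you would type yourself to reach the forum.
EXPECTED_HOSTS = {"forum.example.com", "www.example.com"}


def check_reset_link(url, expected_hosts=EXPECTED_HOSTS):
    """Return (ok, reason). Conservative: anything unusual is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    # 'https://forum.example.com@evil.net/' really goes to evil.net
    if "@" in parts.netloc:
        return False, "credentials in URL (user@host trick)"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    # Cyrillic 'o' in 'forum', etc., renders like the real name
    if not host.isascii():
        return False, "non-ASCII host (possible homograph)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible homograph)"
    # Exact match only: 'forum.example.com.evil.net' is not a subdomain of ours
    if host not in expected_hosts:
        return False, f"host {host!r} is not one of {sorted(expected_hosts)}"
    return True, "host matches"


if __name__ == "__main__":
    samples = [  # constructed
        "https://forum.example.com/reset?token=abc123",
        "http://forum.example.com/reset?token=abc123",
        "https://forum.example.com.evil.net/reset",
        "https://forum.example.com@evil.net/reset",
        "https://xn--frum-example-abc.com/reset",
        "https://f\u043erum.example.com/reset",
    ]
    for url in samples:
        ok, why = check_reset_link(url)
        print("OK  " if ok else "BAD ", url, "-", why)
```

                        Even when a link passes, the safer habit from #12 still applies: open the site by your usual route and change the password from there rather than following the mail.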



                        • #13
                          Gents

                          as a side note to this.

                          My email account was "hacked" (misused) last night!
                          I woke to find I couldn't send emails, as my 1200 per day limit had been reached according to my service provider.
                          I received around 100 undeliverable messages to my account this morning, so someone must have been using it for marketing some shit or other.

                          I have had the provider reset everything. I have changed my passwords, but not soon enough obviously.
                          It could be a coincidence but worth sharing.

                          cheers
                          “Strong people are harder to kill than weak people and more useful in general.”


                          Despite having the numbers, there is the crazy man in the mountains that none of the tribes will go near!
                          Always aim to be that man.

