Rewterz Threat Alert – Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496

September 4, 2020

Severity

High

Analysis Summary

In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites. When a patch was released for this vulnerability, attackers were able to bypass the patch, resulting in the vBulletin pre-auth RCE vulnerability CVE-2020-17496. Recently, exploits in the wild leveraging this new vulnerability have been detected. More than 100,000 sites are built on vBulletin, including the forums of major enterprises and organizations, so it’s imperative to patch immediately.

Impact

  • Remote Code Execution
  • Unauthorized Access

Affected Products

vBulletin

Indicators of Compromise

Source IP

  • 66[.]7[.]149[.]161

Remediation

  • Update to a patched version released in August: https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
  • Block the threat indicators at their respective controls.