Severity
High
Analysis Summary
In September 2019, a remote code execution (RCE) vulnerability, CVE-2019-16759, was disclosed in vBulletin, a widely used forum platform. By exploiting it, an attacker could gain privileged access to and control over any vBulletin server running versions 5.0.0 through 5.5.4, and potentially lock organizations out of their own sites. After a patch was released, attackers found a way to bypass it, which led to the pre-authentication RCE vulnerability CVE-2020-17496. In-the-wild exploitation of this newer vulnerability has recently been detected. More than 100,000 sites are built on vBulletin, including the forums of major enterprises and organizations, so patching immediately is imperative.
Impact
- Remote Code Execution
- Unauthorized Access
Affected Products
vBulletin
Indicators of Compromise
MD5
- d3a9053c224aec460ab3e7a348c9ec77
- 12d6f94bce213b7adf74f1f4472338de
- a925cb70a05a1127944b1122ffa068fb
- 40c0511ce8329c529a0712248b6ecaeb
- 47851dfea8937c5bbe3ca846440ab544
- 7242441af1f4d7916439f0b3f356ca2a
- db72b7740cdbb0f83da3300e0a5bae43
- 2cb0c59eebfbab2a67c68df8a457d2d2
- cc20021df70f82d7830dd5a6ff531f00
- 5fab9e409f3594e57e5635854b9d27f4
- 74e9391f94026c42d3b150beeccdce8b
- 8ff1d8967def905f89a514851502f976
- 31e182ec94514a8c29cbeed338beec1f
- 5f1453e1db1106b6e292f275b3f71948
- 4197e0c970e6fdddb409034cac29d3b6
- 87cd05a004898a4baa4f741d1cc90f61
- d92a0cc002318bb2f6b80313cadc8090
- ede21e6b026cd3dacb1c555a34f8c5f7
- db88664d33dfbd9afa8333049524b18e
SHA-256
- fd63b9c7e9dce51348d9600f67139ea8959fdbbca84d505b5e9317bbdca74016
- 03bfec4e039805091fe30fa978d5ec7f28431bb0fca4b137e075257b3e1c0dd4
- b4cb04709f613b5363514e75984084ef1d3eaba7c50638b2a5a284680831b992
- 94f02ea10b4546da71bd46916f0fe260b40c8ed4deccf0588687e62ca3819ad7
- bd72be4f7d64795b902f352e47b1654eaee6b5a71cddfaf2c245dba1b2d602eb
- 77b4f7f0d66a0333d756116eaae567a8540392f558c49d507bf6da10bd047fe3
- 051baaabf205c7c0f5fd455ac5775447f9f3df0cc9bc5f66f6d386f368520581
- 8b5810e07cf21ebb1c2ff23c13ce88022c1dd5bc2df32f4d7e5480b4ddb82de2
- ded23c3f5f2950257d8cfb215c40d5f54b28fde23c02f61ce1eb746843f43397
- 80fb66c6b1191954c31734355a236b7342dc3fd074ead47f9c1ed465561c6e8c
- f30bb52c0e32dfe524fc0dfda1724a1ffb88647c39c33a66dfd66109fecceec7
- 1900e09983acf7ddc658b860be7875a527bc914cbffcf0aaff0b4182ecef047b
- c379139347470254f19041f05e19f5454750e052f04f6d377ec8df19ce959519
- 39b6d72101adae2b71815328599f8e67ee27955849dfb3825c5b2731d504696b
- 0747988a77c89c1267a882b663fbd4168e25aed239fb1553e65bb4ac74ecda67
- 99d06d1c82af244b1533c1173ca10da7f29bfbf753073f20f5dc7a0016152a4c
- 372ab5c1c23d198b594353239a96d6cf620cc56588f5fdf5dfb32919dd019020
- 9572a532c08f81d7957ffd4639f95c34a2085f119fa426d8ea911af72bfd0b4a
- 113ad91a1aab3abcd704fe8670fbc043f049586462a4c58dabdd44c14519ea66
- 6f01ef6670ecd79f9b322dd8521bc13a73037e7f84fa9aad35d11d964d8f9e60
- 2960748648bc2cd1b3db5e1e1ce9931a6588d65ae91c6d09e6b8bf2d78b00263
SHA-1
- 312c4e99cd52aa025f8c7988c50104546f5ce6da
- cf766d1d6073b91200dfe02beed8e4407937e448
- 95c0768e89cec18206c3ef29996ab3c8029ec2cc
- 01d5ac4c6aea3a6933a29e9150d1effb7f68bb46
- 24db35c34da2d5248b07de68e38caab537fd02d3
- b5d8fdbd2aa7a3a03fcb85448f9fb0eb77e47f9e
- 96fc7a19ec3cbbaeba1d43b2eb3387d0a07d1420
- f4fce45d3ea84ffe6bce11eb11e480248eb5c275
- 4fd96cd781faf3b6f3abd684ad0286674bab2ac0
- cd8cabe976c4ce0334186ef6786c99ba2a0ae0a2
- dbbda767b6b5fff50a3ef808cbcfba71c8978478
- d1f4423d9a2b2ae369d64d2034e0f589fd06e54d
- bf5c05b10a6ba305848db6bdcabeb8193c16b519
- 3ce898a0df169e1a26dc5be02a77d40e683a2298
- 3b614de8370629e0fcfa6652c765fdbb6b5e4754
- 461fc91a6a3e5656f66819ca26b3449e2de589cb
- 0cc83b7336acc41f54e3061e2b21b6553ac30160
- 3516293e423426280c87be61cf1a820335f1c1c5
- ed4ded0ea0e24e9241a6279136e99df62cd25b07
Source IP
- 66[.]7[.]149[.]161
Remediation
- Update to a patched version released in August:
- https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
- Block the threat indicators at their respective controls.
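The indicator lists above and the "block the threat indicators" step can be turned into a simple check. The following is an added example, not Rewterz code: it parses an excerpt of the alert's IoC section in the list format used here (hash type inferred from digest length, the defanged source IP refanged for comparison), hashes files under a directory in one pass and reports any whose MD5, SHA-1 or SHA-256 is listed, and flags access-log lines whose client address is the listed source IP. The log lines are constructed for the demonstration; only a few of the alert's hashes are embedded, so paste the full section into `IOC_TEXT` before using it.

```python
"""Match the advisory's indicators against local files and web-server logs.

Added example, not Rewterz code. It assumes the IoC section is pasted in the
list format used in the alert: '- <hash>' lines under MD5 / SHA-1 / SHA-256
headers and a defanged address under 'Source IP'.
"""
import hashlib
import re
import sys
from pathlib import Path

# Constructed excerpt of the alert's IoC section (values copied from it);
# paste the whole section here in practice.
IOC_TEXT = """
MD5
- d3a9053c224aec460ab3e7a348c9ec77
- 12d6f94bce213b7adf74f1f4472338de
SHA-256
- fd63b9c7e9dce51348d9600f67139ea8959fdbbca84d505b5e9317bbdca74016
- 03bfec4e039805091fe30fa978d5ec7f28431bb0fca4b137e075257b3e1c0dd4
SHA-1
- 312c4e99cd52aa025f8c7988c50104546f5ce6da
- cf766d1d6073b91200dfe02beed8e4407937e448
Source IP
- 66[.]7[.]149[.]161
"""

# Constructed Apache-style access log lines used to demonstrate the log check.
LOG_LINES = [
    '66.7.149.161 - - [10/Sep/2020:09:12:01 +0000] "POST /forum/index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Sep/2020:09:12:07 +0000] "GET /forum/ HTTP/1.1" 200 2048',
]

# A list item holding a 64-, 40- or 32-character hex digest (SHA-256, SHA-1, MD5).
HASH_RE = re.compile(r"^-\s*([0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\s*$")
# A list item holding a defanged IPv4 address such as 66[.]7[.]149[.]161.
IP_RE = re.compile(r"^-\s*(\d{1,3}(?:\[\.\]\d{1,3}){3})\s*$")


def parse_iocs(text):
    """Return (md5s, sha1s, sha256s, ips). Hash type is taken from the digest
    length, so the MD5 / SHA-1 / SHA-256 headers can appear in any order."""
    by_len = {32: set(), 40: set(), 64: set()}
    ips = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_RE.match(line)
        if m:
            digest = m.group(1).lower()
            by_len[len(digest)].add(digest)
            continue
        m = IP_RE.match(line)
        if m:
            ips.add(m.group(1).replace("[.]", "."))  # refang for comparison
    return by_len[32], by_len[40], by_len[64], ips


def digest_stream(chunks):
    """Compute MD5, SHA-1 and SHA-256 of a byte stream in a single pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def match_digests(digests, md5s, sha1s, sha256s):
    """Return the first of (md5, sha1, sha256) that is a listed IoC, else None."""
    for digest, known in zip(digests, (md5s, sha1s, sha256s)):
        if digest in known:
            return digest
    return None


def scan_files(root, md5s, sha1s, sha256s):
    """Return [(path, matched_digest)] for files under root that match an IoC."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            digests = digest_stream(iter(lambda: f.read(1 << 20), b""))
        hit = match_digests(digests, md5s, sha1s, sha256s)
        if hit:
            hits.append((str(path), hit))
    return hits


def match_log(lines, ips):
    """Return access-log lines whose client address (first field) is a listed source IP."""
    return [line for line in lines if line.split(" ", 1)[0] in ips]


if __name__ == "__main__":
    md5s, sha1s, sha256s, ips = parse_iocs(IOC_TEXT)
    for line in match_log(LOG_LINES, ips):
        print("log hit:", line)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_files(root, md5s, sha1s, sha256s):
        print("file hit:", path, digest)
```

Run it as `python3 ioc_check.py /var/www/forum` (path is an assumption) to hash the web root; a file hit names the matching digest so it can be traced back to the alert's list, and the log check only looks at the client field, so feed it raw access-log lines rather than pre-parsed records.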