Rewterz Threat Alert – Cyrat Ransomware Targets Windows Users

September 4, 2020

Rewterz Threat Alert – Thanos Ransomware: Destructive Variant

September 7, 2020

Rewterz Threat Alert – Exploits in the Wild for vBulletin Pre-Auth RCE Vulnerability CVE-2020-17496

September 4, 2020

Severity

High

Analysis Summary

In September 2019, a remote code execution (RCE) vulnerability identified as CVE-2019-16759 was disclosed for vBulletin, a popular forum software. By exploiting this vulnerability, an attacker could have gained privileged access and control over any vBulletin server running versions 5.0.0 up to 5.5.4, and potentially lock organizations out from their own sites. When a patch was released for this vulnerability, attackers were able to bypass the patch, resulting in the vBulletin pre-auth RCE vulnerability CVE-2020-17496. Recently, exploits in the wild leveraging this new vulnerability have been detected. More than 100,000 sites are built on vBulletin, including the forums of major enterprises and organizations, so it’s imperative to patch immediately.

Impact

Remote Code Execution
Unauthorized Access

Affected Products

vBulletin

Indicators of Compromise

MD5

d3a9053c224aec460ab3e7a348c9ec77
12d6f94bce213b7adf74f1f4472338de
a925cb70a05a1127944b1122ffa068fb
40c0511ce8329c529a0712248b6ecaeb
47851dfea8937c5bbe3ca846440ab544
7242441af1f4d7916439f0b3f356ca2a
db72b7740cdbb0f83da3300e0a5bae43
2cb0c59eebfbab2a67c68df8a457d2d2
cc20021df70f82d7830dd5a6ff531f00
5fab9e409f3594e57e5635854b9d27f4
74e9391f94026c42d3b150beeccdce8b
8ff1d8967def905f89a514851502f976
31e182ec94514a8c29cbeed338beec1f
5f1453e1db1106b6e292f275b3f71948
4197e0c970e6fdddb409034cac29d3b6
87cd05a004898a4baa4f741d1cc90f61
d92a0cc002318bb2f6b80313cadc8090
ede21e6b026cd3dacb1c555a34f8c5f7
db88664d33dfbd9afa8333049524b18e

SHA-256

fd63b9c7e9dce51348d9600f67139ea8959fdbbca84d505b5e9317bbdca74016
03bfec4e039805091fe30fa978d5ec7f28431bb0fca4b137e075257b3e1c0dd4
b4cb04709f613b5363514e75984084ef1d3eaba7c50638b2a5a284680831b992
94f02ea10b4546da71bd46916f0fe260b40c8ed4deccf0588687e62ca3819ad7
bd72be4f7d64795b902f352e47b1654eaee6b5a71cddfaf2c245dba1b2d602eb
77b4f7f0d66a0333d756116eaae567a8540392f558c49d507bf6da10bd047fe3
051baaabf205c7c0f5fd455ac5775447f9f3df0cc9bc5f66f6d386f368520581
8b5810e07cf21ebb1c2ff23c13ce88022c1dd5bc2df32f4d7e5480b4ddb82de2
ded23c3f5f2950257d8cfb215c40d5f54b28fde23c02f61ce1eb746843f43397
80fb66c6b1191954c31734355a236b7342dc3fd074ead47f9c1ed465561c6e8c
f30bb52c0e32dfe524fc0dfda1724a1ffb88647c39c33a66dfd66109fecceec7
1900e09983acf7ddc658b860be7875a527bc914cbffcf0aaff0b4182ecef047b
c379139347470254f19041f05e19f5454750e052f04f6d377ec8df19ce959519
39b6d72101adae2b71815328599f8e67ee27955849dfb3825c5b2731d504696b
0747988a77c89c1267a882b663fbd4168e25aed239fb1553e65bb4ac74ecda67
99d06d1c82af244b1533c1173ca10da7f29bfbf753073f20f5dc7a0016152a4c
372ab5c1c23d198b594353239a96d6cf620cc56588f5fdf5dfb32919dd019020
9572a532c08f81d7957ffd4639f95c34a2085f119fa426d8ea911af72bfd0b4a
113ad91a1aab3abcd704fe8670fbc043f049586462a4c58dabdd44c14519ea66
6f01ef6670ecd79f9b322dd8521bc13a73037e7f84fa9aad35d11d964d8f9e60
2960748648bc2cd1b3db5e1e1ce9931a6588d65ae91c6d09e6b8bf2d78b00263

SHA1

312c4e99cd52aa025f8c7988c50104546f5ce6da
cf766d1d6073b91200dfe02beed8e4407937e448
95c0768e89cec18206c3ef29996ab3c8029ec2cc
01d5ac4c6aea3a6933a29e9150d1effb7f68bb46
24db35c34da2d5248b07de68e38caab537fd02d3
b5d8fdbd2aa7a3a03fcb85448f9fb0eb77e47f9e
96fc7a19ec3cbbaeba1d43b2eb3387d0a07d1420
f4fce45d3ea84ffe6bce11eb11e480248eb5c275
4fd96cd781faf3b6f3abd684ad0286674bab2ac0
cd8cabe976c4ce0334186ef6786c99ba2a0ae0a2
dbbda767b6b5fff50a3ef808cbcfba71c8978478
d1f4423d9a2b2ae369d64d2034e0f589fd06e54d
bf5c05b10a6ba305848db6bdcabeb8193c16b519
3ce898a0df169e1a26dc5be02a77d40e683a2298
3b614de8370629e0fcfa6652c765fdbb6b5e4754
461fc91a6a3e5656f66819ca26b3449e2de589cb
0cc83b7336acc41f54e3061e2b21b6553ac30160
3516293e423426280c87be61cf1a820335f1c1c5
ed4ded0ea0e24e9241a6279136e99df62cd25b07

Source IP

66[.]7[.]149[.]161

Remediation

Update to a patched version released in August:
https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4445227-vbulletin-5-6-0-5-6-1-5-6-2-security-patch
Block the threat indicators at their respective controls.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Revenge RAT aka Revetrat – Active IOCs

Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us