Last month (at the time of writing this post), a Dutch website was hacked. This was not just any website. It was a forum used by, among others, employees of Dutch governmental institutions like law enforcement, foreign affairs and the ministry of defence. Normally such a breach would simply mean that users of the affected site would be notified and encouraged to change their passwords, but as mentioned before, this is not just any website.
The hacked website was Hookers.nl, a vBulletin based forum used by prostitutes and their customers.* Hackers were able to lift the entire database using a 0day exploit that worked on all 5.x versions of the vBulletin commercial forum software. The information they stole included usernames, IP addresses, and password hashes.
We will get into the implications of the stolen data in just a moment but first, it is important to understand how the site was hacked and what this means for your business.
* It’s important to note that prostitution is legal in the Netherlands so the existence and use of this site breaks no laws. However, prostitution still carries a stigma in much of society and allegations of adultery is a very powerful blackmailing tool.
Zero-day exploits and vulnerability scans
Zero-day (or 0day) exploits are vulnerabilities that currently have no fixes and are also typically unknown to the software developer or vendor. On September 23rd, 2019 a vBulletin 0day exploit was posted on the SecList’s “Full Disclosure” mailing list. This RCE (remote code execution) exploit essentially meant that all version 5.x vBulletin instances, worldwide, were open to being hacked.
Using different scanning tools, hackers were able to perform a global automated scan for websites running the exploitable version of vBulletin. Within hours to days, websites all over the world could be scanned to create a list of vulnerable targets. The 0day exploit would then be launched and the forum’s database stolen.
Knowing that hackers tend to go after low-hanging fruit, it is fully likey that the hack on Hookers.nl on the 25th or 26th of September was automated. Meaning that when the exploitable systems were found, the 0day exploited would be exploited automatically. The email addresses, IP addresses, and password hashes are actively being traded underground and the whole data dump goes for about 2 euros.
Why you should scan for vulnerabilities
Having continuous vulnerability scans on your internet-facing assets can significantly reduce the occurrence of ‘in the wild’ 0day exploitation. Continuously monitoring your assets gives you the knowledge to know that something is vulnerable before hackers have the time to exploit those vulnerabilities. This type of scanning is no longer something that only large corporations can afford. If the hackers themselves can run a global scan, then a business can afford to monitor their systems for vulnerabilities.
spriteCloud utilises an eng