Investigating vBulletin Security Issues with Recorded Future

March 12, 2015 • Hank

On January 8, 2015, website security company Sucuri revealed in their blog a serious vulnerability tied to a search engine optimization (SEO) module for vBulletin. vBulletin is a popular forum engine driven by PHP and is used by more than 100,000 social sites on the Web, including NASA, Sony Pictures, and EA.

We used Recorded Future’s analyze function to further investigate security issues tied to vBulletin. According to our open source intelligence (OSINT) findings, there are multiple vulnerable modules used in vBulletin. Older versions of vBulletin are unsurprisingly vulnerable, but we also discovered the latest major version (5) of vBulletin is vulnerable to attacks as well.

This post will demonstrate how Recorded Future’s threat intelligence platform can be used to analyze and understand cyber threats related to a specific product or technology. We’ll also explain how you can be notified in real time about new, emerging threats so you can better coordinate your defenses.

Analyzing vBulletin Security Issues

A query covering information security issues related to vBulletin over the past three years shows a high volume of mentions of how to gain access to servers running vBulletin. The Timeline view below shows the references available in Recorded Future to YouTube videos and Pastebin code examples that hackers use to exploit sites running vBulletin.

vBulletin Hacking Tools Timeline

By switching to the Table view in Recorded Future, a deeper analysis of the vulnerabilities related to vBulletin can be conducted. The Table view gives a more detailed overview of the references analyzed. As shown in the next image, Recorded Future has gathered references not only from English sources but also from Spanish sources.

Vulnerabilities Tied to vBulletin Table

In the left column of the Table view, information can be filtered into different categories, such as Domain, Malware and Vulnerability. Filtering the results to show only Vulnerabilities presents all references mentioning CVEs tied to vBulletin.

Digging deeper into the available CVE data shows that multiple modules used in vBulletin appear to be vulnerable. We also discovered that not only are older versions of vBulletin affected, but even the latest released version (5) is vulnerable to attacks.

With a list of the different CVEs related to vBulletin in hand, we can conduct another interesting analysis by switching back to the Timeline view in Recorded Future.

The next image shows vBulletin CVEs over the last two years, where a distinct spike in activity can be seen at the end of 2014.

vBulletin CVEs Timeline

Using Recorded Future to Monitor New Threats

One of Recorded Future’s core features is the ability to detect new or increased activity in mentions of products, companies, vulnerabilities, etc. on the open Web. Creating a Recorded Future alert is a fast and convenient way of monitoring the discussion and resolution of current vulnerabilities affecting vBulletin. The next image shows how to set up an email alert to monitor security issues tied to vBulletin.

Create vBulletin Malware Email Alert

Sharing Analyses Created in Recorded Future

Once an email alert is received, a report is easily created in Recorded Future with a simple click on a link in the email, as shown below. The resulting report contains suggested editable fields and a list of the gathered references that triggered the alert.

Alert to Report

Once a report has been created, it can be shared with other users in the organization or exported as a DOCX file for further editing and distribution to interested parties.