Cybersecurity firm Comodo (slogan: “creating trust online”) says hackers exploited a new vulnerability in its user forum to steal the personal data of 245,000 users.
New Jersey-based (but UK-founded) Comodo is a freemium provider of endpoint protection. It said the attack vector was a new vulnerability or zero day in vBulletin, a widely user server application for website comment forums.
The zero day was dumped on the SecLists security forum on September 23; the exploit developer declining to go down a “responsible disclosure” route.
Another security researcher rapidly followed its publication with a script that scans the internet for vBulletin forums vulnerable to the zero day.
Comodo is unlikely the sole such company affected: hackers are widely reported to be using the vulnerability to help bolster their botnets
Read this: Check Out This Free IT Asset Discovery, Security Tool
When Computer Business Review contacted Comodo’s own end-user patch management/technical support team, Comodo One, we were told: “We aren’t [sic] notified about the breach until now”.
Comodo Hacked: Emails, Names, etc. Leaked
In an alert to users published Monday meanwhile, Shane McGillian product group manager for Comodo wrote: “Our investigations are ongoing to determine what data, if any, has been accessed. User accounts on the forums contain information such as username, name, e-mail address, last IP used to access the forums and if used, potentially some social media usernames in very limited situations.”
Comodo is advising all of its users to immediately change their passwords.
vBulletin has patched the vulnerability. Enterprise security teams can access the patch here. All vBulletin Cloud sites have already been patched.
The vulnerability that gave the attackers access was located in vBulletin, a popular server application for website comment forums.
A vulnerability in vBulletin is manna from heaven for hackers as it’s known to be used by organisations such as NASA, games publish EA and games distribution platform Steam. Following the public disclosure Chaouki Bekrar, the CEO of Zerodium, a zero-day exploits market platform, said the “bugdoor” had been circulating in the exploit community for three years.
The recent vBulletin pre-auth RCE 0day disclosed by a researcher on full-disclosure looks like a bugdoor, a perfect candidate for @PwnieAwards 2020. Easy to spot and exploit.
Many researchers were selling this exploit for years. @Zerodium customers were aware of it since 3 years
— Chaouki Bekrar (@cBekrar) September 25, 2019
Comodo One’s team told us: “As far as our company is concerned none of our servers have been breached. Also we aren’t notified about the breach until now.”
Comodo itself said: “We deeply regret any inconvenience or distress this vulnerability may have caused you, our users.
“As members of our community of Comodo Forum users we want to reassure you that we have put in place measures to ensure that vulnerabilities in third party software, such as vBulletin, will be patched immediately when patches become available.”