NASTAR operated a vBulletin forum at forums.nastar.com (archive.org version) since the early 2000s. Members could exchange ideas, receive tips, and ask or answer questions about NASTAR and sporting interests on the forum. In 2015, USSA “assume(d) operational control of NASTAR” according to a press release. They continued to operate the website, which had 13,912 registered accounts as of early 2020. Based on the lack of recent posts, it appears NASTAR members had mostly stopped using the forums.
Maintenance on the site had ceased, leaving vBulletin stuck on version 4.1.4 and the SSL certificate expired. vBulletin later released patches for two particularly severe vulnerabilities that affected this version. An attacker could exploit CVE-2013-6129 (CVSS score 7.5) to create administrator accounts, which some did in 2013. Publicly available exploit scripts make it easy for even beginning hackers to take advantage of the vulnerability. With administrator access, little stands in the way of an attacker further compromising the server or stealing website data.
An attacker could also take advantage of a second vulnerability, CVE-2012-4328 (CVSS score 10), allowing them to take control of the server. With this access, an attacker can potentially manipulate content, install malware, and steal users’ credentials.
Evidence of vBulletin Compromise
I reviewed publicly available information in the user directory on the website looking for signs of unauthorized administrator accounts. I found evidence of 363 rogue administrator accounts under two usernames, Vbcaff24 and Vb0a5395.
- Username: Vbcaff24. 203 accounts (earliest created account 11/17/2016; latest created account 6/14/2019)
- Username: Vb0a5395. 160 accounts (earliest created account 1/08/2018; latest created account 6/14/2019)
From this information we can draw some conclusions. Based on the usernames and the identical latest creation date, I suspect the same threat actor created both sets of accounts. Hackers often re-use scripts with little or no modification, which may well be the case here and would explain the many accounts sharing a single username. I would not be surprised if these same or similar rogue usernames appear on other websites running old vBulletin forums.
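The triage described above can be scripted. The block below is an added example, not code from the original post or from NASTAR/USSA: given a member-list export, it groups administrator accounts by username, reports the count and creation-date span for each repeated name, and then checks whether separate clusters share the same latest creation date (the observation behind the single-actor inference). The CSV column names and the sample rows are constructed assumptions for illustration, not the forums.nastar.com data.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample of a member-list export (username, usergroup, join date).
# These rows are made up for this example; they are not the NASTAR forum data.
SAMPLE_MEMBER_LIST = """username,usergroup,joindate
skier_bob,Registered Users,2004-03-12
Vbcaff24,Administrators,2016-11-17
Vbcaff24,Administrators,2017-05-02
Vb0a5395,Administrators,2018-01-08
Vbcaff24,Administrators,2019-06-14
Vb0a5395,Administrators,2019-06-14
mod_jane,Administrators,2003-09-01
"""


@dataclass
class Cluster:
    """A username that appears on more than one administrator account."""
    username: str
    count: int
    earliest: date
    latest: date


def parse_member_list(text):
    """Parse the assumed CSV export into (username, usergroup, joindate) tuples."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        joined = datetime.strptime(row["joindate"], "%Y-%m-%d").date()
        rows.append((row["username"].strip(), row["usergroup"].strip(), joined))
    return rows


def find_repeated_admin_usernames(rows, admin_group="Administrators", min_count=2):
    """Group administrator accounts by username and return every username that
    appears at least min_count times, with its creation-date span.
    Clusters are sorted by account count, largest first."""
    by_name = defaultdict(list)
    for username, usergroup, joined in rows:
        if usergroup == admin_group:
            by_name[username].append(joined)
    clusters = [
        Cluster(name, len(dates), min(dates), max(dates))
        for name, dates in by_name.items()
        if len(dates) >= min_count
    ]
    clusters.sort(key=lambda c: c.count, reverse=True)
    return clusters


def clusters_with_common_latest(clusters):
    """Map each latest-creation date shared by two or more clusters to the
    usernames involved; a shared date hints at one actor running one script."""
    by_latest = defaultdict(list)
    for cluster in clusters:
        by_latest[cluster.latest].append(cluster.username)
    return {day: names for day, names in by_latest.items() if len(names) >= 2}


if __name__ == "__main__":
    found = find_repeated_admin_usernames(parse_member_list(SAMPLE_MEMBER_LIST))
    for c in found:
        print(f"{c.username}: {c.count} admin accounts "
              f"(earliest {c.earliest}, latest {c.latest})")
    for day, names in clusters_with_common_latest(found).items():
        print(f"latest creation date {day} shared by: {', '.join(names)}")
```

Single-occurrence administrators (such as the legitimate `mod_jane` row in the sample) are left out by the `min_count` threshold, so the report only lists names that repeat; lowering the threshold to 1 turns it into a plain audit of every administrator account.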
Another noteworthy fact is the timing of the account creation. Vb0a5395 was created just a month before the XXIII Winter Olympic Games in South Korea began. The timing is likely a coincidence, but it is cause for concern given that the games suffered a cyberattack during the opening ceremony, and given Russia’s targeting of anti-doping agencies in response to Olympic sanctions.
USSA Contact, Investigation, and Response
On February 27, 2020, I attempted to contact the forum administrators directly to warn them of the vulnerabilities but did not receive a response. I later reported the vulnerabilities to USSA on April 8, 2020. USSA quickly responded by updating vBulletin to the latest version available at that time.
Later, I contacted USSA about the suspicious administrator accounts. USSA placed the website into maintenance mode and began an investigation. They brought in an outside firm, which “determined there was no indication of rogue operations or discovered actions taken by the two accounts.” USSA does not plan to issue a breach notification at this time, as they do not believe the hacker stole any user data.
The investigation’s conclusion is a relief but also surprising. Given how long the attackers held administrator access to the website, they had plenty of time to carry out their objectives. The lack of evidence could indicate, among other things, that the threat actors were not interested in the data or the website, lacked the capability to proceed further, or planned to pursue their objective at a later date.
USSA also decided not to restore the website but to decommission it instead.
Kudos to USSA for responding to this incident so well. They acted quickly, first to update the website and then to take it offline. They recognized the need for a qualified third party to investigate, and acted on the findings. Finally, they recognized and shut down an unneeded website, reducing their attack surface.
I found and disclosed this finding as part of the UtahCyberCheck project, where in my spare time I focus on finding and reporting cybersecurity issues of Utah government, education, and nonprofit organizations. For more information about the project, you can read the announcement blog post.