Advisory Overview:
Cybersecurity firm Comodo – who provides website security certificates and other services – recently suffered a breach of their web forum site which included usernames, IP addresses, and other data of forum users. Since many users re-use credentials for multiple sites, it is possible that a user’s login information for the forum could be identical to their login information for the Comodo services, leading to the potential for significant security information leakage. It should be noted that, while passwords were not specifically stated to have been in the data obtained in the breach, Comodo does recommend that all users of their services immediately change their passwords out of an abundance of caution. Speak to your IT team and/or your Managed Services Provider to determine if your organization uses any Comodo services.
Technical detail and additional information:
What is the threat?
The breach stems from a known vulnerability (since patched) in the vBulletin web forum platform. This is a popular software package used by many companies to create and manage online internal and external user forums. Comodo’s web forums were using the unpatched version of the software, and therefore became susceptible to attack via this vulnerability. Data exfiltrated included usernames, real names, IP addresses used to access the forum in question, email addresses, and what has been described by investigating firms as appearing to be social media identity information.
Why is this noteworthy?
The breach was reported by a 3rd-party concern, and the details were not provided to Comodo for review before the matter was made public. Due to this series of events, Comodo has not fully investigated the exfiltrated data, and therefore cannot be certain as to the extent of the information stolen. It is possible that additional information – such as encrypted passwords – may be within the dataset. Such 3rd-party disclosure is not uncommon, but release to the general public before private release to the company in question is unusual; and can lead to confusion and misinformation. The data released seems to be valid, but more information may be discovered as Comodo investigates.
What is the exposure or risk?
Comodo provides endpoint anti-malware tools and is also a popular vendor of SSL/TLS website certificates. The information exfiltrated in the breach has not been fully analyzed by Comodo themselves. The breach was reported by a 3rd-party investigator, and therefore it is currently not known if the report detailed the full extent of the data exfiltration. It is possible that additional information on forum users – such as passwords – may have been taken in their encrypted form. As such, Comodo users should treat this breach as though passwords and other sensitive information were stolen until 1st-party verification occurs. Since Comodo holds critical information about an organization’s web and endpoint defenses, use of this information could have significant impact on the organization as attackers can perform extensive intelligence gathering without having to surveil the secured network itself.
What are the recommendations?
Comodo recommends that all users of their forums immediately change their passwords. It is also recommended that users change their passwords not only on the forums, but on the main Comodo websites. Users should be educated on proper password hygiene and should be persuaded not to re-uses passwords on multiple sites – even multiple sites from the same vendor.
Additionally, if any customers are using the vBulletin software for their own internal or external web forums, patches for the vBulletin vulnerability have become available to download as of September 25, 2019. It is strongly advised for anyone utilizing the vBulletin service to apply the newly available patch from the vendor immediately, as attacks against this vulnerability are currently taking place.
This patch can be found via a vBulletin forum post: https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4422707-vbulletin-security-patch-released-versions-5-5-2-5-5-3-and-5-5-4
References:
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.