An Outdated vBulletin Installation Has ZoneAlarm's Forum Site Breached by Hackers
It's common knowledge that no one is immune from cyberattacks, and if you still need further proof of this, you can have a look at some of the security companies that were successfully breached by cybercriminals. ZoneAlarm, a subsidiary of Check Point, is the latest example.
Earlier this week, several news outlets reported that ZoneAlarm had suffered a data breach. One of the first things that must be pointed out is that the incident isn't especially impactful. The attackers hit ZoneAlarm's forums, and they stole personal information that belongs to a relatively small number of users. According to The Hacker News, the intruders managed to steal the names, email addresses, dates of birth, and hashed passwords of around 4,500 people.
ZoneAlarm took the entire forum down in order to ensure that it's secure, and when it puts it back online, it will enforce a password reset for all users. As usual, affected people who have reused the same credentials at other websites are advised to change them there as well, despite the fact that the stolen passwords are hashed and should, therefore, be difficult (if not practically impossible) to retrieve.
All in all, it's not the end of the world, but there are a few worrying aspects about the incident that can act as a reminder of how even the experts don't always behave the way you'd expect them to, both before and after such an incident.
ZoneAlarm decides to make as little noise as possible
Neither ZoneAlarm nor Check Point has made any official announcements regarding the cyberattack. Even now, after a spokesperson has admitted that there has been a data breach, the lack of a detailed report communicated through all the usual channels is striking.
Some might say that the breach doesn't deserve that much attention because the number of affected users is limited, and the stolen data isn't especially sensitive. There are several problems with this argument. For one, although the stolen information doesn't include any payment details or data that could lead to identity theft, it can still be used in other attacks that could be much more damaging.
Furthermore, regardless of the amount and nature of the pilfered information, a company that has suffered a data breach should always be as transparent as possible about what has happened. And in this case, the only thing users received was an email notification that doesn't go into too many details about what caused the data breach. Speaking of which, the breach itself was the result of a mistake that security companies shouldn't really make.
Another day, another security company gets attacked after it fails to patch its software
About a month and a half ago, Comodo announced that hackers had successfully attacked one of the message boards it owns and had gained access to close to a quarter of a million user records. The security company admitted that the crooks managed to get in after exploiting CVE-2019-16759 – a remote code execution vulnerability in the vBulletin forum software. The security flaw was publicly disclosed a few days before the attack, and a patch was released almost immediately. As you might have guessed, Comodo failed to update its forum, and the hackers didn't need a second invitation.
You'd expect that other people in the cybersecurity industry would learn from Comodo's mistake and would try to stay on top of their updates. Unfortunately, ZoneAlarm made no attempts to save themselves the embarrassment of getting hacked because of negligent patch management.
CVE-2019-16759 affects all vBulletin versions between 5.0.0 and 5.5.4, but the people running the project think that nobody should be using older versions of the software anyway, which is why patches were made available only for versions 5.5.2 and newer. ZoneAlarm's forum was running on vBulletin 5.4.4, which meant that it was basically a sitting duck for the hackers.
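The version ranges above translate directly into a patch-management check. The following is an added example, not code from vBulletin or ZoneAlarm: it triages a forum inventory against the boundaries the article states, and the hostnames, status labels and sample inventory are constructed for illustration.

```python
import re

# Version boundaries exactly as stated in the article.
AFFECTED_MIN = (5, 0, 0)   # first affected release
AFFECTED_MAX = (5, 5, 4)   # last affected release
PATCHED_FROM = (5, 5, 2)   # oldest release that received a patch

# Most urgent first; used to sort the report.
SEVERITY = ["upgrade-required", "patch-available", "unknown", "outside-range"]

def parse_version(text):
    """Return (major, minor, patch), or None if the string has no x.y.z prefix."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Map a reported vBulletin version string to a triage status."""
    version = parse_version(text)
    if version is None:
        return "unknown"            # cannot tell: verify the host by hand
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "outside-range"      # not in the range the article gives
    if version >= PATCHED_FROM:
        return "patch-available"    # a patch was released for this version
    return "upgrade-required"       # affected, and no patch exists for it

def triage(inventory):
    """Return (host, version, status) rows, most urgent first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (SEVERITY.index(r[2]), r[0]))

# Constructed inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {
    "forum-a.example": "5.4.4",    # the version the article reports for ZoneAlarm
    "forum-b.example": "5.5.3",
    "forum-c.example": "v5.5.4",
    "forum-d.example": "5.5.5",
    "forum-e.example": "not reported",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:18} {ver:14} {status}")
```

The status describes which remediation exists for a release, not whether the patch has actually been installed on that host.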
This particular data breach is far from the worst one we've seen, but it does go to show that even the people who should know better haven't escaped the "it won't happen to me" mentality. Unfortunately, the next time this sort of thing happens, the consequences could be much more serious.