
Cyber Incident Victim: phpBB

Date: Jan 2018

Location: United States of America

Summary

An attacker compromised the official download links for a popular forum software, replacing two packages with versions containing malicious code that attempted to load remote JavaScript. The intrusion originated from a third-party site, not the software's own infrastructure, and the affected downloads were available for approximately three hours before the development team removed them. The compromised files were estimated to have been downloaded up to 500 times, with a smaller number likely deployed in production environments. Users were instructed to verify file integrity against the published SHA256 hashes and to report affected installations for help removing the injected code. The domain controlled by the attackers was taken over by the team, neutralizing the threat. This incident mirrors previous breaches of software distribution platforms used to spread malware such as ransomware and remote access trojans.

CIA Posture: available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On January 26, 2018, an unidentified attacker compromised the official download links for the phpBB forum software, specifically targeting the full package of version 3.2.2 and the automatic updater from version 3.2.1 to 3.2.2. These links, which pointed to third-party infrastructure rather than phpBB's own servers, were altered to serve maliciously modified files containing additional code. The compromise lasted 181 minutes, from 12:02 UTC to 15:03 UTC, during which the attacker replaced the legitimate downloads with tampered versions. The phpBB team confirmed that the intrusion came through a third-party site, emphasizing that neither phpBB.com nor the phpBB software itself was directly exploited. The malicious files included code designed to load remote JavaScript; the phpBB team later gained control of the associated domains, neutralizing the threat.


The phpBB infrastructure team detected the issue and removed the compromised links within three hours of their activation. Because the breach fell within a low-traffic period, the team estimated from download patterns that fewer than 500 downloads were affected, with a smaller subset deployed in production environments. Users who downloaded files during the compromise window were advised to verify SHA256 hashes against the official listings and to report affected installations via a dedicated tracker for assistance in removing the malicious code. The phpBB Management Team, represented by Michael Cullum, worked with the third-party provider to investigate the attack vector while reiterating that the subsequently restored downloads were safe. This incident mirrored prior compromises of software distribution channels, including Elmedia Player, HandBrake, and Transmission, in which attackers similarly manipulated official platforms to distribute malware.
