CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 76: November 27, 2023

Links

https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html

https://www.securityweek.com/windows-hello-fingerprint-authentication-bypassed-on-popular-laptops/

https://securityaffairs.com/154743/security/app-used-by-hundreds-of-schools-leaking-childrens-data.html

https://www.theregister.com/2023/11/23/blackcat_ransomware_fnf/

3 Critical ownCloud Vulnerabilities

  • ownCloud
    • open-source file-sharing software
    • three separate advisories, one per affected component
  • graphapi App
    • CVSS score: 10/10
    • versions 0.2.0 to 0.3.0
    • bundles a third-party library (microsoft-graph) whose test file exposes a URL.
      • When that URL is requested, it returns the PHP configuration page (phpinfo), including the web server’s environment variables.
    • Containerized deployment
      • environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.
    • Fix
      • delete the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file.
      • disable the ‘phpinfo’ function.
      • rotate every secret that could have been exposed
        • ownCloud admin password
        • mail server and database credentials
        • Object-Store/S3 access keys.
  • WebDAV API
    • CVSS score: 9.8/10
    • Versions: core 10.6.0 – 10.13.0
    • Authentication bypass: access, modify or delete any file of a victim when
      • the victim’s username is known, and
      • the victim has no signing key configured.
        • That is the default configuration.
  • oauth2 app
    • CVSS score: 9/10
    • Versions: oauth2 < 0.6.1
    • improper access control
    • an attacker passes a specially crafted redirect URL to the system.
      • it bypasses the validation code.
      • callbacks are redirected to a domain the attacker controls.
  • Also reported: PoC for another vulnerability
    • CrushFTP
    • CVE-2023-43177
      • No CVSS yet
    • an unauthenticated attacker can access files, run arbitrary programs on the host, and acquire plain-text passwords.
    • fixed in version 10.5.2
      • released on August 10, 2023.
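A quick triage helper for the graphapi exposure, added here as an example and not taken from ownCloud or the advisory: it recognises a live phpinfo() page in an HTTP response and lists which environment variables look like secrets, so the "rotate secrets" step above has a concrete list to work from. The sample page, variable names and values are constructed for this example; the only real detail it relies on is the HTML layout phpinfo() produces (each variable sits in a `<td class="e">NAME</td><td class="v">VALUE</td>` row).

```python
import html
import re

# Constructed sample of the HTML phpinfo() emits for its "Environment" section,
# as a containerised deployment would return it while GetPhpInfo.php is reachable.
# Variable names and values are invented for this example.
SAMPLE_PHPINFO = """<h1 class="p">PHP Version 7.4.33</h1>
<h2>Environment</h2>
<table>
<tr class="h"><th>Variable</th><th>Value</th></tr>
<tr><td class="e">HOSTNAME</td><td class="v">owncloud-app-1</td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_USERNAME</td><td class="v">admin</td></tr>
<tr><td class="e">OWNCLOUD_ADMIN_PASSWORD</td><td class="v">Example-Only-Pa55</td></tr>
<tr><td class="e">OWNCLOUD_DB_PASSWORD</td><td class="v">example-db-pw</td></tr>
<tr><td class="e">OWNCLOUD_MAIL_SMTP_PASSWORD</td><td class="v">example-smtp-pw</td></tr>
<tr><td class="e">PATH</td><td class="v">/usr/local/sbin:/usr/local/bin:/usr/bin</td></tr>
</table>
"""

# phpinfo() renders every variable as <td class="e">NAME</td><td class="v">VALUE</td>.
ROW_RE = re.compile(r'<td class="e">(.*?)</td>\s*<td class="v">(.*?)</td>', re.S)

# Name fragments that usually mark a credential. Assumption: secrets in the
# deployment follow the usual PASSWORD/SECRET/KEY/TOKEN/LICENSE naming.
SENSITIVE_RE = re.compile(r"PASS|SECRET|KEY|TOKEN|LICENSE", re.I)


def is_phpinfo_page(status: int, body: str) -> bool:
    """True when an HTTP response looks like a live phpinfo() page, i.e. the
    vulnerable state. After the fix the endpoint should answer 404 (file deleted)
    or return nothing useful (phpinfo disabled)."""
    return status == 200 and ("phpinfo()" in body or '<td class="e">' in body)


def parse_phpinfo_env(body: str) -> dict:
    """Return {name: value} for every variable row on the page."""
    return {html.unescape(n).strip(): html.unescape(v).strip()
            for n, v in ROW_RE.findall(body)}


def leaked_secrets(body: str) -> list:
    """Names (not values) of variables that look like secrets, sorted. The values
    belong in the rotation ticket, not in a scanner's log output."""
    return sorted(n for n in parse_phpinfo_env(body) if SENSITIVE_RE.search(n))


if __name__ == "__main__":
    print("exposed phpinfo:", is_phpinfo_page(200, SAMPLE_PHPINFO))
    for name in leaked_secrets(SAMPLE_PHPINFO):
        print("rotate:", name)
```

To use it against a real instance, fetch the GetPhpInfo.php path named in the fix above from the web root, pass the status code and body to `is_phpinfo_page`, and if it is live, feed the body to `leaked_secrets` to build the rotation list. Deleting the file is necessary but not sufficient: anything that was readable before the fix has to be treated as compromised.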
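The WebDAV item above turns on one condition: the victim has no signing key configured, which is the default. The toy below, written for this episode's notes and not ownCloud's code, shows the failure class behind that condition: a verifier that treats "no key" as "empty key" lets anyone who knows the username forge a valid pre-signed URL, while a verifier that fails closed does not. The URL scheme, the `sign`/`verify_*` functions, the user "alice" and the file path are all constructed for the example; how ownCloud actually validated pre-signed URLs is not described on this page.

```python
import hashlib
import hmac
from typing import Optional

# Toy pre-signed URL scheme, written for this example to show the failure class
# only; it is not ownCloud's implementation. A per-user secret key authenticates
# "path|expires", and the server recomputes the HMAC before serving the file.


def sign(path: str, expires: int, user_key: bytes) -> str:
    msg = f"{path}|{expires}".encode()
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()


def verify_weak(path, expires, sig, user_key: Optional[bytes], now: int) -> bool:
    """Vulnerable pattern: a user who never configured a key is treated as having
    an empty key, so anyone can produce a matching signature with b""."""
    if now > expires:
        return False
    return hmac.compare_digest(sign(path, expires, user_key or b""), sig)


def verify_strict(path, expires, sig, user_key: Optional[bytes], now: int) -> bool:
    """Hardened pattern: no configured key means pre-signed access is unavailable
    for that user; the request fails closed instead of falling back to a default."""
    if not user_key or len(user_key) < 32:
        return False
    if now > expires:
        return False
    return hmac.compare_digest(sign(path, expires, user_key), sig)


# Constructed scenario: victim "alice" is in the default state, no signing key.
NOW = 1_700_000_000
EXPIRES = NOW + 600
VICTIM_KEY: Optional[bytes] = None
VICTIM_PATH = "/remote.php/dav/files/alice/payroll.xlsx"


def attacker_forgery(path: str = VICTIM_PATH, expires: int = EXPIRES) -> str:
    """The attacker knows only the username (it is part of the path) and signs
    with an empty key, which is exactly what the weak verifier falls back to."""
    return sign(path, expires, b"")


def demo() -> dict:
    forged = attacker_forgery()
    return {
        "weak_accepts_forgery": verify_weak(VICTIM_PATH, EXPIRES, forged, VICTIM_KEY, NOW),
        "strict_accepts_forgery": verify_strict(VICTIM_PATH, EXPIRES, forged, VICTIM_KEY, NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that "unset" and "empty" must be distinguishable at the verifier, and the unset case must be a hard failure. A minimum key length check is cheap insurance against a deployment that provisions placeholder keys.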
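The oauth2 item describes a crafted redirect URL slipping past validation so that callbacks land on an attacker's domain. As an added example (not the oauth2 app's code, whose exact check is not shown on this page), here is the general pattern: a prefix or substring comparison against the registered origin beside a strict component-wise match. The registered callback, the attacker inputs and the hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed OAuth client registration for this example; not from any real deployment.
REGISTERED_REDIRECTS = {"https://app.example.com/oauth/callback"}


def _origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def weak_is_valid_redirect(url: str) -> bool:
    """Vulnerable pattern: accept anything that begins with the registered origin.
    A string prefix is not a host comparison."""
    return any(url.startswith(_origin(reg)) for reg in REGISTERED_REDIRECTS)


def strict_is_valid_redirect(url: str) -> bool:
    """Hardened pattern: exact match of scheme, host, port, path and query against
    a registered URL after normalising scheme/host case; userinfo and fragments are
    rejected outright."""
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    if p.username is not None or p.password is not None or p.fragment:
        return False
    if p.scheme.lower() != "https" or not p.hostname:
        return False
    try:
        port = p.port or 443
    except ValueError:            # non-numeric port
        return False
    candidate = (p.hostname.lower(), port, p.path or "/", p.query)
    for reg in REGISTERED_REDIRECTS:
        r = urlsplit(reg)
        if candidate == (r.hostname.lower(), r.port or 443, r.path or "/", r.query):
            return True
    return False


# Constructed attacker inputs: each starts with the registered origin as a string.
BYPASS_ATTEMPTS = [
    "https://app.example.com.attacker.tld/oauth/callback",      # registered host as a subdomain label
    "https://app.example.com@attacker.tld/oauth/callback",      # registered host as userinfo
    "https://app.example.com/oauth/callback/../../open-redirect",
]


if __name__ == "__main__":
    for url in BYPASS_ATTEMPTS:
        print(f"{url}\n  weak={weak_is_valid_redirect(url)} strict={strict_is_valid_redirect(url)}")
```

All three attacker inputs pass the weak check and fail the strict one. The first two are the shape the advisory describes: the authorization code ends up posted to a host the attacker owns, while the registered origin is still visibly "in" the URL.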

Indian App used by Schools leaks Data

  • Cybernews
    • recent investigation by its research team
  • AppsCook
    • application developer
    • apps used by 600 schools
      • India and Sri Lanka
      • education management
    • 96 school-specific apps
      • support online classes.
      • enable direct communication between parents and schools
        • about their child’s academic performance and daily activities
    • AppsCook’s DigitalOcean storage bucket
      • misconfigured: open without authentication
      • leaking data
        • students’ names
        • names of parents
        • pictures of students attending pre-primary, primary, and secondary schools
        • names of the schools the children attend
        • birth certificates
        • fee receipts
        • student report cards/exam results
        • home addresses
        • phone numbers
    • Attacks this enables
      • extortion of parents, exploiting the vulnerability of their children
        • by revealing where the children are each day and what they look like
      • social engineering
        • impersonate school officials.
        • manipulate children and parents.
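The exposure above is the classic "anonymous listing enabled" misconfiguration on an S3-compatible object store. As an added example (not Cybernews' tooling or AppsCook's code), the snippet below classifies what an unauthenticated GET on a bucket root returned and flags object keys whose names suggest the record types listed in the report. The bucket name, object keys and both responses are constructed; the only real details relied on are the S3 `ListBucketResult` XML namespace and the `AccessDenied` error shape that S3-compatible stores, DigitalOcean Spaces included, use.

```python
import xml.etree.ElementTree as ET

# Constructed responses to an unauthenticated GET on a bucket root. S3-compatible
# object stores answer with a ListBucketResult when anonymous listing is allowed
# and with an AccessDenied error when it is not. Bucket name and keys are invented.
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>schoolapp-uploads-example</Name>
  <Contents><Key>students/2023/report-card-1001.pdf</Key><Size>88123</Size></Contents>
  <Contents><Key>students/2023/birth-certificate-1001.jpg</Key><Size>410332</Size></Contents>
  <Contents><Key>parents/fee-receipt-7781.pdf</Key><Size>51200</Size></Contents>
  <Contents><Key>static/logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""

ACCESS_DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Key fragments that point at the record types in the report. Assumption: the
# app names objects descriptively, as the constructed keys do.
SENSITIVE_HINTS = ("birth", "certificate", "report", "result", "receipt", "address", "phone")


def classify_listing(status: int, body: str):
    """('public', keys) if anonymous listing succeeded, ('private', []) if it was
    denied, ('unknown', []) for anything else (redirects, HTML error pages, ...)."""
    if status == 403:
        return "private", []
    if status != 200:
        return "unknown", []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown", []
    if root.tag != S3_NS + "ListBucketResult":
        return "unknown", []
    keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
    return "public", keys


def sensitive_keys(keys):
    """Subset of object keys whose names suggest personal documents."""
    return [k for k in keys if any(h in k.lower() for h in SENSITIVE_HINTS)]


if __name__ == "__main__":
    verdict, keys = classify_listing(200, PUBLIC_LISTING)
    print(verdict, len(keys), "objects;", len(sensitive_keys(keys)), "look sensitive")
    print(classify_listing(403, ACCESS_DENIED))
```

In practice the input comes from a plain unauthenticated request to the bucket's root URL; a `public` verdict on a bucket that holds per-child documents is the finding, and the remediation is on the storage side (private bucket and object permissions, with the app handing out short-lived signed URLs) rather than in the mobile apps.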

Windows Hello Fingerprint Issues

  • Research by Blackwing Intelligence
    • commissioned by Microsoft’s Offensive Research and Security Engineering (MORSE) team
    • goal: bypass Windows Hello fingerprint authentication
  • Tested
    • Dell Inspiron 15 with a Goodix fingerprint sensor
    • Lenovo ThinkPad T14s with a Synaptics sensor
    • Microsoft Surface Pro X with an ELAN sensor
    • all three were bypassed
  • Match-on-Chip
    • the fingerprint sensor itself carries a microprocessor and memory
    • matching happens on the sensor; fingerprint data never leaves it
    • this protects the stored templates, but the match result still travels from the sensor to the host, so the host has to be able to trust that channel
  • Attack
    • requires physical access to the targeted device
    • a hacking device is connected to the laptop over USB, or the fingerprint sensor is wired to a specially crafted rig
    • Dell and Lenovo
      • enumerate the valid IDs associated with enrolled fingerprints
      • enroll the attacker’s fingerprint while spoofing a legitimate user’s ID
    • Surface
      • unplug the Type Cover (the keyboard, which houses the fingerprint sensor)
      • connect a USB device that spoofs the fingerprint sensor
        • it tells the system that an authorized user is logging in
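The Surface case above comes down to the host believing a "user X matched" message from whatever is plugged into the sensor's USB port. The toy below is an added illustration for these notes, not Windows Hello's protocol or any vendor's firmware: a genuine sensor answers a host nonce with a keyed MAC over the matched template ID, a spoofed USB device answers with a bare claim, and two host policies decide. The per-device key, the template IDs and the `GenuineSensor`/`SpoofedSensor` classes are all constructed for the example.

```python
import hashlib
import hmac
import os

# Toy model of the host <-> fingerprint-sensor exchange, written for this example.
# It is not Windows Hello or any vendor protocol; it only shows why a host must
# authenticate the sensor's "matched" message rather than trust the USB bus.


class GenuineSensor:
    """Match-on-chip sensor: templates stay on the chip; it reports only an ID.
    It shares a per-device key with the host (assumed provisioned at pairing)."""

    def __init__(self, device_key: bytes, enrolled_ids):
        self._key = device_key
        self._enrolled = set(enrolled_ids)

    def authenticate(self, nonce: bytes, finger_resolves_to: int):
        # In hardware the chip derives the ID from the finger; here the caller
        # passes the ID the finger would resolve to, so the toy stays deterministic.
        if finger_resolves_to not in self._enrolled:
            return None
        msg = nonce + finger_resolves_to.to_bytes(4, "big")
        return {"id": finger_resolves_to, "mac": hmac.new(self._key, msg, hashlib.sha256).digest()}


class SpoofedSensor:
    """Attacker's USB device: claims a match for whatever ID the host expects,
    with no key material at all."""

    def authenticate(self, nonce: bytes, claimed_id: int):
        return {"id": claimed_id, "mac": b"\x00" * 32}


def host_accepts_weak(response, valid_ids) -> bool:
    """Host trusts the bus: any well-formed 'matched <id>' for a known user wins."""
    return response is not None and response["id"] in valid_ids


def host_accepts_strict(response, valid_ids, device_key: bytes, nonce: bytes) -> bool:
    """Host requires a fresh, keyed proof bound to this nonce and this sensor."""
    if response is None or response["id"] not in valid_ids:
        return False
    expected = hmac.new(device_key, nonce + response["id"].to_bytes(4, "big"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response["mac"])


def demo() -> dict:
    device_key = os.urandom(32)     # provisioned secret (constructed)
    valid_ids = {1, 2}              # template IDs the host maps to its users
    nonce = os.urandom(16)
    genuine, spoof = GenuineSensor(device_key, valid_ids), SpoofedSensor()
    return {
        "genuine_weak": host_accepts_weak(genuine.authenticate(nonce, 1), valid_ids),
        "spoof_weak": host_accepts_weak(spoof.authenticate(nonce, 1), valid_ids),
        "genuine_strict": host_accepts_strict(genuine.authenticate(nonce, 1), valid_ids, device_key, nonce),
        "spoof_strict": host_accepts_strict(spoof.authenticate(nonce, 1), valid_ids, device_key, nonce),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce matters as much as the key: without it, a captured genuine response could be replayed later, which is why the strict host binds the MAC to a value it chose for this login attempt. The ID-enumeration step used against the Dell and Lenovo machines is a reminder that the enrolment path needs the same authenticated channel as the match path.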

BlackCat claims the Fidelity National Finance Attack

  • Fidelity National Financial (FNF)
    • Fortune 500
    • $11 billion in total revenue in 2022
    • title insurance and settlement services
      • real estate and mortgage industries.
    • 8-K filing with the Securities and Exchange Commission (SEC)
      • shut down several systems, disrupting various areas of the business.
      • material impact
  • What is known?
    • SEC filing describes an incident identified on November 19
      • made public two days later
        • within the four-business-day reporting window
    • ALPHV/BlackCat
      • November 22
      • posted FNF to their leak blog.
      • poked fun at the incident response company
        • Mandiant
          • its reputation
          • lack of action regarding the attack
      • gave FNF more time before leaking anything
        • “Before disclosing whether or whether we have [not] collected any data, we will allow FNF further time to get in touch,” it said. “Wouldn’t want to disclose every card at this early stage.”
  • Impact
    • companies and home buyers
      • unable to close purchases
      • waiting for the closing system to come back online.
  • Speculation: initial access via “CitrixBleed”
    • Kevin Beaumont
      • security researcher
      • Shodan data on FNF’s NetScaler boxes
        • patched about two weeks after the fix came out.
    • CitrixBleed
      • CVE-2023-4966
      • an unauthenticated attacker sends a specially crafted request to a NetScaler ADC or Gateway instance.
      • the response leaks valid session tokens.
      • replaying a stolen token bypasses authentication.
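A request-side detector for the CitrixBleed pattern, added here as an example and not taken from The Register's article or from Citrix. The specific shape it looks for comes from public analyses of CVE-2023-4966, not from the notes above: an implausibly long Host header sent to the appliance's OpenID configuration endpoint, which caused the response to include memory beyond the intended buffer, where session tokens were recovered. The two sample requests, the hostname and the 1024-byte threshold are constructed for this example.

```python
from urllib.parse import urlsplit

# Publicly documented exploitation pattern for CVE-2023-4966 (from public
# analyses of the bug, not from the show notes): an oversized Host header on
# the OpenID configuration endpoint. A legitimate Host header is a hostname and
# maybe a port, so a kilobyte is already far outside normal.
SUSPECT_PATHS = {"/oauth/idp/.well-known/openid-configuration"}
HOST_LEN_THRESHOLD = 1024   # constructed threshold; tune to your environment


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def citrixbleed_findings(raw: bytes) -> list:
    """Findings for one request: 'oversized_host' for any request whose Host header
    is implausibly long, plus 'citrixbleed_probe' when it also targets the known path.
    Flagging oversized Host headers regardless of path generalises past this one CVE."""
    _method, target, headers = parse_request_head(raw)
    path = urlsplit(target).path
    findings = []
    if len(headers.get("host", "")) > HOST_LEN_THRESHOLD:
        findings.append("oversized_host")
        if path in SUSPECT_PATHS:
            findings.append("citrixbleed_probe")
    return findings


# Constructed traffic: one normal request, one shaped like the public pattern.
BENIGN = (b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
          b"Host: gateway.example.com\r\nUser-Agent: curl/8.4.0\r\n\r\n")
PROBE = (b"GET /oauth/idp/.well-known/openid-configuration HTTP/1.1\r\n"
         b"Host: " + b"a" * 24812 + b"\r\nConnection: close\r\n\r\n")
OTHER_PATH = (b"GET /vpn/index.html HTTP/1.1\r\n"
              b"Host: " + b"a" * 4096 + b"\r\n\r\n")


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE), ("other", OTHER_PATH)):
        print(label, citrixbleed_findings(req))
```

Two caveats for anyone applying this. It needs a vantage point that sees the raw request (a proxy, tap or WAF in front of the appliance), since the NetScaler itself is the thing under attack. And the timeline on this page is the reason detection still matters after patching: a token stolen before the fix keeps working until sessions are explicitly invalidated, so patching has to be paired with killing existing sessions and hunting for logins that reused them.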