Server hacked CVE-2023-49103 / CWE-284

Antoine · November 28, 2023, 3:30pm

Hello,

Hi there customers-domain, this is the LockBit hacking group,
We would like to notify you that we have obtained access to sensitive data from your OwnCloud resource.
We have included a complete list of files for your reference.
We wanted to talk with you and your leadership first, so we purposefully kept your organization a secret.
We will sell your information on the black market and post it on our site, if you choose to ignore us after 3 days.

Here is the message we have in all our folders.
All files have been erased.

OS is debian 12
Owncloud server is 10.12.0
oAuth2 is 0.6.0

https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://owncloud.com/security-advisories/subdomain-validation-bypass/

We use 2FA.
We changed admin password and DB credentials, reboot servers, and files continue to be erased.
This is the admin account which is used by hackers remotes IP.
So we have closed owncloud servers.
If we upgrade to last release of owncloud and to oAuth2 0.6.1, are we secured ?
We will also whitelist all goods IP and block all others.

LinkP · November 28, 2023, 4:46pm

No one here can tell you that taking action X will make your compromised host safe to use.

You should operate on a default assumption that it will never be safe again.

You need to engage with a professional that specializes in incident response.

tom42 · November 28, 2023, 9:52pm

Hey,

i think the attacker could have been used CVE-2023-49105 (and not CVE-2023-49103) because the description sounds more fitting:

An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured.

jnweiger · November 29, 2023, 10:14am

This is getting confusing here… let me clarify:

oaut2h2-0.6.1 addresses NVD - CVE-2023-49104
graphapi-0.3.1 addresses NVD - CVE-2023-49103
and for NVD - CVE-2023-49105 you need to upgrade the server core …

hodyroff · November 29, 2023, 10:17am

Yes. We have shipped updates in September. Recommend to upgrade to 10.13.3 plus the newest apps - with one of the supported update mechanisms: How to Upgrade Your ownCloud Server :: ownCloud Documentation

Antoine · November 29, 2023, 10:41am

Hello, we have made the updates and have set up a whitelist IP. Everything seems to be back to normal. Thanks.

tom42 · November 29, 2023, 4:57pm

Hey,

thank you for the clarification. What i actually wanted to say is that i think that the description of CVE-2023-49105 is fitting the best to what the initially posting has reported:

I think the other CVEs CVE-2023-49103 or CVE-2023-49104 can’t be misused to delete files or am i wrong with this assumption?

system · February 27, 2024, 4:58pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.