Daily Archives: May 15, 2020

Papa don’t breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm ‘hack’

Posted on by

Hackers are threatening to release 756GB of A-list celebs’ contracts, recording deals, and other personal info allegedly stolen from a New York law firm.

The miscreants have seemingly got their hands on confidential agreements, private correspondence, contact details, and other information belonging to superstars, including Madonna, Christina Aguilera, Sir Elton John, Run DMC, Bruce Springsteen, Barbra Streisand, and Lady Gaga, and their representatives.

The data was swiped by the REvil, aka Sodinokibi, malware-slinging gang best known for taking down Travelex, infosec biz Emsisoft’s Brett Callow told The Register.

A Tor-hidden website belonging to REvil, which lists dozens of organizations compromised by the crew, includes screenshots of folders, a non-disclosure agreement, Madonna’s 2019-2020 tour arrangements, and Aguilera’s music rights as proof of its cyber-heist.

The gang claims to have hacked entertainment law firm Grubman Shire Meiselas & Sacks, based in the Big Apple, and siphoned its documents.

The law firm could not be reached for comment. We assume they were otherwise occupied. Their website right now just shows its logo whereas as recently as May 8, it listed its clients and staff.

“The documents purportedly include information about multiple music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel, HBO’s ‘Last Week Tonight With John Oliver,’ and Run DMC. Facebook also is on the hackers’ hit list,” reported showbiz industry mag Variety, which was also tipped off by Emsisoft.

The law firm also represents big name personalities in TV, film, and sport, and media and online giants, from Kate Upton and Robert De Niro to Sony, Spotify, Vice, and EMI. It is assumed the swiped data was partially leaked to encourage the lawyers to cough up a ransom demand – or the rest of the information would spill onto the dark web. ®

Updated to add

Grubman Shire Meiselas & Sacks have said they were hacked, and in a statement said: “We can confirm that we’ve been victimised by a cyber-attack. We have notified our clients and our staff. We have hired the world’s experts who specialise in this area, and we are working around the clock to address these matters.”

Source: Papa don’t breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm ‘hack’ • The Register

Russia admits, yup, the Americans are right: One of our rocket’s tanks just disintegrated in Earth’s orbit

Posted on by

Russian rocket tanks used to launch a radio telescope have broken up into 65 chunks, littering Earth’s orbit with debris.

The tanks, dumped from the Fregat-SB upper stage of the Zenit-3SLBF rocket that took the Spektr-R radio telescope into orbit in 2011, disintegrated on Friday, Roscosmos said on Sunday. “According to reports, the destruction occurred on May 8, 2020 in the time interval 08:00 – 09:00 Moscow time over the Indian Ocean,” a statement reads.

It’s not clear what caused the break-up. The 18th Space Control Squadron (18 SPCS) of the US Air Force went public with details of the disintegration on Saturday, and noted there was no evidence it was caused by a collision

[…]

Roscosmos said it is counting up the exact number of fragments from the, well, rapid self-disassembly of the tank block. There are said to be at least 65 pieces whizzing round at thousands of miles per hour in an orbit with an apogee height of 3,606 kilometres, perigee height of 422 kilometres, and orbital inclination of 51.45 degrees.

As for the Spektr-R: it was declared defunct in early 2019 after going silent. At the time, it was Russia’s only space telescope publicly known to be operational.

Source: Russia admits, yup, the Americans are right: One of our rocket’s tanks just disintegrated in Earth’s orbit

Amazon builds UV-light robot to kill coronavirus on surfaces

Posted on by

Amazon built robot that is designed to kill the novel coronavirus with ultraviolet light.

The robot looks a little like a hotel luggage cart, with a tall metal frame attached to a rectangular wheeled bottom. One side of the frame is outfitted with at least 10 ultraviolet tube lights.

In a video shared with CBS News’ “60 Minutes,” the robot rolls down the freezer aisle of a Whole Foods store, aiming UV light at the freezer doors.

The robot could be used in warehouses and at Whole Foods stores to kill the virus on surfaces such as food, packaging, and door handles.

Source: Amazon builds UV-light robot to kill coronavirus on surfaces – Business Insider

Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off

Posted on by

Britain’s Ministry of Defence contractor Interserve has been hacked, reportedly leaking the details of up to 100,000 of past and current employees, including payment information and details of their next of kin.

The Daily Telegraph reports that up to 100,000 employee details were stolen, dating back across a number of years. Interserve currently employs around 53,000 people.

A source told the paper that names, addresses, bank details, payroll information, next of kin details, personnel and disciplinary records had been swiped.

The intrusion took place “earlier this month,” the tight-lipped firm said in a statement.

[…]

Interserve holds a number of public sector contracts comprising, among others, some of the Ministry of Defence’s more important bases. The company website says it has a presence on 35 MoD sites, including: the Falkland Islands; the vital mid-Atlantic RAF staging post on Ascension Island; Gibraltar; and Cyprus. The contract for the overseas bases is reportedly worth around £500m.

Closer to home, Interserve also maintains the vital and secretive MoD bunkers at Corsham, coyly referred to as “the cutting edge global communications hub for the Ministry of Defence”. Corsham is in fact the home of the MoD’s Global Operations Security Control Centre, as well as the Joint Security Co-ordination Centre, plus a Cyber Security Operations Centre.

Informed sources whispered to El Reg that quite a few people at Corsham would be unhappy with news that a contractor with full access to the sensitive site has been hacked.

Source: Brit defense contractor hacked, up to 100,000 past and present employees’ details siphoned off – report • The Register

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Posted on by

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases.

Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data is secured using rules which “work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths”, according to the docs. This is combined with authentication to lock up confidential data while also allowing access to shared data.

“A common Firebase misconfiguration allows attackers to easily find and steal data from storage. By simply appending ‘.json’ to the end of a Firebase URL, the attacker can view and download the contents of vulnerable databases,” the report explained.

How common a problem is it? The Comparitech security team reviewed just over half a million apps, comprising, they say, about 18 per cent of apps in the Play store. “In that sample, we found more than 4,282 apps leaking sensitive information,” the report claimed.

Source: Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases • The Register

PrintDemon vulnerability impacts all Windows versions | ZDNet

Posted on by

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996.

The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations.

The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later.

Trivially exploitable local privilege elevation

In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism.

[…]

PrintDemon is what researchers call a “local privilege escalation” (LPE) vulnerability. This means that once an attacker has even the tiniest foothold inside an app or a Windows machine, even with user-mode privileges, the attacker can run something as simple as one unprivileged PowerShell command to gain administrator-level privileges over the entire OS.

This is possible because of how the Print Spooler service was designed to work, Ionescu and Shafir said.

Because this is a service meant to be available to any app that wants to print a file, it is available to all apps running on a system, without restrictions. The attacker can create a print job that prints to a file — for example a local DLL file used by the OS or another app.

The attacker can initiate the print operation, crash the Print Spooler service intentionally, and then let the job resume, but this time the printing operation runs with SYSTEM privileges, allowing it to overwrite any files anywhere on the OS.

In a tweet today, Ionescu said exploitation on current OS versions requires one single line of PowerShell. On older Windows versions, this might need some tweaking.

“On an unpatched system, this will install a persistent backdoor, that won’t go away *even after you patch*,” Ionescu said.

Patches available

The good news is that this has now been patched, hence Ionescu and Shafir’s public disclosure. Fixes for PrintDemon have been released yesterday, with the Microsoft May 2020 Patch Tuesday.

PrintDemon is tracked under the CVE-2020-1048 identifier. Two security researchers from SafeBreach Labs, Peleg Hadar and Tomer Bar, were the first to discover the issue and report it to Microsoft. The two will be presenting their own report on the issue at the Black Hat security conference in August.

Ionescu has also published proof-of-concept code on GitHub with the purpose of aiding security researchers and system administrators investigate the vulnerability and prepare mitigations and detection capabilities.

Last month, Ionescu and Shafir have also published details and proof-of-concept code for a similar vulnerability that they named FaxHell.

FaxHell works similarly to PrintDemon, but the researchers exploited the Windows Fax service to overwrite and hijack local (DLL) files to install shells and backdoors on Windows systems.

Source: PrintDemon vulnerability impacts all Windows versions | ZDNet