This article might look like an ad but trust me, it’s not. I suggest you stick around until the end of the article, there will be a small-ish surprise.

In case you’re not familiar with Cellebrite, they are an Israeli digital intelligence company that provides tools for federal, state, and local law enforcement as well as enterprise companies and service providers to collect, review, analyze and manage digital data.

Cellebrite UFED 4PC is a universal hardware and software package for forensic research that makes it possible to extract, decode and analyze digital data obtained from mobile devices on an existing PC or laptop. The complex is delivered with a set of UFED applications, peripherals and accessories necessary for successful research. UFED 4PC can work both independently and with third-party software.

Earlier today we got a hint that a new Spring Core RCE might be available:

Well, now it’s confirmed. Additional info (PDF file, in Chinese by original author).

Vulnerability impact

• JDK version 9 and above.
• uses Spring Framework or derivative framework.

Bug fixes

At present, the Spring maintainers have not released a patch and it is recommended to use a lower JDK version as a temporary solution.

PoC (download)

Lapsus$ is back and on fire, today we got a new leak today with Globant.com admin credentials and a 70GB torrent from Globant customers. Keep in mind that no torrent files are hosted on the sizeof.cat website.

Globant is an IT and Software Development company operating in Argentina, Colombia, Uruguay, the United Kingdom, Brazil, the United States, Canada, Peru, India, Mexico, Chile, Costa Rica, Ecuador, Spain, France, Germany, Romania and Belarus. It was formed in 2003 by Martín Migoya, Guibert Englebienne, Martín Umaran and Néstor Nocetti. It was founded in Buenos Aires, but currently is headquartered in Luxembourg and principally serves clients in the United States and United Kingdom.

Original messages from Lapsus$ Group are below.

If you’ve heard the name but are wondering what it means, OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. In practice, that tends to mean information found on the Internet, but technically any public information falls into the category of OSINT whether it’s books or reports in a public library, articles in a newspaper or statements in a press release.

Maps, geo-location, transport

Social media and photos

• Apps.skylens.io — posts with geo-tags from five social networks at once on one map (Twitter, YouTube, Instagram, Flickr, Vkontakte).
• photo-map.ru — search geo-tagged photos from Vkontakte.
• Snapchat map
• YouTube Geofind — view YouTube geo-tagged video on map.
• Flickr Photo Map
• Flickr Common Map — displays only Flickr photos distributed under a Creative Commons license (250 of the latest for each location).
• I know where your cat lives — geo-tagged photo from Instagram with the cat hashtag.
• Trendsmap.com — explore most popular Twitter trends, hashtags and users on the world-map.
• Pastvu.com — view historical photos taken at a particular location on a map.