Cybercrime: Data leaks at Apple and T-Mobile, rumors about Jira exploit

A known cybercriminal is trying to monetize internal data from Apple and T-Mobile as well as an alleged exploit for Jira. One of the two companies denies a breach.

A well-known cyber crook is currently trying to sell internal data from Apple and from Deutsche Telekom's US subsidiary T-Mobile on the darknet. The same actor is also offering a zero-day exploit for Atlassian's Jira ticketing system for sale. Is this a strange coincidence, a deliberate false trail, or is there a connection between the three sales offers?

Apparently, the attacker using the pseudonym "IntelBroker" penetrated the internal systems of a contractor or of Apple itself and stole configuration files and source code for Jira and Confluence plugins. However, he or she does not seem to rate their value very highly: an asking price equivalent to just under three euros does not suggest a unique treasure trove of data. In a technical analysis of the files, the security experts at AHCTS also point out that the material is mostly unspectacular. Some configuration files do contain access credentials in plain text, but negative consequences for Apple customers are not to be expected. Apple has not yet commented.

[Screenshot: IntelBroker offers internal Apple data for a small price. (Image: heise security)]

The experts also found contact details of a US company in the files, which apparently developed the plugins. AHCTS was unable to determine beyond doubt whether the leak occurred there or at the software and hardware giant from Cupertino.


T-Mobile US, the American subsidiary of the Bonn-based Deutsche Telekom group, has also suffered a data leak. Besides many files in the SIL format (Simple Issue Language, a Jira scripting language) and SQL dumps, the file list also includes scripts for the IaC platform Terraform. It is striking that T-Mobile also appears on the customer list of the US service provider mentioned above, which offers software development as well as consulting on topics such as digitalization and agile processes.
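The recurring detail in both leaks is configuration material (plugin config files, Terraform scripts) that carries credentials inline. The first thing a practitioner does with such a dump, whether as the affected company or as a responder at the contractor, is to find out which secrets are actually exposed so they can be rotated. The following is an added example, not code from the article or from any of the companies or researchers it mentions: a small triage scanner with a few constructed sample files (no real leaked data) that flags hard-coded credentials while skipping values that merely reference a variable or vault, and that redacts what it reports so the findings list does not become a second leak.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample files standing in for the kinds of material the article
# describes (Terraform, a Java-style properties file, a plugin XML config).
# Entirely made up; the AWS key below is Amazon's documented example key.
SAMPLE_FILES = {
    "main.tf": """
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
variable "db_password" {
  description = "set via TF_VAR_db_password"
  sensitive   = true
}
""",
    "jira-plugin.properties": """
jira.base.url=https://jira.example.internal
jira.service.user=svc-plugin
jira.service.password=Spring2024!
""",
    "confluence-config.xml": """
<config>
  <user>sync-bot</user>
  <password>hunter2</password>
  <url>https://svc:s3cr3t@confluence.example.internal/rest</url>
</config>
""",
}


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    kind: str
    preview: str  # redacted; the full secret is never copied into the report


# Ordered checks; the secret value is always capture group 1.
PATTERNS = [
    ("aws-access-key-id", re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("url-embedded-credentials",
     re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s]+)@")),
    ("xml-password-element", re.compile(r"<password>([^<]+)</password>", re.I)),
    ("hardcoded-assignment",
     re.compile(r"\b(?:password|passwd|secret_key|secret|token|api_key)\b"
                r"\s*[=:]\s*[\"']?([^\"'\s]+)", re.I)),
]

# Values that point at a variable, data source or vault lookup rather than
# carrying the secret inline; these are what the hardened form looks like.
SAFE_PREFIXES = ("${", "var.", "data.", "local.", "env(")


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it during rotation."""
    return value[:3] + "***"


def scan(files: dict[str, str]) -> list[Finding]:
    """Return one Finding per line that carries a literal credential."""
    findings: list[Finding] = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if not m:
                    continue
                value = m.group(1)
                if value.startswith(SAFE_PREFIXES):
                    break  # indirection, not a secret: nothing to rotate
                findings.append(Finding(path, lineno, kind, redact(value)))
                break  # one finding per line is enough for triage
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Number of exposed credentials per file, for the rotation checklist."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.path}:{f.lineno} {f.kind} {f.preview}")
```

Note that the Terraform `variable "db_password"` block with `sensitive = true` produces no finding: the value is supplied at run time, which is the pattern that should replace the inline `access_key`/`secret_key` literals. The regexes are deliberately narrow; for real triage you would run a dedicated secret scanner as well, but the structure (detect, filter indirections, redact, count per file) is the same.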

Speaking to "Bleeping Computer", T-Mobile denied an attack on its own systems but said it is investigating indications of an attack at a service provider. According to the company, the attacker's claim to have compromised T-Mobile's own infrastructure is false. Members of the underground forum also raised doubts and drew the connection between the Apple and T-Mobile leaks. This apparently did not hurt sales, however: the listing has since been marked as "sold".

Whether this is in fact a major data leak at the service provider in question, as the AHCTS experts speculate, remains completely unclear. However, "IntelBroker" seems to have a third ace up their sleeve: a previously unpatched ("zero-day") critical-severity exploit against Atlassian Jira, which they also want to monetize. If the cybercriminal is to be believed, it is a "remote code execution" bug that lets attackers inject malicious code into the latest version of the desktop app and presumably also the web-based server application. It is conceivable that the criminal already used this vulnerability to copy the Apple and T-Mobile data, but nothing on offer proves it.

The asking price for the exploit is 800 Monero, a good 125,000 euros at current rates. By comparison, Atlassian's own bug bounty pays security researchers 6,000 US dollars for reporting a vulnerability of this class.

Whether the sales offers have substance or are just hot air is hard to assess, and it is equally impossible to say whether the three incidents are actually connected. When asked by heise security, Atlassian was initially unable to comment; T-Mobile's denial seems plausible.

As is usual on the darknet, the seller's statements cannot be independently verified; the forum user "IntelBroker" is, however, currently particularly active. They claim to have stolen data from AMD and recently sold presumably worthless access to the network of the security company Zscaler.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.