Headline
Was T-Mobile compromised by a zero-day in Jira?
IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?
A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.
The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)
Post offereing data for sale supposedly from a T-Mobile internal breach
To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.
But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.
When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.
Found CVE-2024-1597
This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.
The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.
For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.
If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.
This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.
IntelBroker selling zero-day for JIra
“I’m selling a zero-day RCE for Atlassian’s Jira.
Works for the latest version of the desktop app, as well as Jira with confluence.
No login is required for this, and works with Okta SSO.”
If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.
Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.
“We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”
We don’t just report on threats – we help safeguard your entire digital identity
Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.
Related news
Red Hat Security Advisory 2024-5056-03 - Red Hat Integration Camel K 1.10.7 release and security update is now available.
Red Hat Security Advisory 2024-4402-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.
Red Hat Security Advisory 2024-4057-03 - Release of OpenShift Serverless Logic 1.33.0. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2024-2624-03 - Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.2 Telecommunications Update Service.
Red Hat Security Advisory 2024-1999-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.
Red Hat Security Advisory 2024-1686-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include an information leakage vulnerability.
Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1649-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.
Red Hat Security Advisory 2024-1436-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 9.
Red Hat Security Advisory 2024-1435-03 - An update for postgresql-jdbc is now available for Red Hat Enterprise Linux 8.
# Impact SQL injection is possible when using the non-default connection property `preferQueryMode=simple` in combination with application code that has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted. # Exploitation To exploit this behavior the following conditions must be met: 1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. `-`) 1. There must be a second placeholder for a string value after the first placeholder on the same line. 1. Both parameters must be user controlled. The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a `--` SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parame...
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.