Andrew

@andrewchenke

288
Followers
300
Following
14
Media
141
Statuses

Enterprise Cybersecurity Consultant, Complex Business Solutions Developer & System Administrator | RT, Likes & Follows ≠ Endorsement, Owner at @ahctsllc

Ohio, USA
Joined November 2020
Pinned Tweet
@andrewchenke
Andrew
29 days
Breaking down the #Apple Internal Tool Leak -- Follow along for realtime analysis updates as the write-up is completed! Questions + relevant intel is welcomed, as always! #databreach #leak #cybersecurity #news #BreakingNews
6
17
78
@andrewchenke
Andrew
29 days
@DarkWebInformer I obtained a copy of the data and will be doing a write up on the data shortly
3
0
24
@andrewchenke
Andrew
29 days
TLDR; Preliminary analysis shows hardcoded auth information and admin creds, but all impacted systems are on the Apple corporate network, and possibly are not in use anymore due to the depreciation/age of the systems the leaked Atlassian plugins are designed for. #apple #infosec
0
2
9
@andrewchenke
Andrew
29 days
The data provided by IntelBroker does not contain malicious contents per VirusTotal. Initial signs show that Apple-HWE-Confluence-Advanced is the source code for a custom internal Atlassian Confluence/Jira UI, to
1
0
8
@andrewchenke
Andrew
29 days
The Apple-HWE-Confluence-Advanced project does not, on preliminary high-level review, appear to contain any sensitive or otherwise useful information.
1
0
6
@andrewchenke
Andrew
29 days
For the final folder, AppleMacroPlugin, this is yet another Confluence plugin; however, this is a custom-developed plugin by @CprimeInc, an agile transformation company. The plugin does not appear to contain any sensitive information and looks to be a custom feature for Confluence
0
1
5
@andrewchenke
Andrew
29 days
@H4ckManac My company has obtained the files and completed an analysis of the leaked data:
@ahctsllc
AHCTS LLC
29 days
A recent data leak of @Apple internal source code has been obtained and analyzed by the AHCTS security team - read our full findings below: #cybersecurity #databreach #infosec #Apple #cPrime
0
3
3
1
3
6
@andrewchenke
Andrew
29 days
@RefinedSoftware Based on the customizations made within the theme, the Confluence in question belongs to the Apple HMTS (Hardware, Manufacturing, and Test Solutions) team. HMTS team Apple branding is contained within the customization of the Confluence theme. (logo from data leak files below)
[Image: HMTS team logo from the data leak files]
2
0
6
@andrewchenke
Andrew
29 days
allow the development of custom branded, tailor-made platforms. The leaked data contains reference showing the data is a modified version of the @RefinedSoftware Advanced Theme Demo for Confluence.
1
0
6
@andrewchenke
Andrew
29 days
@Apple JiraSSORedirect the custom frontend plugin for Jira.
1
0
5
@andrewchenke
Andrew
29 days
For these plugins and their backend handlers, the software versions indicate version releases between ~2011-2015, which potentially reduces the impact this data has, due to the age and push from Atlassian to move into its cloud product offerings.
1
1
5
@andrewchenke
Andrew
29 days
@Apple The AppleConnect SSO codebase is built upon Atlassian Seraph, whose documentation and public documentation has not been updated since 2013, bringing to question when this code was last actually used. Within the AppleConnect SSO files, four folders are present:
1
0
5
@andrewchenke
Andrew
29 days
The AppleConnect SSO files contain a default configuration file containing a default app ID, admin password, validation URL, and similar data, which appears to complete the necessary information for authentication to the Apple Retail Tech team's confluence.
2
0
4
@andrewchenke
Andrew
29 days
All authentication endpoints provided within the codebase appear to be located within Apple's corporate network, and are not publicly accessible. @Apple will need to verify the validity of the credentials. The code contains links to internal documentation on
1
0
4
@andrewchenke
Andrew
29 days
@Apple the usage of "Atlassian AppleConnect Authentication" located within the Apple retail confluence.
1
0
4
@andrewchenke
Andrew
7 months
@dawnvhh You turned him into an alcoholic
0
0
2
@andrewchenke
Andrew
29 days
@_Gr4yb0x @DarkWebInformer Still in progress however I’ll be realtime tweeting analysis information in a thread as the analysis and write-up is completed.
0
0
3
@andrewchenke
Andrew
29 days
@DarkWebInformer Realtime info on the breakdown of the leak, as our team completes the analysis and writeup of the data.
1
0
3
@andrewchenke
Andrew
29 days
@Apple The conf-auth contains the backend authentication handler for the Apple confluence and the aforementioned hardcoded credentials. ConfluenceSSORedirect is a custom Confluence Plugin. jira-auth is the backend authentication handler for the AppleConnect Jira integration, and
1
0
3
@andrewchenke
Andrew
2 years
@malwrhunterteam new webshell & automated exploit for the current WordPress discovered after active threat for a client's infrastructure DM for details if you'd like, uses custom code and installs a persistent presence, using a mix of old known shells and custom code
1
3
2
@andrewchenke
Andrew
3 years
Here right now - not surprised but still very disappointed
@BarstoolBigCat
Big Cat
3 years
HOLY MACTION
83
184
5K
0
0
0
@andrewchenke
Andrew
3 years
@Chick3nHawk01 Yeah I find it interesting that they are just calling the incident a data center outage when it seems they were hacked
1
0
1
@andrewchenke
Andrew
2 years
This should be interesting
@YourAnonOne
Anonymous
2 years
The #Anonymous collective has taken down the website of the #Russian propaganda station RT News.
2K
13K
119K
0
0
1
@andrewchenke
Andrew
2 years
@HackingDave I loved it
0
0
1
@andrewchenke
Andrew
3 years
@vxunderground
vx-underground
3 years
October 14th, 2021 an angry RaidForum user, @F_adelAwad, leaked @offsectraining exam answers online. Today Offensive Security stated, due to the leak, exams will be postponed. Image: Offensive Security Training announcement
1
35
123
1
0
1
@andrewchenke
Andrew
2 years
Applied AFTER the block rule has already blocked the request. Please contact me asap with a solution or my paying clients will be finding another WAF and DNS provider. @CloudflareDev @CloudflareHelp #cloudflare #brokenupdate #dns #cybersecurity #attention #badpress
0
0
1
@andrewchenke
Andrew
2 years
@troyhunt @SwiftOnSecurity @haveibeenpwned @SendGrid Use AWS Simple Email Service, it’s cheaper and you can request the sending quota and send per second to fit your needs.
2
0
1
@andrewchenke
Andrew
2 years
Funny how I make this post and the very next morning I’m allowed into the app 😂 what a coincidence 🤨
@andrewchenke
Andrew
2 years
@CNNPolitics @washingtonpost @Reuters it seems that the “Wait List” shown to many #TruthSocial users is actually a wait list for trump’s vetting team to decide if you meet the criteria for the platform. Notice the correspondence between the unapproved position and wait list
1
0
0
0
0
1
@andrewchenke
Andrew
4 months
@dawnvhh I bought $84 worth from Erin last Saturday 🤠
2
0
1
@andrewchenke
Andrew
3 months
@dawnvhh Barter like it’s India
1
0
1
@andrewchenke
Andrew
28 days
@happygeek @Forbes Thanks for including our team’s work! We’re proud to be a trusted source for cybersecurity solutions around the world!
1
0
1