Microsoft: State hackers exploiting Confluence zero-day since September
Microsoft says a Chinese-backed threat group tracked as 'Storm-0062' (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023.
Atlassian had already notified customers about the active exploitation status of CVE-2023-22515 when it disclosed it on October 4, 2023. Still, the company withheld specific details on the threat groups leveraging the vulnerability in the wild.
Today, Microsoft Threat Intelligence analysts shared more information about Storm-0062's involvement in CVE-2023-22515's exploitation and posted four offending IP addresses on a thread on Twitter.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
Considering that Atlassian made security updates available in early October, Storm-0062 exploited the flaw as a zero-day bug for nearly three weeks, creating arbitrary administrator accounts on exposed endpoints.
Storm-0062 is a state hacking group linked to China's Ministry of State Security and known for targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries to collect intelligence.
The United States charged the Chinese hackers in July 2020 for stealing terabytes of data by hacking government organizations and companies worldwide.
PoC exploit released online
According to data collected by cybersecurity company Greynoise, the exploitation of CVE-2023-22515 appears very limited.
However, a proof-of-concept (PoC) exploit and full technical details about the vulnerability released by Rapid7 researchers yesterday might change the exploitation landscape soon.
Rapid7 analysts showed how attackers could bypass existing security checks on the product and which cURL command can be used to send a crafted HTTP request on vulnerable endpoints that creates new administrator users with a password known to the attacker.
Their detailed write-up also includes an additional request that ensures other users won't receive a notification about the completion of the setup, making the compromise stealthy.
A week has passed since Atlassian rolled out security updates for the affected products, so users have had ample time to respond to the situation before the PoC exploit's public release.
If you haven't done so yet, it is recommended to upgrade to one of the following fixed Atlassian Confluence releases:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long-Term Support release) or later
Note that the CVE-2023-22515 flaw doesn't impact Confluence Data Center and Server versions before 8.0.0, so users of older releases don't need to take any action.
The same applies to Atlassian-hosted instances at atlassian.net domains, which are not vulnerable to these attacks.
For more details on the indicators of compromise, upgrade instructions, and a complete list of affected product versions, check Atlassian's security bulletin.
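As an added triage helper (not code from the article, Rapid7, or Atlassian), the Python below encodes the affected and fixed version ranges stated above so an inventory of self-hosted instances can be checked quickly; it assumes any release newer than 8.5.2 carries the fix and steers the 8.0.x to 8.2.x lines, which have no fixed build of their own, to the 8.5.2 LTS release.

```python
# Added example: decides whether a self-hosted Confluence Data Center/Server
# version falls in the CVE-2023-22515 affected range, using only the ranges the
# article states: nothing before 8.0.0 is affected; fixed builds are 8.3.3+,
# 8.4.3+ and 8.5.2+. Cloud (atlassian.net) instances are never affected.
from __future__ import annotations

import re

# Lowest fixed build per release line; anything at or above it is patched.
FIXED_RELEASES = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),  # Long-Term Support line
}
FIRST_AFFECTED = (8, 0, 0)
# Assumption: release lines newer than 8.5 shipped after the fix.
EARLIEST_FIXED_LINE = (8, 5, 2)


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str, hosted_on_atlassian_net: bool = False) -> bool:
    """True when this instance still needs the CVE-2023-22515 upgrade."""
    if hosted_on_atlassian_net:
        return False
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    line = v[:2]
    if line in FIXED_RELEASES:
        return v < FIXED_RELEASES[line]
    # 8.0.x-8.2.x have no fixed build of their own; later lines are post-fix.
    return v < EARLIEST_FIXED_LINE


def recommended_fix(version: str) -> str | None:
    """Smallest fixed release to move to, or None when no action is needed."""
    if not is_affected(version):
        return None
    line = parse_version(version)[:2]
    # Assumption: lines without their own fixed build go to the 8.5.2 LTS.
    target = FIXED_RELEASES.get(line, FIXED_RELEASES[(8, 5)])
    return ".".join(map(str, target))
```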