Chinese state-backed hackers [1] [2] [6], known as Storm-0062 or DarkShadow, have been identified by Microsoft as the entity behind zero-day exploits targeting Atlassian’s Confluence Data Center and Server products [4].
Description
This malicious activity began on September 14 [4], three weeks before Atlassian publicly disclosed the issue [4] [6]. Storm-0062 [1] [3] [4] [5] [6], which has been conducting cyberespionage operations for China’s Ministry of State Security [4], has been observed exploiting the CVE-2023-22515 vulnerability since September 14 [4]. Microsoft has shared four IP addresses linked to the exploit traffic [4]. The vulnerability allows for privilege escalation [4], enabling the creation of unauthorized Confluence administrator accounts [4] [5].
Microsoft advises organizations to upgrade to a fixed version and isolate vulnerable Confluence applications from the public internet [4]. Atlassian has confirmed the active exploitation of the bug and released an urgent patch [4]. The vulnerability affects on-prem instances of Confluence Server and Confluence Data Center [4], with instances on the public internet being particularly at risk [4]. Upgrading will not remove the compromise if an instance has already been compromised [4]. Business users are advised to check affected instances for indicators of compromise and disconnect compromised servers from the network/internet [4].
Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors [4]. The CISA’s KEV catalog lists six distinct Confluence vulnerabilities that require urgent attention [4]. This critical zero-day vulnerability in Atlassian software allows unauthorized access to Confluence servers [2], potentially compromising sensitive information [2]. Atlassian has released a patch and is urging all users to upgrade their systems to protect against this exploit [2]. Microsoft has identified the vulnerability, CVE-2023-22515 [1] [3] [4] [5] [6], which allows remote attackers to create unauthorized Confluence administrator accounts and access Confluence servers [5] [6]. The flaw has been addressed in the latest versions of the software [5]. Storm-0062 is associated with Li Xiaoyu [5], a Chinese hacker accused of infiltrating numerous companies [5], including Moderna [5].
Conclusion
Organizations using Confluence applications are advised to upgrade to the latest versions and isolate them from the public internet until the fixes are implemented [5]. This cyberespionage operation highlights the ongoing threat posed by state-sponsored hackers and the importance of proactive security measures. It also underscores the need for constant vigilance and prompt response to vulnerabilities in software systems. By staying informed and taking appropriate actions, organizations can mitigate the risks and protect their sensitive information from unauthorized access.
References
[1] https://www.tradingview.com/news/benzinga:439cff1a0094b:0-atlassian-under-siege-from-chinese-hackers-microsoft-discovers/
[2] https://robots.net/news/new-critical-atlassian-zero-day-exploited-by-state-backed-hackers-microsoft-says/
[3] https://www.darkreading.com/threat-intelligence/microsoft-chinese-apt-behind-atlassian-confluence-attacks-pocs-appear
[4] https://vulnera.com/newswire/microsoft-identifies-nation-state-threat-actor-behind-confluence-zero-day-attacks/
[5] https://mrhacker.co/vulnerabilities/microsoft-warns-of-nation-state-hackers-exploiting-critical-atlassian-confluence-vulnerability
[6] https://techcrunch.com/2023/10/11/chinese-state-hackers-atlassian-zero-day/
