Microsoft: State Hackers Exploiting Confluence Zero-day Since September

Cyber Security Threat Summary:
“Microsoft says a Chinese-backed threat group tracked as 'Storm-0062' (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023” (Bleeping Computer, 2023). Atlassian disclosed CVE-2023-22515 and its active exploitation last week, but did not specify which threat groups were leveraging the vulnerability in the wild. Microsoft shared more information on Storm-0062’s use of the vulnerability and published four offending IP addresses on social media.

Security Officer Comments:
While security updates were released quickly, Storm-0062 was able to exploit the flaw as a zero-day for nearly three weeks, using it to create arbitrary administrator accounts on exposed endpoints. Storm-0062 is a state-sponsored hacking group linked to China’s Ministry of State Security. The group is known to target software, engineering, medical research, government, defense, and tech firms in the United States, U.K., Australia, and other European countries. Back in July 2020, the United States charged several of this group's hackers with stealing terabytes of data by hacking government organizations and companies worldwide.

According to researchers, active exploitation of this vulnerability appears to be limited. That being said, Rapid7 researchers have released a proof-of-concept with full technical details, so we expect attacks exploiting the vulnerability to increase.

“Rapid7 analysts showed how attackers could bypass existing security checks on the product and which cURL command can be used to send a crafted HTTP request on vulnerable endpoints that creates new administrator users with a password known to the attacker” (Bleeping Computer, 2023). Most concerningly, the exploitation is quite stealthy, and users may not receive any notification that a new administrator account has been set up.

According to Microsoft, these four IP addresses below were observed sending related CVE-2023-22515 exploit traffic:

  • 192.69.90[.]31
  • 104.128.89[.]92
  • 23.105.208[.]154
  • 199.193.127[.]231
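Because the exploitation leaves no notification in the product, the published source addresses are one of the few artefacts a defender can hunt for directly. The following is an added example, not code from the advisory, Microsoft or Atlassian: it refangs the four addresses exactly as listed above and matches them against web-server access log lines in Common Log Format (the log layout is an assumption; the sample lines and their request paths are constructed placeholders, not real traffic).

```python
"""Match the Storm-0062 source addresses from the advisory against web-server access logs."""
import re
from typing import Dict, Iterable, List

# The four addresses Microsoft attributed to CVE-2023-22515 exploit traffic,
# kept in the defanged form the advisory uses.
DEFANGED_IOC_IPS = [
    "192.69.90[.]31",
    "104.128.89[.]92",
    "23.105.208[.]154",
    "199.193.127[.]231",
]


def refang(indicator: str) -> str:
    """Convert a defanged address ('1.2[.]3.4') back to a dotted quad for matching."""
    return indicator.replace("[.]", ".")


IOC_IPS = frozenset(refang(ip) for ip in DEFANGED_IOC_IPS)

# Common Log Format / Tomcat access log: the client address is the first field.
# Assumption: the log is in this layout; adapt the pattern for other formats.
_CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_ioc_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose client address is a listed indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _CLF_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess at the client field
        if m.group("ip") in IOC_IPS:
            hits.append(
                {
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "request": m.group("req"),
                    "status": m.group("status"),
                }
            )
    return hits


def scan_log_file(path: str) -> List[Dict[str, str]]:
    """Convenience wrapper: run the matcher over a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_ioc_hits(fh)


# Constructed sample lines for demonstration; they are not real traffic and the
# request paths are placeholders.
SAMPLE_ACCESS_LOG = [
    '10.20.30.40 - - [12/Oct/2023:09:14:01 +0000] "GET /login.action HTTP/1.1" 200 5120',
    '192.69.90.31 - - [12/Oct/2023:09:14:07 +0000] "POST /example.action HTTP/1.1" 302 0',
    '10.20.30.41 - - [12/Oct/2023:09:15:22 +0000] "GET /dashboard.action HTTP/1.1" 200 8810',
    '23.105.208.154 - - [12/Oct/2023:09:16:03 +0000] "GET /example.action HTTP/1.1" 200 640',
    "malformed line without a client address",
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_ACCESS_LOG):
        print(f"{hit['timestamp']} {hit['ip']} {hit['request']} -> {hit['status']}")
```

If Confluence sits behind a reverse proxy or load balancer, the first field of its access log will be the proxy's address, not the client's; in that case run the matcher over the proxy's logs or over whichever field carries the forwarded client address. A match on these addresses is a trigger for reviewing administrator accounts created since September 14, 2023, not proof of compromise on its own.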

Suggested Correction(s):
If you haven't done so yet, it is recommended to upgrade to one of the following fixed Atlassian Confluence releases:
  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long-Term Support release) or later
Note that the CVE-2023-22515 flaw doesn't impact Confluence Data Center and Server versions before 8.0.0, so users of older releases don't need to take any action. The same applies to Atlassian-hosted instances at atlassian[.]net domains, which are not vulnerable to these attacks.
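The version rules above are easy to misread when an estate runs several Confluence branches. As an added example (not Atlassian's or the advisory's own tooling), the function below encodes them: releases before 8.0.0 and Atlassian-hosted sites are not affected, 8.3.x/8.4.x/8.5.x must be at or above the listed fixed release, and 8.0.x to 8.2.x have no fixed release in their own branch and are pointed at the Long-Term Support line. Treating anything newer than the listed branches as covered by "8.5.2 or later" is an assumption, flagged in the code; confirm such releases against Atlassian's bulletin.

```python
"""Decide whether a Confluence Data Center/Server version needs the CVE-2023-22515 fix."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the advisory, keyed by release branch.
FIXED_RELEASES = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),  # Long-Term Support release
}
LTS_RELEASE = FIXED_RELEASES[(8, 5)]
FIRST_AFFECTED = (8, 0, 0)  # releases before 8.0.0 are stated to be unaffected


def parse_version(text: str) -> Version:
    """Parse '8.5.1' (optionally with a trailing qualifier) into a comparable tuple."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if m is None:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


def is_atlassian_hosted(hostname: str) -> bool:
    """Atlassian Cloud sites live under atlassian.net and are stated to be unaffected."""
    host = hostname.lower().rstrip(".")
    return host == "atlassian.net" or host.endswith(".atlassian.net")


def assess_version(version: str, hostname: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target).

    status is 'not_affected', 'vulnerable' or 'fixed'; upgrade_target is the
    minimum release to move to when status is 'vulnerable', otherwise None.
    """
    if hostname and is_atlassian_hosted(hostname):
        return ("not_affected", None)

    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return ("not_affected", None)

    branch = v[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is not None:
        if v < fixed:
            return ("vulnerable", format_version(fixed))
        return ("fixed", None)

    if branch < (8, 3):
        # 8.0.x to 8.2.x: affected, and no fixed release exists in those branches,
        # so the sensible target is the LTS release.
        return ("vulnerable", format_version(LTS_RELEASE))

    # Newer than every branch listed: treated as covered by '8.5.2 or later'.
    # This is an assumption; confirm against the Atlassian bulletin.
    return ("fixed", None)


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    for host, ver in [("wiki.example.internal", "8.5.1"), ("docs.example.internal", "7.19.14"),
                      ("team.atlassian.net", "8.5.1"), ("eng.example.internal", "8.1.4")]:
        status, target = assess_version(ver, hostname=host)
        print(f"{host} {ver}: {status}" + (f", upgrade to {target}" if target else ""))
```

Feed this the version strings from your asset inventory and treat every 'vulnerable' result as a host on which to both upgrade and review administrator accounts created since September 14, 2023, since the upgrade alone does not remove an account an attacker has already added.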

For more details on the indicators of compromise, upgrade instructions, and a complete list of affected product versions, check Atlassian's security bulletin.