Microsoft Blames Nation-State Threat Actor for Confluence Zero-Day Attacks

October 10, 2023 at 07:54PM

Microsoft's threat intelligence researchers have attributed the recent zero-day exploitation of Atlassian's Confluence Data Center and Server products to a known nation-state threat actor that Microsoft tracks as Storm-0062. The activity began on September 14, before Atlassian publicly disclosed the issue. Microsoft has published IP addresses associated with the exploit traffic and urged organizations to upgrade their Confluence instances to the fixed versions to prevent further exploitation. Atlassian has confirmed evidence that a nation-state actor is actively exploiting the vulnerability.

Key Takeaways from the Meeting Notes:

1. Researchers at Microsoft have identified a nation-state threat actor known as Storm-0062 behind the zero-day exploits in Atlassian’s Confluence Data Center and Server products.
2. The malicious activity linked to Storm-0062 started on September 14, roughly three weeks before Atlassian's public disclosure of the issue on October 4.
3. Storm-0062, also known as DarkShadow or Oro0lxy, has been observed conducting cyberespionage operations for China’s Ministry of State Security.
4. Microsoft has published four IP addresses associated with exploit traffic targeting CVE-2023-22515, a flaw that lets a remote attacker gain unauthorized access to a Confluence instance and escalate privileges, including by creating unauthorized administrator accounts.
5. Both Microsoft and Atlassian emphasize the urgency of upgrading to a fixed version (8.3.3, 8.4.3, or 8.5.2 and later) to mitigate the risk.
6. Atlassian confirms evidence of a known nation-state actor actively exploiting the bug.
7. Confluence Server and Confluence Data Center instances exposed to the public internet are at particular risk, because the issue is exploitable remotely without authentication. Atlassian Cloud sites are not affected.
8. Atlassian advises businesses to check for indicators of compromise: unexpected members of the confluence-administrator group, newly created user accounts, unexpected requests to /setup/*.action in network access logs, and exception messages in the Confluence security log referencing /setup/setupadministrator.action.
9. If a compromised instance is identified, Atlassian recommends shutting the server down and disconnecting it from the network, and doing the same for other potentially affected systems that share a user base or common username/password combinations. Upgrading alone does not evict an attacker who has already created an administrator account, so those accounts must be found and removed as well.
10. Atlassian’s software products have previously been targeted by both cybercriminals and state-sponsored threat actors, as highlighted by the six distinct Confluence vulnerabilities in CISA’s KEV catalog.
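The checks in items 5, 8 and 9 above, as an added triage example that is not code from the article, from Microsoft or from Atlassian: a Python script that decides whether a reported Confluence version still lacks the fix, scans access-log lines for the /setup/*.action indicator, scans security-log lines for the setup exception, and diffs the current confluence-administrator membership against the expected one. Assumptions: the affected ranges are taken from Atlassian's advisory (8.0.0 up to but excluding 8.3.3, 8.4.0-8.4.2, 8.5.0-8.5.1; earlier releases not affected), the access log is in the Tomcat/Apache combined format, the security-log and sample lines are constructed for illustration, and the administrator membership lists are supplied by the operator (for example exported from the admin UI).

```python
import re

# Fix versions named in the advisory: 8.3.3, 8.4.3, 8.5.2 and later.
# Atlassian's advisory also states that releases before 8.0.0 are not affected.
def parse_version(text):
    """'8.5.1' -> (8, 5, 1); missing components are padded with 0 so '8.5' == '8.5.0'."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    """True when a Confluence Server/DC version falls in a range without the CVE-2023-22515 fix."""
    v = parse_version(version)
    if v < (8, 0, 0):
        return False                      # pre-8.0 releases are not affected
    if v < (8, 3, 3):
        return True                       # 8.0.x, 8.1.x, 8.2.x, 8.3.0-8.3.2
    if (8, 4, 0) <= v < (8, 4, 3):
        return True                       # 8.4.0-8.4.2
    if (8, 5, 0) <= v < (8, 5, 2):
        return True                       # 8.5.0-8.5.1
    return False                          # 8.3.3-8.3.x, 8.4.3+, 8.5.2+, 8.6+

# Combined-format access log line: client IP, timestamp, request line, status (assumed layout).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Atlassian's indicator: requests to /setup/*.action. Anchored at the path start so that
# ordinary pages such as /pages/viewpage.action are not flagged.
SETUP_PATH_RE = re.compile(r"^/setup/[^?\s]*\.action(?:$|\?)")
# Loose match for the setup exception Atlassian describes in atlassian-confluence-security.log.
SETUP_EXC_RE = re.compile(r"Exception on action: /setup/\S*\.action")

def find_setup_requests(lines):
    """Return parsed access-log entries whose path hits /setup/*.action."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and SETUP_PATH_RE.match(m["path"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits

def find_setup_exceptions(lines):
    """Return security-log lines carrying the setup exception indicator."""
    return [line for line in lines if SETUP_EXC_RE.search(line)]

def unexpected_admins(current_members, expected_members):
    """Members of confluence-administrator that the operator did not expect."""
    return sorted(set(current_members) - set(expected_members))

def assess(version, access_lines, security_lines, current_admins, expected_admins):
    """Combine the checks into one triage result; any indicator means 'treat as compromised'."""
    setup_requests = find_setup_requests(access_lines)
    setup_exceptions = find_setup_exceptions(security_lines)
    rogue_admins = unexpected_admins(current_admins, expected_admins)
    return {
        "version": version,
        "affected_version": is_affected(version),
        "setup_requests": setup_requests,
        "setup_exceptions": setup_exceptions,
        "unexpected_admins": rogue_admins,
        "source_ips": sorted({h["ip"] for h in setup_requests}),
        "likely_compromised": bool(setup_requests or setup_exceptions or rogue_admins),
    }

# Constructed sample input (documentation-range IPs, not Microsoft's published indicators).
SAMPLE_ACCESS_LOG = [
    '198.51.100.23 - - [14/Sep/2023:08:11:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Sep/2023:08:11:15 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Sep/2023:08:11:21 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [14/Sep/2023:09:02:44 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 8832 "-" "curl/8.1"',
]
SAMPLE_SECURITY_LOG = [
    "2023-09-14 08:11:21,533 ERROR [http-nio-8090-exec-7] Exception during setup - Exception on action: /setup/setupadministrator.action",
    "2023-09-14 09:30:00,001 INFO [http-nio-8090-exec-2] Scheduled job completed",
]
SAMPLE_CURRENT_ADMINS = ["admin", "jsmith", "svc-backup"]
SAMPLE_EXPECTED_ADMINS = ["admin", "jsmith"]

if __name__ == "__main__":
    report = assess("8.5.1", SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG,
                    SAMPLE_CURRENT_ADMINS, SAMPLE_EXPECTED_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["likely_compromised"]:
        print("ACTION: isolate this host and any system sharing credentials; then rebuild or restore.")
```

A clean result from this script does not prove absence of compromise: the access-log check only sees what the front-end logged, and an attacker who removed their account after use leaves neither the group-membership nor the new-account indicator. Treat the script as a first pass before a fuller review of the instance.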