Microsoft: Chinese APT Behind Atlassian Confluence Attacks; PoCs Appear

October 11, 2023 at 03:40PM

China-sponsored APT Storm-0062 is responsible for exploiting a critical bug in Atlassian Confluence Server, according to Microsoft. Proof-of-concept exploits are now available, indicating potential mass exploitation. The vulnerability (CVE-2023-22515) allows remote code execution without authentication. Microsoft identified four IP addresses associated with the exploit and warned of the creation of a Confluence administrator account. A former student released a proof of concept on GitHub. The APT has links to Chinese state hackers and has targeted COVID-19-related research in the past. Organizations should upgrade Confluence applications and increase threat hunting.

Key takeaways from the meeting notes:
1. A China-sponsored advanced persistent threat (APT) called Storm-0062 is responsible for exploiting a critical bug in Atlassian Confluence Server and Confluence Data Center. Proof-of-concept exploits are now available, indicating potential mass exploitation.
2. The vulnerability (CVE-2023-22515) is exploitable remotely without authentication and should be treated as a remote-code-execution vector. It carries the maximum CVSS severity score of 10 out of 10.
3. Microsoft has provided additional details on the zero-day campaign, identifying four IP addresses associated with the exploit traffic. Any attacker with network access to a vulnerable instance can exploit the bug to create a Confluence administrator account.
4. The Storm-0062 APT is also known as DarkShadow or Oro0lxy, and it is associated with Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were previously indicted by the US Department of Justice for targeting companies involved in COVID-19 vaccines and treatments.
5. Chinese state-sponsored campaigns typically reflect the Chinese Communist Party’s pursuit of global influence and intelligence collection. The attacks often target US defense, critical infrastructure, nations in the South China Sea region, and China’s strategic partners.
6. Exploiting the Confluence bug gives attackers a foothold from which to launch attacks on other organizations, which is why the article characterizes it as a systemic supply chain attack. With public proof-of-concept exploits now available, businesses should be prepared for mass exploitation.
7. Organizations running vulnerable Confluence applications must upgrade to a fixed version (8.3.3, 8.4.3, or 8.5.2 or later) and isolate the applications from the public Internet until the upgrade is complete.
8. In addition to patching, businesses should step up threat hunting to look for evidence of activity by this APT group, in particular unexpected Confluence administrator accounts and traffic from the IP addresses Microsoft identified. Deploying runtime security measures is also recommended to mitigate exploitation, including zero-day attacks.
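The upgrade check and the threat-hunting steps above can be turned into a small, repeatable triage script. The following is an added example, not code from the article, Microsoft or Atlassian. It assumes three things: that "8.3.3, 8.4.3, or 8.5.2 or later" means patch 3 or higher on the 8.3 and 8.4 lines, patch 2 or higher on the 8.5 line, or any newer release line; that the Confluence access log is in the common combined format (the sample lines below are constructed, with documentation-range IP addresses); and that the watchlist is filled in by the reader, since the article does not reproduce the four IP addresses Microsoft published.

```python
"""Defender-side triage for the CVE-2023-22515 advice in this article:
is the Confluence build on a listed fixed version, and does the access
log or the administrator roster show anything worth hunting further?

Added example (not the article's or any vendor's code). All sample data
below is constructed; the watchlist IPs are placeholders to be replaced
with the addresses from Microsoft's advisory."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Fixed versions named in the article: 8.3.3, 8.4.3, 8.5.2 "or later".
# Assumption: patch >= N on each listed 8.x line, or any later line.
FIXED_PATCH_BY_LINE: Dict[Tuple[int, int], int] = {(8, 3): 3, (8, 4): 3, (8, 5): 2}
NEWEST_FIXED_LINE: Tuple[int, int, int] = (8, 5, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# Common/combined access-log format: ip ident user [ts] "METHOD path proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'8.5.1' -> (8, 5, 1); any build suffix after the patch number is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_fixed_version(version: str) -> bool:
    """True only when the build is on a fixed version the article lists.

    Builds older than 8.3.3 return False: the article names no fixed
    version there, so they are flagged for manual verification rather
    than silently accepted.
    """
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH_BY_LINE:
        return patch >= FIXED_PATCH_BY_LINE[line]
    return (major, minor, patch) > NEWEST_FIXED_LINE


def watchlist_hits(log_lines: Iterable[str], watchlist: Set[str]) -> List[Dict[str, str]]:
    """Return parsed access-log entries whose client IP is on the watchlist."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group("ip") in watchlist:
            hits.append(m.groupdict())
    return hits


def unexpected_admins(baseline: Set[str], current: Iterable[str]) -> Set[str]:
    """Administrator accounts present now that were not in the approved baseline.

    The article's warning sign is the creation of a new Confluence
    administrator account, so any name outside the baseline is a finding.
    """
    return set(current) - baseline


def triage(version: str, log_lines: Iterable[str], watchlist: Set[str],
           baseline_admins: Set[str], current_admins: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks into one result a responder can act on."""
    return {
        "version_fixed": is_fixed_version(version),
        "watchlist_hits": watchlist_hits(log_lines, watchlist),
        "unexpected_admins": unexpected_admins(baseline_admins, current_admins),
    }


# --- constructed sample input (documentation-range IPs, invented users) ---
WATCHLIST = {"203.0.113.10"}  # placeholder: substitute the IPs from Microsoft's advisory
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [10/Oct/2023:09:12:01 +0000] "GET /dashboard.action HTTP/1.1" 200 5120',
    '203.0.113.10 - - [10/Oct/2023:09:14:33 +0000] "POST /login.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2023:09:15:02 +0000] "GET /rest/api/content HTTP/1.1" 200 2210',
]
BASELINE_ADMINS = {"admin", "wiki-ops"}
CURRENT_ADMINS = ["admin", "wiki-ops", "svc_backup"]

if __name__ == "__main__":
    result = triage("8.5.1", SAMPLE_ACCESS_LOG, WATCHLIST, BASELINE_ADMINS, CURRENT_ADMINS)
    print("on fixed version:", result["version_fixed"])
    for hit in result["watchlist_hits"]:
        print("watchlist hit:", hit["ip"], hit["ts"], hit["method"], hit["path"], hit["status"])
    print("unexpected admins:", sorted(result["unexpected_admins"]))
```

Run against a real instance, the version string comes from the Confluence About page or the running container's release tag, the admin roster from an export of the administrator group, and the log lines from the access log on the host; a non-empty `unexpected_admins` set or any watchlist hit on a build that is not on a fixed version is the point at which to escalate to incident response rather than just patch.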
