October 11, 2023 at 10:35AM
A Chinese-backed threat group, known as Storm-0062 or DarkShadow, has been exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server since September 2023. Microsoft has shared more information about the group’s involvement and identified four offending IP addresses. The vulnerability allows the group to create arbitrary administrator accounts. A proof-of-concept exploit has been released, potentially increasing the chances of exploitation. Atlassian has released security updates and users are advised to upgrade to fixed versions. Earlier versions and Atlassian-hosted instances are not affected. For more information, refer to Atlassian’s security bulletin.
Key Takeaways from the Meeting Notes:
1. A Chinese-backed threat group called ‘Storm-0062’ has been exploiting a critical privilege escalation zero-day in Atlassian Confluence Data Center and Server since September 14, 2023.
2. Atlassian notified customers about the active exploitation of CVE-2023-22515 on October 4, 2023, but did not disclose specific details about the threat group using the vulnerability.
3. Microsoft Threat Intelligence analysts revealed more information about Storm-0062’s involvement in exploiting CVE-2023-22515 and shared four offending IP addresses on Twitter.
4. Storm-0062 exploited the zero-day bug for nearly three weeks, creating arbitrary administrator accounts on exposed endpoints.
5. Storm-0062 is a state hacking group associated with China’s Ministry of State Security and has targeted various industries and countries for intelligence purposes.
6. The United States charged the Chinese hackers involved in the group in July 2020 for stealing significant amounts of data.
7. While the exploitation of CVE-2023-22515 seems limited based on data from Greynoise, the release of a proof-of-concept exploit and technical details by Rapid7 researchers may change the landscape.
8. Rapid7 analysts demonstrated how attackers can bypass security checks and create new administrator users with a known password using a crafted HTTP request.
9. Atlassian rolled out security updates for affected products a week ago, providing users time to respond before the public release of the PoC exploit.
10. Users are advised to upgrade to fixed Atlassian Confluence releases 8.3.3 or later, 8.4.3 or later, or 8.5.2 (Long-Term Support release) or later.
11. The CVE-2023-22515 flaw does not impact Confluence Data Center and Server versions before 8.0.0, and Atlassian-hosted instances at atlassian.net domains are not vulnerable.
12. More information, including indicators of compromise, upgrade instructions, and a complete list of affected product versions, can be found in Atlassian’s security bulletin.