October 16, 2023 at 11:08AM
CISA, FBI, and MS-ISAC have warned network administrators to immediately patch their Atlassian Confluence servers against a critical privilege escalation flaw (CVE-2023-22515) that is being actively exploited. The flaw affects Confluence Data Center and Server 8.0.0 and later versions that predate the fixed releases; Atlassian has published security updates and advised customers to upgrade. Microsoft attributes the zero-day exploitation, observed since September 14, 2023, to a Chinese state-backed threat group it tracks as Storm-0062. Administrators are strongly encouraged to apply the upgrades and to hunt for malicious activity on their networks. Exploitation is currently limited but is expected to increase. Given the history of attacks on Confluence servers, prompt patching is critical.
Key takeaways from the meeting notes:
1. CISA, FBI, and MS-ISAC have issued a warning to network administrators to immediately patch their Atlassian Confluence servers against a critical privilege escalation flaw, tracked as CVE-2023-22515. This flaw is actively being exploited in attacks.
2. The vulnerability affects Confluence Data Center and Server versions 8.0.0 and later, up to the fixed releases, and it can be exploited remotely by an unauthenticated attacker without user interaction. Atlassian Cloud sites are not affected.
3. Atlassian has already released security updates on October 4, advising customers to upgrade their Confluence instances to fixed versions (8.3.3 or later, 8.4.3 or later, 8.5.2 or later) due to the zero-day exploitation.
4. For those unable to upgrade, shutting down affected instances or isolating them from Internet access is recommended until they can be patched. Administrators should also check for indicators of compromise, such as new or unexpected user accounts, unexpected members of the confluence-administrators group, and requests to /setup/*.action paths in web access logs. Upgrading does not remove accounts an attacker has already created, so these checks apply even after patching.
5. Microsoft revealed that a Chinese-backed threat group called Storm-0062 (aka DarkShadow or Oro0lxy) has been exploiting the vulnerability as a zero-day since at least September 14, 2023.
6. Network administrators are strongly encouraged by CISA, FBI, and MS-ISAC to apply the Atlassian upgrades immediately and to hunt for any malicious activity on their networks using the provided detection signatures and indicators of compromise (IOCs).
7. While the exploitation of CVE-2023-22515 has been limited so far, the landscape could change with the release of proof-of-concept (PoC) exploits and full technical details about the vulnerability.
8. Widespread exploitation of unpatched Confluence instances in government and private networks is expected due to the ease of exploitation.
9. Patching Confluence servers promptly is crucial given their history of being targeted by malicious entities, including Linux botnet malware, crypto miners, and ransomware attacks.
10. This is not the first time CISA has addressed critical vulnerabilities in Confluence servers: it previously ordered federal agencies to remediate CVE-2022-26138, a hardcoded-credentials flaw in the Questions for Confluence app, after it was exploited in the wild.
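The upgrade check and the log hunt from items 3, 4 and 6 above, as an added example (this is not code from the advisory, CISA, or Atlassian). The version logic encodes the fixed releases the advisory names (8.3.3, 8.4.3, 8.5.2); the assumption that 8.6+ and later major versions shipped after the fix is marked in a comment and should be confirmed against Atlassian's advisory. The access-log lines are constructed samples in Apache combined log format, and the `/setup/*.action` request pattern is one of Atlassian's published indicators for this CVE.

```python
"""Triage helpers for CVE-2023-22515: an affected-version check and a hunt over
web access logs. Added example, not from the advisory or from Atlassian."""
import re
from typing import Iterable, List, Tuple

# Fixed releases named in Atlassian's October 4 advisory.
FIRST_AFFECTED = (8, 0, 0)
FIXED_FOR_MINOR = {3: (8, 3, 3), 4: (8, 4, 3), 5: (8, 5, 2)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Confluence version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this Confluence Data Center/Server version needs the CVE-2023-22515 fix."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False                      # 7.x and earlier are not affected
    major, minor, _ = v
    if major != 8:
        return False                      # assumption: 9.x+ shipped after the fix
    if minor < 3:
        return True                       # 8.0.x-8.2.x have no fixed release; upgrade
    fixed = FIXED_FOR_MINOR.get(minor)
    if fixed is None:
        return False                      # assumption: 8.6+ shipped after the fix
    return v < fixed                      # 8.3.x/8.4.x/8.5.x below the fixed patch level


# Combined-log-format request line; captures the path of any /setup/*.action request,
# stopping before a query string. Indicator published by Atlassian for this CVE.
SETUP_ACTION = re.compile(r'"(?:GET|POST) (/setup/[^ ?"]*\.action)')


def find_setup_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for every request to a /setup/*.action endpoint.

    On a production instance whose setup wizard finished long ago, any such request
    is unexpected and warrants a look at the admin group and recent account creation.
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        match = SETUP_ACTION.search(line)
        if match:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group(1)))
    return hits


# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2023:10:02:11 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1822 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Sep/2023:10:03:02 +0000] "GET /display/DOCS/Home HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Sep/2023:10:03:30 +0000] "POST /rest/api/content HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2023:10:03:40 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1"
"""


if __name__ == "__main__":
    for ver in ("7.19.14", "8.2.1", "8.5.1", "8.5.2"):
        print(f"{ver:>8}: {'UPGRADE REQUIRED' if is_affected(ver) else 'fixed / not affected'}")
    for ip, path in find_setup_requests(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"setup request from {ip}: {path}")
```

Run `is_affected` against the version reported on the Confluence admin page, and feed the real access log (for example `access_log` from the bundled Tomcat or the reverse proxy in front of it) to `find_setup_requests`; any hit on an instance that completed setup long ago should be treated as a potential compromise and followed by a review of the confluence-administrators group and recently created accounts, not just an upgrade.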