October 16, 2023 at 10:46AM
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint Cybersecurity Advisory (CSA) about the active exploitation of CVE-2023-22515, a vulnerability in Atlassian Confluence Data Center and Server. This vulnerability allows cyber threat actors to gain unauthorized access to Confluence instances. Organizations are urged to update their software and be vigilant for malicious activity on their networks.
Meeting Summary:
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are jointly releasing a Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This vulnerability affects certain versions of Atlassian Confluence Data Center and Server, allowing malicious actors to gain unauthorized access to Confluence instances. The vulnerability is rated as critical by Atlassian, and widespread exploitation is expected. Organizations are strongly encouraged to apply upgrades provided by Atlassian and hunt for malicious activity on their networks. More information, including upgrade instructions, affected versions, and indicators of compromise (IOCs), can be found in Atlassian’s security advisory.
Technical Details:
CVE-2023-22515 is a critical Broken Access Control vulnerability affecting specific versions of Atlassian Confluence Data Center and Server. Unauthenticated remote actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and gain access to Confluence instances. The vulnerability allows threat actors to modify critical configuration settings, potentially enabling further unauthorized actions. Atlassian has released a patch, but threat actors have already exploited it as a zero-day vulnerability. CISA, FBI, and MS-ISAC expect widespread exploitation of unpatched Confluence instances.
Post-Exploitation and Indicators of Compromise:
Post-exploitation exfiltration of data can be done using tools like cURL and Rclone. User-Agent strings observed in request headers include Python-requests/2.27.1 and curl/7.88.1. The report provides a list of IP addresses associated with data exfiltration and recommends network defenders to review and deploy Proofpoint’s Emerging Threat signatures. Logging should be configured to detect exploitation attempts. If compromise is suspected, organizations should review artifacts, audit logs, quarantine affected hosts, provision new account credentials, reimage compromised hosts, and report the compromise to the appropriate authorities.
Mitigations and Resources:
To mitigate the vulnerability, organizations are advised to upgrade to fixed versions provided by Atlassian. Best cybersecurity practices, such as implementing phishing-resistant multifactor authentication (MFA), are also recommended. The report provides additional resources and references for more information, including guidance from NIST, MITRE, CISA, and CIS.
Please let me know if there’s anything specific you would like me to focus on or if you need any additional information from the meeting notes.