October 17, 2023 at 09:06AM
US authorities have urged network admins to patch a critical vulnerability in Atlassian Confluence Data Center and Server because nation-state actors are actively exploiting it. The consequences of exploitation are severe: attackers can create new administrator accounts for themselves. The attackers have already shown sophistication by attempting to modify configuration files. Authorities recommend applying the patches immediately and proactively hunting for intrusions or other malicious activity on the network. Microsoft has confirmed that nation-state attackers have begun exploiting the vulnerability.
Key Takeaways:
1. Urgent plea to network admins to patch the critical vulnerability in Atlassian Confluence Data Center and Server.
2. CVE-2023-22515 was disclosed on October 4 and carries a CVSS score of 10.0, the maximum severity.
3. Potential consequences of exploit include creating new admin accounts for attackers.
4. The authorities stress the urgency of updating because sophisticated attackers are already attempting to exploit the flaw.
5. Attackers with successful exploits can modify configuration files and carry out other tasks.
6. CISA, FBI, and MS-ISAC expect widespread exploitation of unpatched Confluence instances.
7. Along with patching, proactive hunting for intrusions or malicious activity is recommended.
8. If an instance is compromised, admin accounts created by attackers must be removed, and other damage assessed.
9. The patched versions (8.3.3, 8.4.3 and 8.5.2 or later; releases before 8.0.0 and Confluence Cloud are not affected) are listed in Atlassian's advisory.
10. Organizations should review all affected Confluence instances for compromise and follow Atlassian’s guidelines.
11. Microsoft confirmed that nation-state attackers have already begun exploiting CVE-2023-22515.
12. Storm-0062, a Chinese state-backed group, is known to be exploiting the vulnerability.
13. Atlassian did not provide specific information on the number of unpatched instances.
14. GreyNoise data indicates that only a small number of unique IP addresses are attempting to exploit the vulnerability.
15. Even so, exploit attempts increased after proof-of-concept code was released on October 10.
16. Immediate action is strongly advised to address the potential risks associated with the vulnerability.
17. Microsoft and the FBI are aware of IPs sending exploit traffic.
18. For those unable to patch immediately, Atlassian provides limited interim mitigations (restricting external network access to the instance and blocking requests to the /setup/* endpoints) but emphasizes the need to upgrade as soon as possible.
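As an added example that is not part of the original article and is not Atlassian's, CISA's or Microsoft's own tooling, the following Python script shows one way to start the proactive hunt and the admin-account review the takeaways recommend. It scans Confluence (or front-end reverse proxy) access logs in the Apache/Tomcat combined format for requests to /setup/* endpoints, which Atlassian's public advisory for CVE-2023-22515 lists as an indicator of compromise on an instance whose initial setup completed long ago, and diffs the current membership of the confluence-administrators group against a known-good baseline. The log lines, IP addresses, user names and baseline list are all constructed for illustration; `parse_access_log`, `find_setup_endpoint_hits`, `unexpected_admins` and `summarize` are names chosen here, not Confluence APIs.

```python
import re
from collections import defaultdict

# Constructed sample access log in the Apache/Tomcat "combined" format that
# Confluence and most reverse proxies in front of it can emit. Addresses are
# from the RFC 5737 documentation ranges and the requests are illustrative.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [14/Oct/2023:08:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2023:08:02:03 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1870 "-" "python-requests/2.31"
198.51.100.7 - - [14/Oct/2023:08:02:04 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [14/Oct/2023:08:05:40 +0000] "GET /pages/viewpage.action?pageId=42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
192.0.2.55 - - [14/Oct/2023:09:11:09 +0000] "GET /setup/setupadministrator.action?x=1 HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# Constructed admin-group snapshots: the baseline is what the team documented
# before the advisory, the current list is what the instance reports now.
BASELINE_ADMINS = ["admin", "ops.lead"]
CURRENT_ADMINS = ["admin", "ops.lead", "svc_backup"]

# Fields we need from a combined-format line: client IP, timestamp, method,
# request path (with query string) and response status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Yield one dict per line that matches the combined log format.

    Lines that do not match (rotated-file headers, truncated lines) are skipped
    rather than raising, so one bad line cannot abort a hunt over a large file.
    """
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def find_setup_endpoint_hits(text):
    """Return every request to a /setup/* endpoint, blocked or not.

    On an instance whose initial setup finished long ago, any request to these
    endpoints is unexpected. A 403/404 usually means the interim block on
    /setup/* was in place; it is still worth knowing who tried.
    """
    hits = []
    for rec in parse_access_log(text):
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if path.startswith("/setup/"):
            hits.append({**rec, "blocked": rec["status"] in (403, 404)})
    return hits


def unexpected_admins(current_members, baseline_members):
    """Admin-group members absent from the known-good baseline.

    The advisory warns that attackers create new administrator accounts, so
    every name returned here needs to be verified with its owner or removed.
    """
    return sorted(set(current_members) - set(baseline_members))


def summarize(text, current_members, baseline_members):
    """Combine both indicators into one triage summary for an instance."""
    hits = find_setup_endpoint_hits(text)
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    return {
        "suspect_ips": sorted(by_ip),
        "setup_hits": len(hits),
        "unblocked_setup_hits": sum(1 for h in hits if not h["blocked"]),
        "unexpected_admins": unexpected_admins(current_members, baseline_members),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ACCESS_LOG, CURRENT_ADMINS, BASELINE_ADMINS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Point the script at the real access log and at the group membership exported from the instance rather than the constructed samples; any unblocked /setup/* hit, and any admin account not in the baseline, should be treated as a possible compromise and handled under Atlassian's guidance rather than simply deleted, so that evidence is preserved for the damage assessment.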