The Chinese state-sponsored threat actor known as Storm-0062 (aka DarkShadow and Oro0lxy) exploited a critical zero-day vulnerability in Atlassian Confluence Data Center and Server for almost three weeks before it was patched.
Atlassian disclosed the vulnerability, designated CVE-2023-22515, on October 4th, the same day the patch was released. However, Atlassian did not indicate at the time that the vulnerability was being actively exploited in the wild.
An October 11th announcement by Microsoft security researchers indicated that Storm-0062 was able to use this vulnerability to create rogue admin accounts on target endpoints. Once such an account exists, Storm-0062 can simply log in to the server with the newly created credentials and manipulate the server as they see fit.
A day before Microsoft’s announcement, separate security researchers released proof-of-concept (POC) exploit code and full technical details of the vulnerability. These details amount to a step-by-step guide for compromising unpatched Confluence instances, using a simple curl command to create rogue admin accounts.
CVE-2023-22515 affects versions 8.3.3, 8.4.3, and 8.5.2 or later releases. Versions before 8.0.0 and Atlassian-hosted instances using Atlassian.net domains are not affected.
Source: Bleeping Computer
Analysis
Atlassian’s Confluence Server allows organizations to create, collaborate on, and organize work, projects, and documents. As a result, this server could hold an organization’s intellectual property and other sensitive information, making it a high-value target for espionage-motivated threat actors.
It’s likely that the ability to exploit the zero-day vulnerability was limited to Storm-0062 and used against a small number of targets. However, with the release of POC code and technical details, it’s likely only a matter of time before other threat actors begin targeting unpatched Confluence instances exposed to the internet.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Confluence. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of the affected versions of Confluence to update to the latest version as soon as possible.