Microsoft Security has shed light on the ongoing activities of the 'Storm-0062' threat group, also known as DarkShadow or Oro0lxy. Linked to China's Ministry of State Security, the group is reported to have been exploiting a critical privilege escalation zero-day in Atlassian Confluence Data Center and Server since September 14, 2023.
Atlassian Notification and Response
Despite being aware of the active exploitation of CVE-2023-22515, Atlassian withheld specifics about the attackers exploiting the vulnerability when it disclosed the flaw on October 4, 2023. The company only published security update details in early October, meaning Storm-0062 had been exploiting the flaw as a zero-day for nearly three weeks, with the ability to create arbitrary administrator accounts on exposed endpoints.
The threat group has a track record of targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries for intelligence gathering. The United States charged the group's hackers in July 2020 for extensive data theft from government organizations and companies worldwide.
Proof of Concept Exploit Available, Upgrade Urged
Cybersecurity firm GreyNoise, which tracks vulnerabilities as exploitation spreads, suggests that exploitation of CVE-2023-22515 has so far been limited. Notwithstanding, the release of a proof-of-concept exploit by Rapid7 researchers could drive wider exploitation. The researchers demonstrated bypassing security checks and using a cURL command to send a malicious HTTP request to exposed endpoints, resulting in the creation of new administrator accounts with a password known to the attacker.
The exploit can also be made entirely covert: an additional request suppresses the notification that would otherwise alert other users that setup has been completed. Atlassian has released security updates for the affected products and urges users who haven't upgraded yet to do so. Note that versions before 8.0.0, as well as Atlassian-hosted instances on atlassian.net domains, are not susceptible to these attacks.