
Chinese-Backed Threat Group Exploits Confluence Zero-Day since September

Atlassian knew CVE-2023-22515 was being exploited when it disclosed the flaw; Microsoft later attributed the activity to Storm-0062, which used the bug as a zero-day for about three weeks to create administrator accounts.


Microsoft Security has shed light on the ongoing activities of the 'Storm-0062' threat group, also known as DarkShadow or Oro0lxy. Linked to China's Ministry of State Security, the group is reported to have been exploiting a critical privilege escalation zero-day in Atlassian Confluence Data Center and Server since September 14, 2023.

Atlassian Notification and Response

Atlassian knew CVE-2023-22515 was being actively exploited when it disclosed the flaw on October 4, 2023, but withheld specifics about who was exploiting it. The company only published its security update in early October; taken together with Microsoft's September 14 start date, that means Storm-0062 had been exploiting the flaw as a zero-day for nearly three weeks, with the ability to create arbitrary administrator accounts on internet-exposed instances.

The threat group has a track record of targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries for intelligence gathering. The United States charged the group's hackers in July 2020 for extensive data theft from government organizations and companies worldwide.

Proof of Concept Exploit Available, Upgrade Urged

Threat intelligence firm GreyNoise, which tracks exploitation attempts against its internet sensors, reports that observed exploitation of CVE-2023-22515 has so far been limited. That may change now that Rapid7 researchers have published a proof-of-concept exploit. They demonstrated that the vulnerable instance's security checks can be bypassed by sending a crafted HTTP request (a single cURL command in their write-up) to an exposed Confluence endpoint, after which a new administrator account with an attacker-chosen password can be created.

The exploit can also be completely covert: an additional request suppresses the notification that setup has been completed, so other users are not alerted. Atlassian has released fixed versions of the affected products and urges anyone who has not yet upgraded to do so. Note that versions before 8.0.0, as well as Atlassian-hosted cloud instances on atlassian.net domains, are not susceptible to these attacks. Upgrading closes the hole but does not remove an administrator account an attacker has already created, so any instance that was internet-exposed while unpatched should also be reviewed for unexpected admin accounts.
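Two checks a defender would run after reading the above, as an added example that is not code from the article, Atlassian, Rapid7 or Microsoft: a scan of Confluence access logs for the indicators Atlassian's advisory names for this flaw (requests to the setup wizard's /setup/*.action endpoints on an already-configured instance) and for the server-info.action parameter that Rapid7's analysis showed re-opens the wizard, plus a version check against the fixed releases listed in the advisory. The access-log format, the sample log lines and the IP addresses are constructed for the example; confirm the fixed-version table against Atlassian's current advisory before relying on it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Common/combined access-log format as written by Tomcat or a reverse proxy
# in front of Confluence (constructed format assumption for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Atlassian's advisory lists requests to /setup/*.action as an indicator of
# compromise: the setup wizard must never be reachable on a configured instance.
SETUP_ACTION_RE = re.compile(r"/setup/[^/?]+\.action$")
# Rapid7's analysis showed the wizard is re-opened by sending this parameter
# to server-info.action with the value "false".
REOPEN_PARAM = "bootstrapStatusProvider.applicationConfig.setupComplete"


def classify_request(method, target):
    """Return the CVE-2023-22515 indicators matched by one request (empty if none).

    Paths are matched by suffix so a Confluence context path such as
    /confluence does not hide the hit.
    """
    parts = urlsplit(target)
    findings = []
    if parts.path.endswith("/server-info.action"):
        params = parse_qs(parts.query)
        if params.get(REOPEN_PARAM, [""])[0].lower() == "false":
            findings.append("setup wizard re-enabled (setupComplete=false)")
    if SETUP_ACTION_RE.search(parts.path):
        findings.append(f"setup endpoint reached: {method} {parts.path}")
    return findings


def scan_access_log(lines):
    """Return (source_ip, timestamp, finding) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; skip instead of crashing on junk
        for finding in classify_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], finding))
    return hits


# First fixed patch level per release line, as named in Atlassian's advisory.
# The 8.0 to 8.2 lines received no fix; 8.6.0 and later shipped fixed.
FIXED_PATCH = {(8, 3): 3, (8, 4): 3, (8, 5): 2}


def is_vulnerable_version(version):
    """True if a Confluence Data Center/Server version is affected by CVE-2023-22515."""
    nums = [int(x) for x in version.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    major, minor, patch = nums
    if (major, minor) < (8, 0):
        return False  # pre-8.0.0 is not affected
    if (major, minor) >= (8, 6):
        return False  # 8.6.0 and later carry the fix
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # 8.0, 8.1 and 8.2 lines were never patched
    return patch < fixed


# Constructed sample log lines (not real traffic): one normal page view, the
# wizard re-open request, the admin-creation request, and the finishsetup call
# that suppresses the setup-completed notice to other users.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Sep/2023:10:01:02 +0000] "GET /display/HOME HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Sep/2023:10:02:11 +0000] "GET /server-info.action'
    '?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Sep/2023:10:02:12 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [20/Sep/2023:10:02:13 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for ip, ts, finding in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {finding}")
    for v in ("7.19.16", "8.2.0", "8.5.1", "8.5.2", "8.6.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "not affected")
```

A single hit on any /setup/*.action path from a configured instance is worth investigating on its own; the three-request sequence from one source address in the sample is the full pattern the proof of concept produces. Because the last request hides the new account from other users, pair the log scan with a review of the instance's administrator group membership rather than relying on the UI to surface the intruder.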

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
