Confluence Zero-Day Vulnerability Exploited by Chinese-Backed Threat Group
Microsoft has revealed that a Chinese state-backed threat group tracked as Storm-0062 (also known as DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day vulnerability in Atlassian Confluence Data Center and Server since September 14, 2023.
Atlassian Confluence Zero-Day Vulnerability
Atlassian warned customers on October 4, 2023, that CVE-2023-22515 was being actively exploited, but did not name the threat group behind the attacks.
On October 10, 2023, Microsoft Threat Intelligence analysts shared additional details about Storm-0062's role in exploiting CVE-2023-22515 and posted four IP addresses associated with the group on Twitter.
Because Atlassian did not ship fixes until early October, Storm-0062 had nearly three weeks of zero-day access during which it created arbitrary administrator accounts on internet-exposed Confluence instances.
Storm-0062 hacking group’s motive
Storm-0062 is a state-sponsored hacking group linked to China’s Ministry of State Security. It is well-known for targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries to gather intelligence.
The United States charged hackers from this group in July 2020 with stealing terabytes of data from government organizations and companies worldwide.
As for CVE-2023-22515, data collected by cybersecurity company GreyNoise suggests that exploitation has so far been limited. That may change now that Rapid7 researchers have released a proof-of-concept (PoC) exploit together with a detailed technical analysis of the vulnerability.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
Rapid7 analysts showed how an attacker can bypass the check that normally keeps the setup endpoints unreachable on an already-configured instance, then use a single cURL command to send a crafted HTTP request that creates a new administrator account with a password of the attacker's choosing. Their write-up also describes a further request that suppresses the notification other users would otherwise receive when setup completes, making the compromise stealthier.
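The attack chain above leaves a recognisable trace in the Tomcat access log that Confluence writes, so a defender's first move is to scan that log rather than to reproduce the exploit. The script below is an added example, not code from Microsoft, Rapid7 or Atlassian: the log lines are constructed for the example, and the two request patterns it flags (requests to /setup/*.action on an instance that has already been set up, and a request parameter that resets the setupComplete flag) are taken from Atlassian's published indicators and Rapid7's public analysis rather than from this article. The baseline-admin comparison at the end is a simple set difference against a list you are assumed to maintain yourself.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the combined access-log format Tomcat writes for
# Confluence. Hosts, timestamps and user agents are made up for this example.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2023:03:12:41 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 200 1843 "-" "curl/8.1.2"
203.0.113.7 - - [14/Sep/2023:03:12:43 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "curl/8.1.2"
203.0.113.7 - - [14/Sep/2023:03:12:44 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0 "-" "curl/8.1.2"
198.51.100.20 - alice [14/Sep/2023:03:15:02 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - bob [14/Sep/2023:03:16:30 +0000] "POST /rest/api/content HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Return the indicator labels that apply to one request, or [] if none do."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    hits = []
    # Atlassian's bulletin: any request to /setup/*.action on a configured
    # instance is suspicious, since setup should be finished and unreachable.
    if path.startswith("/setup/") and path.endswith(".action"):
        hits.append("setup-endpoint")
    # Rapid7's analysis: the attacker first flips the setupComplete flag via a
    # request parameter so that the setup endpoints become reachable again.
    for key, values in query.items():
        if key.endswith("setupComplete") and any(v.lower() == "false" for v in values):
            hits.append("setup-complete-reset")
    return hits


def scan_access_log(text):
    """Parse combined-format lines and return the ones that match an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        labels = classify_request(m["method"], m["target"])
        if labels:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]), "labels": labels,
            })
    return findings


def unexpected_admins(current_admins, baseline_admins):
    """Members of confluence-administrators that are absent from your known baseline."""
    return sorted(set(current_admins) - set(baseline_admins))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ts"], f["ip"], f["method"], f["target"], f["labels"])
    # Constructed group membership: 'sysadmin2' is the account nobody created on purpose.
    print(unexpected_admins(["admin", "alice", "sysadmin2"], ["admin", "alice"]))
```

A single source IP touching the setupComplete parameter and then POSTing to /setup/*.action within seconds, as in the constructed lines, is the sequence to hunt for; a hit on either indicator alone is still worth a look at the confluence-administrators group and at accounts created around that timestamp.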
Confluence Zero-Day Vulnerability Security Update
Atlassian released security updates for the affected products a week before the PoC exploit was published, so administrators have had time to patch.
If you haven’t done so already, it is recommended to upgrade to one of the following fixed Atlassian Confluence releases:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long-Term Support release) or later
Note that CVE-2023-22515 does not affect Confluence Data Center and Server versions before 8.0.0, so users of those older releases need not take action for this flaw.
Atlassian Cloud instances (sites hosted on atlassian.net domains) are likewise not vulnerable to these attacks.
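Applying the fixed-version list and the two exemptions above by hand across a fleet is error-prone, so here is a small triage helper, added as an example and not part of the article or of Atlassian's guidance. It encodes the three fixed releases, treats anything below 8.0.0 and any hosted atlassian.net site as not affected, and reads "or later" as covering releases after 8.5.2 as well; the inventory it runs over is constructed.

```python
import re

# Fixed releases listed in Atlassian's bulletin for CVE-2023-22515, keyed by
# the 8.x feature branch each one belongs to.
FIXED_RELEASES = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),  # Long-Term Support line
}

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '8.5.1', 'v8.4.3' or '8.5.2-LTS' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version, hosted=False):
    """Classify one instance as 'not-affected', 'vulnerable' or 'fixed'."""
    if hosted:
        return "not-affected"  # Atlassian Cloud (atlassian.net) is not vulnerable
    v = parse_version(version)
    if v < (8, 0, 0):
        return "not-affected"  # releases before 8.0.0 are out of scope
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return "fixed" if v >= FIXED_RELEASES[branch] else "vulnerable"
    if branch > (8, 5):
        return "fixed"  # newer than the 8.5.2 LTS fix, i.e. "8.5.2 or later"
    return "vulnerable"  # 8.0.x, 8.1.x, 8.2.x have no in-branch fix: upgrade


def triage(inventory):
    """Map {host: (version, hosted)} to {host: assessment}."""
    return {host: assess(ver, hosted) for host, (ver, hosted) in inventory.items()}


# Constructed inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = {
    "wiki-legacy": ("7.19.14", False),
    "wiki-eng": ("8.2.3", False),
    "wiki-ops": ("8.4.3", False),
    "wiki-lts": ("8.5.1", False),
    "wiki-new": ("8.6.0", False),
    "team.atlassian.net": ("n/a", True),
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:20s} {result}")
```

Hosts that come back "vulnerable" on a branch with no fixed release (8.0 through 8.2) have to move to 8.3.3, 8.4.3 or 8.5.2, not just to the latest patch of their current branch.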
For more information on indicators of compromise, upgrade instructions, and a complete list of affected product versions, please refer to Atlassian’s security bulletin.