
Critical Atlassian Confluence vulnerability under active exploitation by a widely active state-sponsored hacking group

Microsoft's threat intelligence researchers have warned that a threat actor they track as Storm-0062, which has suspected ties to China, has been exploiting the flaw since mid-September.

State-linked hacking group actively exploiting a significant vulnerability in Atlassian's Confluence service

Critical Atlassian Confluence Vulnerability Remains Unpatched for Many Users

A critical vulnerability, CVE-2023-22515, in Atlassian Confluence Data Center and Server continues to pose a significant threat to users running versions 8.0.0 through 8.5.1. The flaw, exploitation of which was first observed in mid-September, is a broken access control bug: an unauthenticated remote attacker can bypass authentication and create an administrator account on an internet-exposed instance, and from that position remote code execution on the host becomes possible.
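Because the flaw is reached through the instance's setup endpoints, the cheapest place to look for exploitation is the Confluence access log. The following is an added example, not code from the article, from Atlassian or from Microsoft. It scans Tomcat-style combined access log lines for two indicators: requests to /setup/*setupadministrator* (the indicator Atlassian lists in its advisory for this CVE) and the applicationConfig.setupComplete=false parameter that public exploitation analyses describe as the step that re-opens setup on an already-configured instance. The log format and the sample lines are assumptions and are constructed for the example; the IP addresses are RFC 5737 documentation ranges.

```python
import re
from urllib.parse import unquote

# Indicators to look for in the request target. The /setup/*setupadministrator* pattern
# is the one Atlassian's CVE-2023-22515 advisory lists; the setupComplete=false parameter
# comes from public exploitation analyses (assumption: not taken from the article above).
SETUP_ADMIN_RE = re.compile(r"/setup/[^\s?#]*setupadministrator", re.IGNORECASE)
SETUP_RESET_RE = re.compile(r"applicationConfig\.setupComplete=false", re.IGNORECASE)

# Tomcat/Apache "combined"-style access log line (assumed format): client IP, identity,
# user, [timestamp], "METHOD target protocol", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def classify_request(line):
    """Return a finding dict if the line hits one of the indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so that %73etup and %2573etup both normalise to "setup".
    target = unquote(unquote(m["target"]))
    if SETUP_ADMIN_RE.search(target):
        reason = "setup-administrator endpoint"
    elif SETUP_RESET_RE.search(target):
        reason = "setup-complete flag reset"
    else:
        return None
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "target": target, "status": int(m["status"]), "reason": reason,
    }


def scan_access_log(lines):
    """All indicator hits, in log order."""
    return [hit for hit in (classify_request(line) for line in lines) if hit]


def suspicious_sources(hits):
    """Group hits by client IP. A source that both reset the setup flag and reached the
    setup-administrator endpoint has walked the whole exploitation chain."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["reason"])
    return {ip: sorted(reasons) for ip, reasons in by_ip.items()}


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2023:11:02:15 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.7 - - [14/Sep/2023:11:02:17 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 4817
203.0.113.7 - - [14/Sep/2023:11:02:19 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.22 - - [14/Sep/2023:11:05:40 +0000] "GET /pages/viewpage.action?pageId=123456 HTTP/1.1" 200 22190
198.51.100.23 - - [14/Sep/2023:11:06:01 +0000] "GET /%73etup/%73etupadministrator.action HTTP/1.1" 200 4817
192.0.2.9 - - [14/Sep/2023:11:07:13 +0000] "GET /login.action HTTP/1.1" 200 9103
"""

if __name__ == "__main__":
    findings = scan_access_log(SAMPLE_LOG.splitlines())
    for f in findings:
        print(f"{f['ts']} {f['ip']:15} {f['method']:4} {f['status']} {f['reason']}: {f['target']}")
    for ip, reasons in suspicious_sources(findings).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On a long-running, already-configured instance any hit on /setup/* is abnormal, so a single match is worth a look; a POST to the setup-administrator endpoint that returns a redirect should be followed by checking the instance for administrator accounts nobody created. Proxies and WAFs that only match the literal string "setup" miss the percent-encoded variant, which is why the scanner decodes before matching.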

Atlassian has issued security advisories recommending that users upgrade to the fixed versions 8.3.3, 8.4.3, or 8.5.2 (Long Term Support) or later. Where an upgrade is not immediately possible, Atlassian advises network and configuration mitigations: restrict external network access to the instance, block access to the specific endpoints named in the advisory, and take vulnerable instances offline.
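Deciding which instances need the upgrade sounds easy but goes wrong in practice when version strings are compared as text (which ranks "8.10.0" below "8.5.1") or when a branch-specific fix such as 8.3.3 is overlooked because it sits inside the 8.0.0 to 8.5.1 range. The following added example, which is not Atlassian's code or the article's, triages an inventory against the ranges stated above: it parses versions numerically, treats a release at or past the fix on its own minor branch as fixed, and points each affected host at the nearest fixed release on its branch or, failing that, the 8.5.2 LTS. The hostnames and versions in the inventory are constructed for illustration.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected and fixed ranges as stated in the article and Atlassian's advisory for
# Confluence Data Center and Server.
FIRST_AFFECTED: Version = (8, 0, 0)
LAST_AFFECTED: Version = (8, 5, 1)
# First fixed release on each minor branch; later patch releases on the same branch are
# also fixed. 8.5.2 is the Long Term Support release.
FIXED_RELEASES: List[Version] = [(8, 3, 3), (8, 4, 3), (8, 5, 2)]
LTS_FIX: Version = (8, 5, 2)


def parse_version(text: str) -> Version:
    """Turn '8.5.1', '8.5' or '8.5.1-m01' into a numeric tuple so comparisons are numeric.
    A string comparison would rank '8.10.0' below '8.5.1', which this avoids."""
    core = text.strip().split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version_text: str) -> bool:
    v = parse_version(version_text)
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return False
    # Inside the range, but already at or past the fix on its own branch?
    return not any(v[:2] == fix[:2] and v >= fix for fix in FIXED_RELEASES)


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def recommended_fix(version_text: str) -> Optional[str]:
    """Nearest fixed release on the instance's own minor branch, otherwise the LTS fix;
    None when the instance is not affected."""
    if not is_affected(version_text):
        return None
    v = parse_version(version_text)
    for fix in FIXED_RELEASES:
        if fix[:2] == v[:2]:
            return fmt(fix)
    return fmt(LTS_FIX)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """(host, current version, target version) for every affected host, sorted by host."""
    return [
        (host, ver, recommended_fix(ver))
        for host, ver in sorted(inventory.items())
        if is_affected(ver)
    ]


# Constructed example inventory (hostnames and versions invented for illustration).
EXAMPLE_INVENTORY = {
    "wiki-prod.example.com": "8.5.1",
    "wiki-staging.example.com": "8.3.2",
    "wiki-legacy.example.com": "7.19.14",
    "wiki-dev.example.com": "8.5.2",
    "wiki-eng.example.com": "8.2.4",
}

if __name__ == "__main__":
    for host, ver, target in triage(EXAMPLE_INVENTORY):
        print(f"{host}: {ver} is affected, upgrade to {target}")
```

The check covers Data Center and Server only; it says nothing about whether an instance has already been compromised, so a host that comes back "not affected" because it was upgraded after mid-September still needs its administrator accounts reviewed.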

Microsoft Threat Intelligence has publicly attributed in-the-wild exploitation of CVE-2023-22515 to Storm-0062, with activity observed since September 14, 2023. Atlassian's own advisory does not name the actor, saying only that a known nation-state actor is exploiting the flaw. Nation-state actors have exploited Confluence zero-days before, which adds to the urgency of patching.

Campaigns attributed to Storm-0062 have targeted a range of industries, including manufacturing, pharmaceuticals, civil and industrial engineering, and gaming. The threat actor, also known as DarkShadow or Oro0lxy, has been linked to China and has been active for over a decade.

The attacks observed so far have mainly targeted computing and financial services firms in the U.S., and have primarily originated from IP addresses in the U.S. and Germany. In some cases the hackers have also tried to extort cryptocurrency from victims by threatening to release stolen source code.

Organizations using vulnerable Confluence applications are strongly advised to immediately upgrade to a fixed version and disconnect from the public-facing internet until upgrades are complete. Researchers at Imperva have seen at least 350,000 exploitation attempts since Atlassian first issued warnings about the vulnerability.

Atlassian says the security of its customers' instances is its top priority and that it is working with Microsoft and other outside experts on the response. It first warned customers about the vulnerability on Oct. 4. The FBI declined to comment, and Microsoft had nothing to add beyond its initial public warning.

In 2020 the Department of Justice announced charges against Li Xiaoyu, an alleged hacker who operated online under the name Oro0lxy, as part of a global hacking campaign that targeted companies in the U.S., Japan, and across Europe for more than a decade.

In summary, CVE-2023-22515 is a serious, actively exploited vulnerability for which patches are available and widely recommended. Exploitation has been observed both by Atlassian's customers and by security vendors, and Microsoft has attributed the activity to Storm-0062. For effective defense, users should prioritize upgrading Confluence to the fixed versions and apply the network and configuration mitigations Atlassian advises until they can.

  1. With fixes for CVE-2023-22515 available but many Confluence instances still unpatched, technology and cybersecurity professionals should treat vendor advisories and threat intelligence about active exploitation as input to patch prioritization, not as general news.
  2. Storm-0062 has a long record of targeting a range of industries, so organizations in those sectors should remain vigilant for exploitation of vulnerabilities like CVE-2023-22515 in internet-facing systems, including administrator accounts that nobody on the team created.
  3. Given the volume of exploitation attempts against CVE-2023-22515, defenders should prioritize measures that prevent unauthorized access and remote code execution: disciplined patch management, restricted network exposure for Confluence, and the configuration mitigations Atlassian recommends.
