Microsoft has identified a nation-state threat actor, Storm-0062, as the entity behind the zero-day exploits targeting Atlassian’s Confluence Data Center and Server products. The malicious activity by this actor, also tracked as DarkShadow or Oro0lxy, dates back to September 14, three weeks before Atlassian’s public disclosure of the issue.
Microsoft stated, “Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023.” It has been observed that Storm-0062 has been conducting cyberespionage operations for China’s Ministry of State Security.
Microsoft shared four IP addresses linked to the exploit traffic targeting the critical CVE-2023-22515 privilege escalation vulnerability. The company warned that anything with a network connection to a vulnerable application could use the flaw to create a Confluence administrator account within that application. Microsoft urged organizations running vulnerable Confluence applications to upgrade to a fixed version as soon as possible and to isolate vulnerable Confluence applications from the public internet until they are upgraded.
Atlassian confirmed that a known nation-state actor is actively exploiting the bug and released an urgent patch for the issue on October 4. The company stated, “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”
The vulnerability, tracked as CVE-2023-22515, is a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Confluence Data Center. Atlassian warned that instances exposed to the public internet are particularly at risk and that upgrading does not remediate an instance that has already been compromised.
Atlassian advised business users to immediately check all affected Confluence instances for indicators of compromise and to disconnect the server from the network/Internet if their instance has been compromised. Atlassian’s software products have been targeted in the past by both cybercriminal and state-sponsored threat actors. CISA’s Known Exploited Vulnerabilities (KEV) catalog lists six distinct Confluence vulnerabilities that require urgent attention.