The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued a warning to network administrators, urging them to patch Atlassian Confluence servers immediately against a critical flaw that is currently being exploited in attacks. The flaw, tracked as CVE-2023-22515, is a privilege escalation vulnerability rated critical by Atlassian that affects Confluence Data Center and Server 8.0.0 and later (earlier versions are not affected). It can be exploited remotely in low-complexity attacks without any user interaction, and attackers have used it to create unauthorized administrator accounts on exposed instances.
On October 4, Atlassian released security updates and advised customers to upgrade their Confluence instances promptly to one of the fixed versions (i.e., 8.3.3 or later, 8.4.3 or later, 8.5.2 or later) as the bug was already being exploited as a zero-day. Those who couldn't upgrade were urged to disconnect the affected instances from the internet or shut them down. Administrators were also advised to look for signs of compromise, such as new or suspicious admin user accounts.
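The fixed versions above are per release branch, which is easy to get wrong in an inventory script: 8.4.0 is "newer" than 8.3.3 but is still unpatched, because the 8.4 branch only received its fix in 8.4.3. The following added example (not code from Atlassian, CISA or the article) encodes the affected and fixed ranges exactly as the advisory text states them and flags hosts that still need the upgrade; the inventory entries and hostnames are constructed for illustration.

```python
"""Check Confluence Data Center/Server versions against the CVE-2023-22515
fixed-version ranges quoted in the advisory text.

Added example; not code from Atlassian, CISA or the article. Boundaries come
from the text: 8.0.0 and later are affected, fixed in 8.3.3+, 8.4.3+, 8.5.2+.
"""
import re

# (first affected, first fixed) per release branch, half-open ranges.
# 8.0.0 up to (not including) 8.3.3 is affected; the 8.4 and 8.5 branches
# each got their own fix, so 8.4.0-8.4.2 and 8.5.0-8.5.1 remain vulnerable
# even though they sort after 8.3.3. Versions before 8.0.0 are not affected.
FIXED_RANGES = [
    ((8, 0, 0), (8, 3, 3)),
    ((8, 4, 0), (8, 4, 3)),
    ((8, 5, 0), (8, 5, 2)),
]

# Leading "major.minor[.patch]"; any trailing suffix (e.g. "-rc1") is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse a Confluence version string into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version_text):
    """True if the version falls inside any still-unpatched branch range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in FIXED_RANGES)


def hosts_needing_patch(inventory):
    """inventory: iterable of (host, version) pairs -> hosts still affected."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("wiki-prod", "8.4.1"),      # newer than 8.3.3, still vulnerable
    ("wiki-dev", "8.5.2"),       # fixed
    ("wiki-legacy", "7.19.10"),  # pre-8.0.0, not affected
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required for CVE-2023-22515")
```

A naive check such as `version >= "8.3.3"` would report `wiki-prod` as patched; the per-branch ranges are what make the result match the advisory.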
A week after CISA included the bug in its list of known exploited vulnerabilities, Microsoft revealed that a Chinese-backed threat group known as Storm-0062 (also referred to as DarkShadow or Oro0lxy) has been exploiting the flaw as a zero-day since at least September 14, 2023. The three organizations, CISA, FBI, and MS-ISAC, strongly urged network administrators to apply the upgrades provided by Atlassian immediately. They also encouraged organizations to search for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) mentioned in the advisory. If a potential compromise is detected, organizations should follow the incident response recommendations.
Data collected by cybersecurity firm GreyNoise suggests that exploitation of CVE-2023-22515 has so far been limited. However, the picture could change rapidly now that proof-of-concept (PoC) exploits developed by pentester Valentin Lobstein and Sophos security engineer Owen Gong, along with full technical details of the vulnerability published by Rapid7 researchers last week, are publicly available.
Given the ease of exploitation, CISA, FBI, and MS-ISAC anticipate widespread exploitation of unpatched Confluence instances in both government and private networks. It is therefore crucial to patch Confluence servers as soon as possible, especially considering their historical appeal to malicious actors. Past campaigns involving Linux botnet malware, crypto miners, and AvosLocker and Cerber2021 ransomware attacks highlight the urgency of the issue.
Last year, CISA ordered federal agencies to address another critical Confluence vulnerability (CVE-2022-26138) that was being exploited in the wild. This order was prompted by previous alerts from cybersecurity firm Rapid7 and threat intelligence company GreyNoise.