Dive Brief:
- A threat actor linked to China is exploiting a critical broken access control vulnerability in Atlassian Confluence to launch attacks since September, according to Microsoft Threat Intelligence.
- The company said a handful of customers that use Atlassian Confluence Data Center and Server have confirmed attacks where the vulnerability, listed as CVE-2023-22515, has allowed unauthorized actors to create administrator accounts and gain access to Confluence instances.
- Microsoft researchers observed the state-linked actor, which it identifies as Storm-0062, exploiting the critical vulnerability since Sept. 14.
Dive Insight:
Microsoft warns that organizations using vulnerable Confluence applications need to immediately upgrade to a fixed version. Users should disconnect from the public-facing internet until they are able to complete the upgrades.
Confluence warned customers about the vulnerability on Oct. 4 and is working with Microsoft and other experts to mitigate the situation.
“Our priority is the security of our customers’ instances and we are collaborating with industry leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability,” an Atlassian spokesperson said via email.
Researchers at Imperva said they have seen at least 350,000 exploitation attempts since Atlassian first issued warnings about the vulnerability. These attacks have mainly targeted computing and financial services firms in the U.S., primarily originating from IP addresses in the U.S. and Germany.
Researchers at Rapid7 said they have not confirmed direct attacks among their customer base, however confirmed that the root cause of the vulnerability allows an attacker to modify application settings more broadly.
“It's likely there are additional endpoints and attack paths (beyond the ones Rapid7 used) that will allow for successful exploitation,” according to Stephen Fewer, principal security researcher at Rapid7. “We also tend to doubt that attackers are limited to creating a new administrative user.”
The threat actor Microsoft identifies as Storm-0062 is tracked by other researchers as DarkShadow or Oro0lxy.
The Department of Justice announced charges in 2020 against an alleged hacker named Li Xiaoyu, who was part of a tandem that allegedly worked with the Guangdong State Security Department. According to the indictment, Xiaoyu operated online under the name Oro0lxy.
The indictment alleged they were part of a global hacking campaign that for more than a decade targeted companies in the U.S., Japan and across Europe. During the prior campaign, the hackers attacked a range of industries, including manufacturing, pharmaceuticals, civil and industrial engineering and gaming.
As part of that alleged campaign, the DOJ alleged the hackers worked to extort cryptocurrency from one victim by threatening to release stolen source code. They also searched for vulnerabilities in companies developing Covid-19 vaccines.
A spokesperson for Microsoft said the company had nothing more to add beyond the initial warnings posted on X.
FBI officials declined to comment.