Skip to main content
close search
site logo
Dive Brief

Critical Atlassian Confluence CVE under exploit by prolific state-linked actor

Microsoft researchers warn a threat actor with ties to China has been exploiting the vulnerability since mid-September.

Published Oct. 13, 2023
David Jones's headshot
Reporter
An image of a digital lock is shown
Just_Super via Getty Images

Dive Brief:

  • A threat actor linked to China is exploiting a critical broken access control vulnerability in Atlassian Confluence to launch attacks since September, according to Microsoft Threat Intelligence.  
  • The company said a handful of customers that use Atlassian Confluence Data Center and Server have confirmed attacks where the vulnerability, listed as CVE-2023-22515, has allowed unauthorized actors to create administrator accounts and gain access to Confluence instances. 
  • Microsoft researchers observed the state-linked actor, which it identifies as Storm-0062, exploiting the critical vulnerability since Sept. 14.

Dive Insight:

Microsoft warns that organizations using vulnerable Confluence applications need to immediately upgrade to a fixed version. Users should disconnect from the public-facing internet until they are able to complete the upgrades. 

Confluence warned customers about the vulnerability on Oct. 4 and is working with Microsoft and other experts to mitigate the situation. 

“Our priority is the security of our customers’ instances and we are collaborating with industry leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability,” an Atlassian spokesperson said via email. 

Researchers at Imperva said they have seen at least 350,000 exploitation attempts since Atlassian first issued warnings about the vulnerability. These attacks have mainly targeted computing and financial services firms in the U.S., primarily originating from IP addresses in the U.S. and Germany.

Researchers at Rapid7 said they have not confirmed direct attacks among their customer base, however confirmed that the root cause of the vulnerability allows an attacker to modify application settings more broadly.

“It's likely there are additional endpoints and attack paths (beyond the ones Rapid7 used) that will allow for successful exploitation,” according to Stephen Fewer, principal security researcher at Rapid7. “We also tend to doubt that attackers are limited to creating a new administrative user.”

The threat actor Microsoft identifies as Storm-0062 is tracked by other researchers as DarkShadow or Oro0lxy. 

The Department of Justice announced charges in 2020 against an alleged hacker named Li Xiaoyu, who was part of a tandem that allegedly worked with the Guangdong State Security Department. According to the indictment, Xiaoyu operated online under the name Oro0lxy. 

The indictment alleged they were part of a global hacking campaign that for more than a decade targeted companies in the U.S., Japan and across Europe. During the prior campaign, the hackers attacked a range of industries, including manufacturing, pharmaceuticals, civil and industrial engineering and gaming.

As part of that alleged campaign, the DOJ alleged the hackers worked to extort cryptocurrency from one victim by threatening to release stolen source code. They also searched for vulnerabilities in companies developing Covid-19 vaccines.

A spokesperson for Microsoft said the company had nothing more to add beyond the initial warnings posted on X. 

FBI officials declined to comment. 

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Editors' picks
Latest in Vulnerability
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell