Microsoft has identified a severe vulnerability in the Atlassian Confluence Data Center and Server, which, it says, has been exploited by a nation-state entity known as Storm-0062 (also referred to as DarkShadow or Oro0lxy).
According to Microsoft’s threat intelligence crew, the exploit has been observed in action since September 14, 2023.
The vulnerability, labelled as CVE-2023-22515, is described as a critical privilege escalation flaw within Atlassian’s Confluence Data Center and Server. This flaw could be exploited if a device is network-connected to a susceptible application, allowing the perpetrator to create an administrator account within the Confluence application.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
The cybersecurity implications
CVE-2023-22515, with a maximum severity score of 10.0 on the CVSS scale, enables remote attackers to fabricate unauthorized administrator accounts and gain access to Confluence servers. Atlassian has released patches for this flaw in its versions 8.3.3, 8.4.3 and 8.5.2 (Long Term Support release) or later.
The exact extent of the attacks remains unclear. Still, Atlassian became aware of the issue through reports from a few customers, indicating that the threat actor exploited this vulnerability as a zero-day.
Notably, Oro0lxy is a digital pseudonym used by Li Xiaoyu, a hacker from China who, as per the U.S. Department of Justice (DoJ) allegations in July 2020, infiltrated numerous companies across the U.S., Hong Kong, and China, Moderna – a coronavirus vaccine research developer, being among them.
Recommended actions and broader concerns
Xiaoyu is believed to be associated with the Guangdong regional division of China’s Ministry of State Security (MSS), operated at times for personal financial gain and at others for the advantage of MSS or other Chinese government entities, as per the DoJ. The DoJ described the hacking activities as a significant and sophisticated threat involving the theft of terabytes of data from U.S. networks.
Companies using Confluence applications are strongly advised to update to the newest versions to lessen the risks and to keep these applications off the public internet until the remedial measures are implemented.
