Microsoft Confirms Chinese State-Backed Atlassian Confluence Attacks


Key Takeaways:

  • Microsoft attributes active exploitation of a zero-day vulnerability (CVE-2023-22515) in Atlassian Confluence Server and Confluence Data Center to a Chinese state-backed threat group it tracks as Storm-0062.
  • Proof-of-concept exploits for this critical vulnerability are publicly available, heightening the risk of mass exploitation; an unauthenticated attacker who can reach a vulnerable instance can use the flaw to create an administrator account on it.
  • Atlassian has released fixed versions and recommends that organizations upgrade, or disconnect vulnerable installations from the Internet until they can.

Microsoft has revealed that a Chinese state-backed threat group, which it tracks as Storm-0062, is currently exploiting a critical zero-day vulnerability in Atlassian Confluence Server and Confluence Data Center. Proof-of-concept exploits for the vulnerability are now publicly available, raising the prospect of mass exploitation.

Last week, Atlassian acknowledged the remotely exploitable privilege-escalation vulnerability (CVE-2023-22515), which affects on-premises Confluence Server and Data Center instances. The flaw lets a remote attacker create unauthorized administrator accounts and use them to access the Confluence instance. According to Atlassian, the zero-day has been exploited in the wild since September 14, 2023.

Now, the Microsoft Threat Intelligence team has shared more information about the China-sponsored advanced persistent threat (APT) group behind these attacks. Microsoft identified four IP addresses that have been sending exploit traffic targeting the privilege escalation vulnerability.

“The four IP addresses below were observed sending related CVE-2023-22515 exploit traffic: 192.69.90[.]31; 104.128.89[.]92; 23.105.208[.]154; 199.193.127[.]231,” the Microsoft Threat Intelligence team explained. “Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application.”

Atlassian’s Confluence: A prime target for cyberattackers

Atlassian has released fixed versions of Confluence Server and Data Center and advises customers to upgrade to 8.3.3, 8.4.3, or 8.5.2 or later. Customers who cannot upgrade immediately are advised to disconnect vulnerable Confluence installations from the internet until the fix has been applied.
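Two checks follow from the two passages above: whether an installed Confluence version is at or beyond the fixed releases Atlassian named, and whether the four IP addresses Microsoft published appear in the instance's HTTP access logs. The script below is an added example written for this article; it is not Atlassian's or Microsoft's code. The access log lines it scans are constructed for illustration in the common combined log format that a Tomcat access log valve emits, and the `is_fixed_version` check only answers whether a version is one of the fixed releases named above or later (it says nothing about whether older release lines were ever affected, which this article does not cover).

```python
import re
from collections.abc import Iterable
from dataclasses import dataclass

# The four IP addresses Microsoft Threat Intelligence observed sending
# CVE-2023-22515 exploit traffic (defanged in the article, plain here).
STORM_0062_IPS = frozenset({
    "192.69.90.31",
    "104.128.89.92",
    "23.105.208.154",
    "199.193.127.231",
})

# Fixed releases named in Atlassian's advisory: 8.3.3, 8.4.3, 8.5.2 or later.
FIXED_VERSIONS = ((8, 3, 3), (8, 4, 3), (8, 5, 2))

# Constructed sample access log (combined log format); the paths and client
# addresses are illustrative only. Two lines come from the published IOC IPs,
# one line is deliberately malformed to show that triage keeps going.
SAMPLE_ACCESS_LOG = """\
10.20.30.40 - jdoe [05/Oct/2023:09:12:01 +0000] "GET /wiki/spaces/ENG/overview HTTP/1.1" 200 5120
192.69.90.31 - - [05/Oct/2023:09:14:33 +0000] "GET /login.action HTTP/1.1" 200 2210
not a log line
199.193.127.231 - - [05/Oct/2023:09:15:02 +0000] "POST /login.action HTTP/1.1" 302 0
10.20.30.41 - asmith [05/Oct/2023:09:16:45 +0000] "GET /rest/api/content HTTP/1.1" 200 871
"""

# Combined log format up to the status and size fields; trailing referer and
# user-agent fields are ignored because re.match only anchors at the start.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '8.5.2' or '8.5.2-LTS' into (8, 5, 2); a missing patch level is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_fixed_version(version: str) -> bool:
    """True if the version is one of Atlassian's fixed releases or later.

    Anything at or above the newest fixed release (8.5.2) counts as fixed;
    within the 8.3 and 8.4 lines the version must reach that line's fix.
    """
    v = parse_version(version)
    if v >= FIXED_VERSIONS[-1]:
        return True
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:
            return v >= fixed
    return False


def find_ioc_hits(lines: Iterable[str], iocs: frozenset[str] = STORM_0062_IPS) -> list[Hit]:
    """Return every parseable request whose client address is a published IOC."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        if m["ip"] in iocs:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{h.timestamp} {h.ip} {h.method} {h.path} -> {h.status}")
    for ver in ("8.2.0", "8.4.2", "8.4.3", "8.5.2", "8.6.0"):
        print(f"{ver}: {'fixed' if is_fixed_version(ver) else 'NOT fixed'}")
```

Run it against a real log with `find_ioc_hits(open(path))`. If the instance sits behind a reverse proxy or load balancer, the first field of each line will be the proxy's address rather than the client's, so the logged address has to come from a forwarded-for header or the proxy's own logs before this match means anything. An empty result is not a clean bill of health either: the four addresses are the ones Microsoft chose to publish, not the full infrastructure, so the version check and a review of the confluence-administrators group for unexpected accounts remain the decisive steps.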

This isn’t the first time Atlassian’s products have been targeted at scale. Last year, a remote code execution flaw (CVE-2022-26134) was identified in Confluence Server and Data Center, and security researchers observed spikes of up to 100,000 exploitation attempts per day against it. Those attacks primarily targeted the high-tech, commerce, and financial services industries.