
Chinese State-Sponsored Hackers Exploit Critical Flaw in Atlassian Software

Microsoft Warns of State-Sponsored Hackers Exploiting Critical Atlassian Confluence Vulnerability

Microsoft has linked the exploitation of a recently disclosed critical vulnerability in Atlassian Confluence Data Center and Server to a state-sponsored threat actor it tracks as Storm-0062 (also known as DarkShadow or Oro0lxy).

Microsoft’s threat intelligence team said it observed attacks exploiting the vulnerability in the wild beginning on September 14, 2023.

“CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server,” Microsoft noted in several posts. “Any device with network access to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application.”

CVE-2023-22515, rated 10.0 on the CVSS severity scale, allows remote attackers to create unauthorized Confluence administrator accounts and access Confluence servers. The vulnerability has been addressed in Confluence versions 8.3.3 or later, 8.4.3 or later, and 8.5.2 (Long Term Support release) or later.

While the exact scale of attacks is unclear, Atlassian said it was alerted to the problem by “a handful of customers,” indicating exploitation as a zero-day by the threat actor.

Notably, Oro0lxy refers to a hacking alias of Li Xiaoyu, a Chinese cybercriminal accused in July 2020 by the U.S. Department of Justice of infiltrating “hundreds of companies” in the U.S., Hong Kong, and China, including vaccine developer Moderna.

Xiaoyu was allegedly assigned to the Guangdong division of China’s Ministry of State Security. The DOJ said, “The defendants, in some instances, acted for their financial gain, and in others for the benefit of the MSS or other Chinese government agencies.”

Organizations using Confluence are strongly advised to upgrade to the latest versions to mitigate potential threats, and to isolate public-facing applications until fixes are applied.
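
The fixed releases listed above are per branch, so a plain "at least 8.3.3" comparison would wrongly pass 8.4.0 or 8.5.1. The following Python script is an added example (not code from Microsoft, Atlassian or the original article) that triages an inventory against those fixes. The host names and the "host version" inventory format are constructed, and branches older than 8.3 are flagged for a check against Atlassian's advisory because the article does not cover them.

```python
import re

# Fixed patch level per release branch, as listed in the article.
FIXED = {(8, 3): 3, (8, 4): 3, (8, 5): 2}
NEWEST_FIXED_BRANCH = max(FIXED)  # (8, 5)

# Constructed sample inventory: "<host> <Confluence version>" per line.
SAMPLE_INVENTORY = """\
wiki-a.example.internal 8.5.1
wiki-b.example.internal 8.5.2
wiki-c.example.internal 8.4.0
wiki-d.example.internal 7.19.16
"""

def parse_version(text):
    """Parse a strict 'major.minor.patch' string into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def naive_is_fixed(version):
    """The pitfall: one global threshold ignores per-branch fix levels."""
    return parse_version(version) >= (8, 3, 3)

def patch_status(version):
    """Return 'fixed', 'upgrade' or 'check-advisory' for one version."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "upgrade"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"  # branches released after 8.5 fall under "8.5.2 or later"
    # Assumption: the article lists no fix for older branches, so defer
    # to Atlassian's advisory instead of guessing.
    return "check-advisory"

def triage(inventory):
    """Map each host in the inventory text to its patch status."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split()
        results[host] = patch_status(version)
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```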
