Chinese Hackers Exploit Atlassian Confluence Vulnerability


A critical Atlassian Confluence vulnerability has been identified in the Data Center, and Server marked as CVE-2023-22515. The critical vulnerability has been targeted by Chinese state-backed actors, as disclosed by Microsoft’s threat analysts. 

Initially categorized as a critical privilege escalation vulnerability affecting Confluence Data Center and Server versions 8.0.0 and onwards, it was later re-classified as an issue originating from broken access control.

The organization updated its advisory for the vulnerability on Oct 4th 2023 wherein the vulnerability affects products like Confluence Data Center and Confluence Server.

Atlassian Confluence Vulnerability Exploited by Nation-Backed Threat Actors

Atlassian reported that numerous customers had fallen victim to attacks wherein external assailants leveraged the Confluence vulnerability to establish unauthorized Confluence administrator accounts and gain access to Confluence instances. 

The organization also revealed compelling evidence indicating an active exploitation of CVE-2023-22515 by Chinese state-backed actors. Microsoft’s security experts have been closely monitoring a nation-state threat actor, referred to as Storm-0062 (also recognized as DarkShadow or Oro0lxy), who has been exploiting CVE-2023-22515 since September 14. 

Rapid7 researchers have released a detailed technical analysis of CVE-2023-22515, along with associated indicators of compromise. According to Atlassian’s information, this Atlassian Confluence vulnerability was initially exploited in the wild as a zero-day vulnerability, before the availability of a patch. 

The attacker’s tactics included utilizing CVE-2023-22515 to create a new administrator user. However, it is believed that this is just one possible method of leveraging the vulnerability.

Their analysis concludes that an unauthenticated attacker can remotely exploit the Confluence vulnerability to establish a new administrator account on the target Confluence server. This can lead to a complete compromise of the data stored on the server.

Microsoft Takes on the Vulnerability 

Atlassian Confluence vulnerability
Source: Twitter

Microsoft has announced the involvement of Chinese state-backed actors taking advantage of the Confluence vulnerability in the Confluence Data Center and Server. With a severity rating of 10.0 on the CVSS scale, this flaw poses a serious threat.

Organizations that rely on Confluence applications are strongly urged to upgrade to the latest versions as soon as possible to mitigate potential risks. In addition, it is recommended to isolate these applications from public internet access until the necessary fixes are in place.

This vulnerability is particularly alarming due to its network accessibility, making any device connected to a vulnerable application susceptible to exploitation. Given that it affects Confluence, a platform central to internal knowledge sharing, its impact potential is substantial. CVE-2023-22515 is a critical vulnerability that demands immediate attention from organizations using Atlassian Confluence. Interested users can click here to check out the official updated advisory and mitigation techniques as shared by Atlassian. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.





Source link