CISA, FBI, and MS-ISAC warned network admins today to immediately patch their Atlassian Confluence servers against a maximum severity flaw actively exploited in attacks.
Tracked as CVE-2023-22515, this critical privilege escalation flaw affects Confluence Data Center and Server versions 8.0.0 and later (Atlassian-hosted Cloud sites are not affected) and is remotely exploitable in low-complexity attacks that require neither authentication nor user interaction.
On October 4, when it released security updates, Atlassian advised customers to upgrade their Confluence instances as soon as possible to one of the fixed versions (8.3.3 or later, 8.4.3 or later, or 8.5.2 or later; 8.0.x through 8.2.x have no fixed release of their own and must move to a fixed branch), as the bug was already being exploited in the wild as a zero-day.
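A fleet-triage check for the version ranges above, added here as an example; it is not code from Atlassian or from the advisory. It encodes the affected range (8.0.0 and later) and the three fix branches Atlassian published, and for each vulnerable host names the nearest fixed release (the 8.5.2 Long Term Support release where no in-branch fix exists). The host inventory is constructed for the example.

```python
import re

# Fix branches from Atlassian's advisory for CVE-2023-22515. A version is
# fixed if it is at or above the fix release of its own 8.3.x / 8.4.x line,
# or at or above 8.5.2 (the LTS fix, which every later release also carries).
FIRST_AFFECTED = (8, 0, 0)
FIX_IN_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3)}
FIX_LTS = (8, 5, 2)


def parse_version(text):
    """Turn '8.5.1' into (8, 5, 1); reject anything that is not MAJOR.MINOR.PATCH."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    return tuple(int(part) for part in m.groups())


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(text):
    """Return 'not-affected', 'fixed' or 'vulnerable' for one Confluence version string."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-affected"          # pre-8.0 lines were never affected
    if v >= FIX_LTS:
        return "fixed"                 # 8.5.2 and every later release
    branch_fix = FIX_IN_BRANCH.get(v[:2])
    if branch_fix is not None and v >= branch_fix:
        return "fixed"                 # 8.3.3+ or 8.4.3+ within their own line
    return "vulnerable"


def recommended_upgrade(text):
    """Nearest fixed release for a vulnerable version; None if no action is needed."""
    v = parse_version(text)
    if assess(text) != "vulnerable":
        return None
    # 8.3.x and 8.4.x have an in-branch fix; 8.0.x-8.2.x and 8.5.0/8.5.1 do not,
    # so the only option for them is the LTS fix release.
    return fmt(FIX_IN_BRANCH.get(v[:2], FIX_LTS))


# Constructed inventory (hostname -> reported version) for the example.
INVENTORY = {
    "wiki-legacy": "7.19.10",
    "wiki-prod-1": "8.5.1",
    "wiki-prod-2": "8.5.2",
    "wiki-dev": "8.4.1",
    "wiki-eng": "8.0.3",
}


def triage(inventory):
    """Map each vulnerable host to the release it should be upgraded to."""
    return {host: recommended_upgrade(ver)
            for host, ver in inventory.items()
            if assess(ver) == "vulnerable"}


if __name__ == "__main__":
    for host, target in triage(INVENTORY).items():
        print(f"{host}: running {INVENTORY[host]}, upgrade to {target} or later")
```

Feed `triage()` the version each instance reports (for example from the `/rest/api/settings/systemInfo` response or the login page footer, whichever your monitoring already collects) and act on every host it returns; a host that cannot be upgraded should be taken offline or isolated per the advice below.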
Those who couldn’t upgrade were urged to shut down impacted instances or isolate them from Internet access. Admins were also advised to check for indicators of compromise, including new or suspicious admin user accounts.
One week after CISA added the bug to its Known Exploited Vulnerabilities catalog, Microsoft revealed that a Chinese state-backed threat group it tracks as Storm-0062 (also known as DarkShadow or Oro0lxy) had been exploiting the flaw as a zero-day since at least September 14, 2023.
“CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian,” the three organizations warned today.
“CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.”
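A log hunt for the indicators Atlassian and the joint advisory point to, added here as an example; it is not code from Atlassian, CISA or the CSA. It scans Tomcat-style access log lines (constructed for this example) for the indicator Atlassian's advisory lists for this bug, requests to `/setup/*.action`, which an installed server should never receive again after first-time setup, and for the precursor request described in Rapid7's public analysis, a query parameter on `/server-info.action` that switches the server back into setup mode. The log layout and field order are assumptions about your deployment. The other indicator from the advisory, new or unexpected members of the confluence-administrators group, has to be checked in the user directory and is not covered by this script.

```python
import re
from collections import defaultdict

# Indicator from Atlassian's CVE-2023-22515 advisory: on an installed server the
# setup endpoints must never be requested again after initial configuration.
SETUP_ACTION = re.compile(r"/setup/[^/?\s]*\.action$")
# Precursor described in Rapid7's public analysis: a query parameter on
# /server-info.action that flips the server back into setup mode.
SETUP_RESET = re.compile(r"bootstrapStatusProvider\.applicationConfig\.setupComplete=false")

# Tomcat common/combined access log layout (assumed for this deployment).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one source walks the setup endpoints, another browses normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Oct/2023:11:22:33 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 -',
    '203.0.113.7 - - [14/Oct/2023:11:22:35 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 4183',
    '203.0.113.7 - - [14/Oct/2023:11:22:37 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 -',
    '203.0.113.7 - - [14/Oct/2023:11:22:39 +0000] "POST /setup/finishsetup.action HTTP/1.1" 200 -',
    '198.51.100.4 - alice [14/Oct/2023:11:30:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 5678',
    '198.51.100.4 - alice [14/Oct/2023:11:30:02 +0000] "GET /server-info.action HTTP/1.1" 200 812',
]


def parse_line(line):
    """Split one access log line into its fields; None if it does not match the layout."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["target"].partition("?")
    rec["path"], rec["query"] = path, query
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return an indicator label for one parsed request, or None if it looks benign."""
    if SETUP_ACTION.search(rec["path"]):
        return "setup-endpoint"
    if rec["path"].endswith("/server-info.action") and SETUP_RESET.search(rec["query"]):
        return "setup-complete-reset"
    return None


def hunt(lines):
    """Group flagged requests by source IP as (timestamp, method, target, label) tuples."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["ip"]].append((rec["ts"], rec["method"], rec["target"], label))
    return dict(hits)


def likely_exploit_chain(hits_for_ip):
    """True if one source reset setup mode and then reached a setup endpoint, in that order."""
    seen_reset = False
    for _, _, _, label in hits_for_ip:
        if label == "setup-complete-reset":
            seen_reset = True
        elif label == "setup-endpoint" and seen_reset:
            return True
    return False


if __name__ == "__main__":
    for ip, events in hunt(SAMPLE_LOG).items():
        verdict = "exploit chain" if likely_exploit_chain(events) else "setup access"
        print(f"{ip}: {verdict}")
        for ts, method, target, label in events:
            print(f"  {ts} {method} {target} [{label}]")
```

Any `setup-endpoint` hit on an installed instance is worth an incident ticket on its own; the ordered chain only raises confidence. Run it over the full retention window, not just the last few days, since the exploitation Microsoft attributed to Storm-0062 predates the public advisory.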
Widespread exploitation warning
Data gathered by cybersecurity firm GreyNoise indicates that exploitation of CVE-2023-22515 has been very limited so far.
Nevertheless, that could change soon: proof-of-concept (PoC) exploits [1, 2] developed by pentester Valentin Lobstein and Sophos security engineer Owen Gong are now public, and Rapid7 researchers published full technical details of the vulnerability last week.
“Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks,” the joint advisory warns.
Patching Confluence servers as soon as possible is critical, given how often they have been targeted. Previous campaigns that pushed Linux botnet malware, cryptominers, and AvosLocker and Cerber2021 ransomware through Confluence flaws underscore the urgency.
Last year, CISA ordered federal agencies to patch another critical Confluence vulnerability (CVE-2022-26138, a hardcoded credential in the Questions for Confluence app) that was being exploited in the wild, following alerts from cybersecurity firm Rapid7 and threat intelligence company GreyNoise.