A bug in Atlassian’s Confluence data centre and server software is under attack, allegedly from threat actors in China.
Atlassian disclosed the zero-day vulnerability, CVE-2023-22515, last week, saying a small number of customers had suffered exploitation.
Now, in a series of messages posted to X (formerly Twitter), Microsoft said it had identified attack traffic it attributes to a threat actor dubbed Storm-0062, beginning on September 14.
Microsoft sourced the attacks to the following four IP addresses: 192.69.90.31, 104.128.89.92, 23.105.208.154, and 199.193.127.231.
“Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application,” the company added.
Microsoft noted that “Storm-0062 is tracked by others as DarkShadow or Oro0lxy.”
While Microsoft didn’t specifically identify China in its messages, Oro0lxy is an alias used by Li Xiaoyu, a Chinese national the US Department of Justice (DoJ) accused of hacking on behalf of China’s Ministry of State Security in a June 2020 indictment [pdf].
The DoJ said Xiaoyu and Dong Jiazhi were prolific hackers who breached hundreds of companies in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, Spain, South Korea, Sweden, and the United Kingdom over a 10-year period.