
[CVSS 10] China-Backed Group Exploits Atlassian Vulnerability

Executive Summary

Microsoft uncovered a critical cybersecurity threat orchestrated by a Chinese-backed group, known as ‘Storm-0062’ (or DarkShadow and Oro0lxy).

This group has been actively exploiting a critical zero-day broken access control vulnerability, known as CVE-2023-22515, in the Atlassian Confluence Data Center and Server since September 14, 2023. Their actions were discovered following an in-depth investigation by Microsoft.

In response to these findings, Atlassian made an announcement on October 4, 2023, alerting its customers about the ongoing exploitation of the specific vulnerability. However, Atlassian didn’t disclose specific details about the threat groups involved in these attacks.

Storm-0062’s audacity is evident as they exploited the zero-day vulnerability for nearly three weeks. During this time, they managed to create arbitrary administrator accounts on exposed endpoints, posing a grave security risk.

The release of a proof-of-concept (PoC) exploit and detailed technical information by researchers at Rapid7 has raised concerns. This PoC exploit provides attackers with a guide on how to bypass security measures and create new administrator accounts with known passwords.

Organizations should take immediate action to address the vulnerability and protect their systems. Please refer to Atlassian’s security bulletin for detailed instructions and guidance.

About the Vulnerability

The vulnerability exploited by Storm-0062 is tracked as CVE-2023-22515 and has a CVSS score of 9.8 from NIST and 10 from Atlassian. It is classified as a broken access control vulnerability, which allows unauthorized users to gain elevated privileges and perform actions they should not have access to. It allows attackers to create arbitrary administrator accounts on exposed endpoints, potentially leading to unauthorized access, data exfiltration, and further compromise of the affected systems.

Please refer to our news article for more information about the vulnerability.

About the Exploit

Microsoft’s Threat Intelligence analysts shared information regarding Storm-0062’s activities related to the exploitation of CVE-2023-22515. They publicly revealed four IP addresses associated with the malicious activities in a Twitter thread. This disclosure aimed to shed light on the scope and nature of the threat.

Furthermore, the situation took a more ominous turn with the release of a proof-of-concept (PoC) exploit and detailed technical information about the vulnerability by researchers at Rapid7. This release could potentially alter the landscape of these exploits, presenting new challenges and risks for organizations.

Rapid7’s analysts detailed how attackers could bypass existing security measures on the Atlassian Confluence product. They also provided information on using cURL commands to send crafted HTTP requests to vulnerable endpoints, thereby creating new administrator accounts with passwords known to the attacker. The detailed write-up additionally included a method to ensure that other users wouldn’t receive notifications about the completion of the setup, making the compromise stealthier.

Storm-0062, the group responsible for the exploit, has affiliations with China’s Ministry of State Security. Their track record includes targeting a wide range of sectors, including software, engineering, medical research, government institutions, defense agencies, and technology firms. Their operations have spanned across the United States, the United Kingdom, Australia, and several European countries.

This is not the first time Storm-0062 has attracted international attention. In July 2020, the United States charged Chinese hackers, presumably from the same group, with stealing vast amounts of data through breaches in government organizations and companies on a global scale.

About the Fix and Threat Detection

In response to the identified security risks, Atlassian acted swiftly by making security updates available in early October. This allowed users a window of time to respond to the situation before the public release of the PoC exploit.

Users are advised to upgrade to specific fixed versions of Atlassian Confluence to mitigate these risks. The recommended versions are:

  • 8.3.3 or later,
  • 8.4.3 or later,
  • 8.5.2 (Long-Term Support release).

Users of Confluence Data Center and Server versions before 8.0.0 are not impacted and need not take any action.

Notably, Atlassian-hosted instances at domains are not vulnerable to these attacks, providing some level of assurance to certain users.

For more comprehensive details, including indicators of compromise and upgrade instructions, users can refer to Atlassian’s security bulletin.

Atlassian recommends that organizations work closely with their security teams to assess their Confluence instances for any evidence of compromise. Key indicators include:

  • unexpected members of the confluence-administrators group
  • unexpected newly created user accounts
  • requests to /setup/*.action in network access logs
  • presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory

If any evidence is discovered, immediate action is recommended, as compromised instances grant attackers full administrative access and the ability to undertake malicious activities.
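The indicators listed above can be checked with a short script. The following is an added example, not code from Atlassian, Microsoft or Rapid7; the log line layouts, sample entries, account names and function names are constructed assumptions, and only the two `/setup/` indicators and the `confluence-administrators` group name come from the list above.

```python
import re

# Indicator quoted above: requests to /setup/*.action. A context-path prefix
# (e.g. /confluence) is allowed; text after '?' is ignored so a setup path
# that only appears inside a query string does not count.
SETUP_REQ = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^\s?"]*/setup/[^/\s?"]*\.action)(?:[?;]\S*)? HTTP',
    re.I)
ADMIN_SETUP = "/setup/setupadministrator.action"

# Constructed samples (documentation IP ranges, invented names). The line layouts
# are assumptions; adjust the client-address field to your access log pattern.
ACCESS_LOG = """\
198.51.100.23 - - [11/Oct/2023:09:14:02 +0000] "GET /pages/viewpage.action?pageId=65601 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Oct/2023:09:15:40 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 200 812
203.0.113.7 - - [11/Oct/2023:09:15:41 +0000] "GET /confluence/setup/example.action?x=1 HTTP/1.1" 200 640
198.51.100.23 - - [11/Oct/2023:09:16:00 +0000] "GET /login.action?os_destination=/setup/x.action HTTP/1.1" 200 900
"""
SECURITY_LOG = """\
2023-10-11 09:15:40,512 WARN [exec-3] constructed exception message mentioning /setup/setupadministrator.action
2023-10-11 09:20:00,001 INFO [exec-5] constructed unrelated entry
"""

def scan_access_log(text):
    """Map client address -> [(method, path)] for requests to /setup/*.action."""
    hits = {}
    for line in text.splitlines():
        m = SETUP_REQ.search(line)
        if m:
            client = line.split(" ", 1)[0]
            hits.setdefault(client, []).append((m["method"].upper(), m["path"].lower()))
    return hits

def scan_security_log(text):
    """Lines of atlassian-confluence-security.log that mention the admin setup action."""
    return [ln for ln in text.splitlines() if ADMIN_SETUP in ln.lower()]

def unexpected_admins(current, baseline):
    """Members of confluence-administrators that are not in the approved baseline."""
    return sorted(set(current) - set(baseline))

if __name__ == "__main__":
    for client, reqs in scan_access_log(ACCESS_LOG).items():
        print(client, reqs)
    print(scan_security_log(SECURITY_LOG))
    print(unexpected_admins(["alice", "bob", "svc_backup2"], ["alice", "bob"]))
```

Any hit from the three checks is a reason to follow the bulletin’s compromise guidance; an empty result only covers the log retention window that was scanned.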



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.
