Microsoft: Chinese APT Behind Atlassian Confluence Attacks; PoCs Appear

Organizations should brace for mass exploitation of CVE-2023-22515, an uber-critical security bug that opens the door to crippling supply chain attacks on downstream victims.

Chinese flas with computer circuitry
Source: vectorsector via Shutterstock

A China-sponsored advanced persistent threat (APT) tracked as Storm-0062 is responsible for the in-the-wild exploitation of the recently disclosed critical bug in Atlassian Confluence Server and Confluence Data Center, Microsoft has announced. And it turns out that proof-of-concept exploits are now available for it, portending mass exploitation.

The flaw (CVE-2023-22515) was disclosed last week, with Atlassian acknowledging that it had been exploited as a zero-day in the wild prior to that. The vulnerability was at first labeled a privilege escalation problem, but it's remotely exploitable without authentication and should be seen as more akin to a code-execution tool, according to researchers — an assessment borne out by its 10 out of 10 ranking on the CVSS vulnerability-severity scale.

Accordingly, Atlassian subsequently updated its advisory to label the bug a broken access control issue.

Microsoft this week delivered additional details on the zero-day campaign, which it said has been active since Sept. 14. In a series of tweets, it identified four IP addresses that were observed sending related CVE-2023-22515 exploit traffic; also, it noted that "any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application."

In tandem with that attribution, a former computer science student and "security enthusiast" who goes by the handle s1r1us dropped a proof of concept (PoC) on GitHub; researchers at Rapid7 published a detailed analysis of the vulnerability that could offer plenty of breadcrumbs to PoC developers.

Who Is Beijing-Sponsored Storm-0062?

The Storm-0062 APT is also known as DarkShadow or Oro0lxy, Microsoft pointed out. Both names are aliases for Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for probing for "vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments."

They remain at large, presumably in China, and have a history of state-sponsored hacking in tandem with various associates that goes back to at least 2009.

Microsoft offered no details on the victimology of the latest attacks but noted in its annual Digital Defense Report issued last week that Chinese state-sponsored campaigns typically reflect the Chinese Communist Party's (CCP) dual pursuit of global influence and intelligence collection, and thus cast a wide net.

"Cyber threat groups [in China] continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China's strategic partners," according to the report. "Some Chinese cyber activity may also indicate possible avenues of response in the event of a future geopolitical crisis."

Atlassian: Open to Software Supply Chain Attack

The stakes are high when it comes to the bug. Confluence collaboration environments can house sensitive data on both internal projects as well as its customers and partners — which means that intruders lurking inside its files can gather all the intel they need to mount follow-on attacks on those third parties.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, notes that this kind of zero-day exploit is "purpose-built to pollute the application, thus allowing these Chinese cyber spies to use Confluence as an attack vector into a myriad of organizations."

He adds, "This represents a systemic supply chain attack. A majority of businesses and government agencies use it, and it can be hijacked to facilitate island hopping."

He also warns that businesses should brace for mass exploitation waves, since there are now public road maps for leveraging this particular vulnerability, and Confluence has a history of being popular with cybercrime types.

China's "People's Liberation Army has a vast cyber-spy network, much of which focuses on arming [the country] with zero-days," Kellermann says. "Initially, this vulnerability required an APT to exploit, but now with the details being disclosed, a mass compromise could be ensuing."

To protect themselves, "organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later," Microsoft advised. "Organizations should isolate vulnerable Confluence applications from the public Internet until they are able to upgrade them."

Kellerman adds that beyond patching, businesses must increase threat hunting for evidence of this specific APT group, and says that deploying runtime security is "imperative to mitigate exploitation or zero-days."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights