A Chinese state-backed hacking group called Storm-0062 has been exploiting a critical privilege escalation zero-day bug in the Atlassian Confluence Data Center and Server since September 14, 2023, BleepingComputer reported.
What is a zero-day exploit? A zero-day exploit is a way to attack a computer system that the software company that made the system doesn’t know about yet. This means that there is no patch or update to fix the vulnerability, and attackers can use it to take control of systems.
What is Atlassian Confluence? Atlassian Confluence is a software program that businesses use to share and collaborate on documents and projects. It is a popular tool, and many large companies use it.
Microsoft Threat Intelligence analysts revealed more information about Storm-0062’s involvement and shared four offending IP addresses on Twitter.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
Atlassian has released a patch to fix the zero-day exploit, so businesses should update their Confluence servers as soon as possible. Businesses should also monitor their Confluence servers for suspicious activity and implement other security measures to protect themselves from attacks.
Users of Atlassian Confluence Data Center and Server are urged to upgrade to one of the following fixed releases:
- 8.3.3 or later
- 8.4.3 or later
- 8.5.2 (Long-Term Support release) or later
Here is a timeline of the events and help us to understand the situation.
- September 14, 2023: Storm-0062 begins exploiting the zero-day exploit in Atlassian Confluence.
- October 4, 2023: Atlassian releases security updates to fix the zero-day exploit, but Storm-0062 continued to exploit the flaw for nearly three weeks.
- October 11, 2023: Rapid7 researchers release a proof-of-concept exploit and full technical details about the vulnerability.
The fact that Storm-0062 was able to exploit the zero-day exploit for nearly three weeks after Atlassian released security updates is a sign of the severity of the vulnerability. Businesses need to upgrade their Confluence servers as soon as possible to protect themselves from attack.