Nation-State Threat Actor Storm-0062 Exploiting Confluence Zero-Day Vulnerability — Microsoft’s Detection and Atlassian’s Response

Microsoft recently made a troubling discovery when it detected the presence of the nation-state threat actor Storm-0062, also known as DarkShadow or Oro0lxy, actively exploiting a significant vulnerability called CVE-2023-22515 in the wild. This alarming development has raised serious concerns within the cybersecurity community since the attacks have been ongoing since September 14, 2023. In this article, we will delve into the details of this exploit and shed light on Atlassian’s response to ensure the safety of Confluence Data Center and Server instances.

Description of vulnerability

The vulnerability in question, CVE-2023-22515, has gained significant attention as it was publicly disclosed on October 4, 2023. This particular vulnerability is a Confluence zero-day, meaning that it was previously unknown and has not yet been patched by its developers. Atlassian, the company behind Confluence, has launched an investigation following reports from a few customers who have experienced potential exploitation. The vulnerability allows unauthorized access to publicly accessible Confluence Data Center and Server instances, enabling the creation of unapproved administrator accounts.

Active exploitation reports

Reports from Netlas, a well-known cybersecurity firm, have revealed that the vulnerability has been actively exploited in real-world scenarios. This information highlights the urgency of the situation and the critical need to address the Confluence zero-day vulnerability promptly. Further examination of the exploit traffic has led to the identification of four IP addresses linked to the transmission of the malicious code.

1. 192.69.90.31
2. 23.105.208.154
3. 199.193.127.231

Severity of vulnerability

Atlassian has classified the CVE-2023-22515 vulnerability as critical, indicating its potential for significant harm and widespread damage. The severity of the vulnerability is emphasized by its Common Vulnerability Scoring System (CVSS) score of 10, which is the highest possible score based on Atlassian’s severity levels. This rating underscores the urgent need for users to take immediate action to protect their systems and prevent unauthorized access.

To ensure users are informed and able to safeguard their Confluence installations, it is crucial to understand which versions are affected by the CVE-2023-22515 vulnerability. The following versions of Confluence Data Center and Confluence Server are known to be vulnerable to exploitation:

– Confluence Data Center: 8.0.0, 8.5.0, 8.5.1
– Confluence Server: 8.0.0, 8.5.0, 8.5.1

Thankfully, Atlassian has acted swiftly to address this security concern. The company has released updates and patches to fix the CVE-2023-22515 vulnerability. Users are advised to update their Confluence installations to the following fixed versions:

– Confluence Data Center: 8.3.3 or later, or 8.5.2 (Long-Term Support release) or later.
– Confluence Server: 8.3.3 or later, or 8.5.2 (Long-Term Support release) or later.

Confirmation of issue reproduction

The seriousness of the vulnerability has been further validated by the PT Swarm team, who successfully managed to reproduce the issue. This confirmation underscores the critical nature of the exploit and calls for immediate action from Confluence users to safeguard their systems.

The nation-state threat actor Storm-0062, also known as DarkShadow or Oro0lxy, exploits the Confluence zero-day vulnerability CVE-2023-22515, which has raised significant concerns within the cybersecurity community. Microsoft’s detection of ongoing attacks highlights the urgent need to promptly address this vulnerability. Atlassian, the developer of Confluence, has responded to the situation by investigating the potential exploitation and urging users to update their installations to the fixed versions. It is essential for users to stay vigilant, apply necessary updates, and follow best practices to mitigate the risks associated with this exploit. By doing so, we can safeguard our systems and protect against unauthorized access and potential harm.

Explore more