Microsoft has reported that Chinese state-backed hackers are utilizing a zero-day vulnerability rated as “critical” within Atlassian software in order to infiltrate customer systems.
The tech company’s threat intelligence team announced on X (formerly Twitter) that it had detected a nation-state threat actor it tracks as Storm-0062 exploiting a recently disclosed critical security flaw in Atlassian Confluence Data Center and Server. Microsoft had previously attributed Storm-0062 to the Chinese government.
Microsoft reported that it has observed active in-the-wild exploitation of the vulnerability, tracked as CVE-2023-22515 and carrying the maximum CVSS rating of 10.0, since September 14.
That is roughly three weeks before Atlassian’s public disclosure on October 4. A vulnerability is called a zero-day when it is exploited before the vendor, in this case Atlassian, has a fix available for it.
Critical Security Advisory and Response from Atlassian
Atlassian recently updated its advisory, confirming that there is “evidence to suggest that a known nation-state actor” is taking advantage of this vulnerability. According to the company, the flaw allows a remote attacker to create unauthorized Confluence administrator accounts and use them to access Confluence instances.
Confluence, developed by Atlassian, is a widely used collaborative wiki system employed by businesses worldwide for organizing and sharing work.
Atlassian has not disclosed how many of its customers are affected, nor whether it has seen any evidence of data theft resulting from the flaw. An Atlassian spokesperson said, however, that the company is working closely with Microsoft on the matter.
Atlassian’s advisory says the company has so far received reports from a “small number of customers”. The extent of customer exploitation remains uncertain: asked whether Atlassian has been able to determine that any customer environments were compromised, the spokesperson declined to answer.
The spokesperson says, “Our top priority is ensuring the security of our customers’ instances in light of this critical vulnerability. We are actively collaborating with industry-leading threat intelligence partners, including Microsoft, to gather additional information that can assist customers in addressing the vulnerability. This investigation is ongoing, and we encourage customers to share any evidence of compromise to support these efforts.”
Atlassian specifies that the vulnerability exclusively affects on-premises instances of Confluence Data Center and Confluence Server. The company has issued a patch for this flaw and strongly advises users to promptly upgrade their systems.
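For an operator who has to act on this, the checks below turn the advisory’s guidance into something runnable. This is an added example, not code from the article, Atlassian or Microsoft. The indicators it looks for (requests to /setup/*.action in access logs, /setup/setupadministrator.action appearing in an exception message in atlassian-confluence-security.log, and unexpected members of the confluence-administrators group) and the affected version ranges (8.0.0 up to the fixed releases 8.3.3, 8.4.3 and 8.5.2) are taken from Atlassian’s public advisory for CVE-2023-22515; the combined access-log format, the sample log lines and the user names are constructed assumptions for illustration only.

```python
"""Triage helpers for CVE-2023-22515 on a Confluence Data Center/Server host.

Added example (not Atlassian's or Microsoft's code). Indicator paths and version
ranges come from Atlassian's public advisory; log format and sample data are assumed.
"""
import re

# Combined/NCSA access-log line: client IP, ident, user, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Any /setup/<...>.action request, with or without a context path such as /confluence.
# These endpoints are only legitimate during first-time setup of an instance.
SETUP_ACTION_RE = re.compile(r'^(?:/[^/?]+)?/setup/[^?]*\.action(?:\?.*)?$')
SETUP_ADMIN_ACTION = '/setup/setupadministrator.action'


def find_setup_requests(access_log: str) -> list[dict]:
    """Return every request to a /setup/*.action endpoint found in an access log."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and SETUP_ACTION_RE.match(m['path']):
            hits.append({k: m[k] for k in ('ip', 'ts', 'method', 'path', 'status')})
    return hits


def find_setup_admin_exceptions(security_log: str) -> list[str]:
    """Return atlassian-confluence-security.log lines that mention the setup-admin action."""
    return [line for line in security_log.splitlines() if SETUP_ADMIN_ACTION in line]


def unexpected_admins(current_members, baseline_members) -> list[str]:
    """Members of confluence-administrators that are absent from a known-good baseline."""
    return sorted(set(current_members) - set(baseline_members))


def is_affected_version(version: str) -> bool:
    """True if a Confluence DC/Server version is in the affected range for CVE-2023-22515:
    8.0.0 and later, excluding the fixed releases 8.3.3+, 8.4.3+ and 8.5.2+ (per the advisory)."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', version.strip())
    if not m:
        raise ValueError(f'unrecognised version string: {version!r}')
    v = tuple(int(p or 0) for p in m.groups())
    if v < (8, 0, 0) or v >= (8, 5, 2):
        return False
    if (8, 3, 3) <= v < (8, 4, 0) or (8, 4, 3) <= v < (8, 5, 0):
        return False
    return True


def triage(access_log, security_log, current_admins, baseline_admins, version):
    """Run all checks and combine them; any non-empty indicator warrants incident response."""
    report = {
        'affected_version': is_affected_version(version),
        'setup_requests': find_setup_requests(access_log),
        'setup_admin_exceptions': find_setup_admin_exceptions(security_log),
        'unexpected_admins': unexpected_admins(current_admins, baseline_admins),
    }
    report['suspected_compromise'] = any(
        report[k] for k in ('setup_requests', 'setup_admin_exceptions', 'unexpected_admins')
    )
    return report


# Constructed sample data, not real logs. 203.0.113.7 / 198.51.100.22 are documentation addresses.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Sep/2023:09:12:01 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.22 - jdoe [14/Sep/2023:09:12:02 +0000] "GET /dashboard.action HTTP/1.1" 200 22980 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Sep/2023:09:12:03 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.22 - jdoe [14/Sep/2023:09:13:10 +0000] "GET /rest/api/content/12345 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.22 - jdoe [14/Sep/2023:09:13:11 +0000] "GET /admin/setup-public-signup.action HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
"""
SAMPLE_SECURITY_LOG = """\
2023-09-14 09:12:03,117 WARN [http-nio-8090-exec-4] [confluence.setup.actions.SetupAdministratorAction] doDefault ...
2023-09-14 09:12:03,118 WARN [http-nio-8090-exec-4] java.lang.IllegalStateException: request to /setup/setupadministrator.action after setup completed
2023-09-14 09:20:00,001 INFO [http-nio-8090-exec-2] [atlassian.confluence.security] login succeeded for jdoe
"""

if __name__ == '__main__':
    result = triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG,
                    current_admins=['admin', 'jdoe', 'confluence-svc'],
                    baseline_admins=['admin', 'jdoe'], version='8.5.1')
    for key, value in result.items():
        print(f'{key}: {value}')
```

The access-log check is the cheapest one to run fleet-wide, because the only legitimate time a Confluence instance serves /setup/*.action is during first-time setup; on a long-running instance any such request is worth an incident ticket regardless of the response code. The unexpected-admin check depends on having recorded a baseline of the confluence-administrators group before the exploitation window, and the version check is only a substitute for reading the current advisory, whose fixed-version list should be treated as authoritative.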
In summary, Microsoft has disclosed that Chinese state-backed hackers are exploiting a critical zero-day vulnerability in Atlassian Confluence Data Center and Server. Atlassian has confirmed the exploitation, urged customers to upgrade immediately, and is working with Microsoft as the investigation into the extent of the compromise continues.