Atlassian Confluence vulnerability exploited in active hacks by nation state groups

published: Oct. 11, 2023

Take action: If you haven't been sufficiently motivated to patch your Confluence Server/Datacenter, we hope this particular report gives you the extra needed push. Implement mitigation reconfiguration or block the server from internet access immediately. Then start patching and checking for surprise admins already created.

Learn More

Microsoft's researchers have identified that a known nation-state threat actor is exploiting a zero-day vulnerability in Atlassian’s Confluence Data Center and Server products. The malicious activity started on September 14, 2023, three weeks before Atlassian publicly disclosed the issue. The threat actor in question is called Storm-0062, also known by other names such as DarkShadow or Oro0lxy. There are indications that Storm-0062 has ties to China’s Ministry of State Security, a state intelligence agency.

The vulnerability, labeled as CVE-2023-22515, is a critical privilege escalation issue. Devices connected to the vulnerable application can exploit this flaw to create an unauthorized Confluence administrator account. It is particularly dangerous for instances on the public internet as they can be exploited anonymously. If a system is already compromised, simply upgrading will not eliminate the threat.

Atlassian has urged businesses to inspect affected Confluence instances for signs of compromise, such as unexpected members in the administrator group, new user accounts, and specific requests in network access logs. If a compromise is detected, it is advised to disconnect the affected server from the network immediately. Atlassian has provided patches for this vulnerability in versions 8.3.3, 8.4.3, 8.5.2, or later.

Atlassian Confluence vulnerability exploited in active hacks by nation state groups