SECRY – Microsoft Warns of Active Nation-State Attacks
On October 11, 2023, Microsoft warned that nation-state hackers are actively exploiting a critical vulnerability in Atlassian Confluence. The vulnerability, tracked as CVE-2023-22515, is a remotely exploitable privilege escalation issue affecting on-prem instances of Confluence Server and Data Center.
Microsoft said that it has observed nation-state actor Storm-0062 (aka DarkShadow or Oro0lxy) exploiting CVE-2023-22515 in the wild since September 14, 2023. Storm-0062 is a known Chinese state-sponsored hacking group that has been linked to a number of high-profile attacks, including the SolarWinds hack and the Microsoft Exchange hack.
Active Exploitation since September 14, 2023
The technology company’s threat intelligence team reported that it has detected active exploitation of the vulnerability in the wild since September 14, 2023.
In a series of posts on X (formerly Twitter), the company stated, “CVE-2023-22515 is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server. Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to establish a Confluence administrator account within the application.”
Atlassian has released a patch for CVE-2023-22515, and Microsoft is urging organizations to upgrade to the latest version of Confluence as soon as possible. Microsoft is also recommending that organizations implement additional security measures, such as enabling multi-factor authentication and using strong passwords.
Vulnerable and Fixed Versions for CVE-2023-22515
CVE-2023-22515, with a CVSS severity rating of 10.0, enables remote attackers to establish unauthorized Confluence administrator accounts and gain access to Confluence servers. The vulnerability has been fixed in the following versions:
- Version 8.3.3 and later
- Version 8.4.3 and later
- Version 8.5.2 (Long Term Support release) and later
While the precise extent of the attacks remains unclear, Atlassian indicated that it was alerted to the issue by “a small number of customers,” suggesting that it had been exploited as a zero-day by the threat actor.
Here is a more detailed explanation of the CVE-2023-22515 vulnerability
CVE-2023-22515 is a privilege escalation vulnerability that allows attackers to gain elevated privileges on Atlassian Confluence servers. The vulnerability is caused by a flaw in the way that Confluence handles certain types of requests.
To exploit the vulnerability, an attacker would need to send a specially crafted request to a Confluence server. If the request is successful, the attacker would be able to gain elevated privileges on the server. This would allow the attacker to install malware, steal data, or disrupt operations.
Here are some tips for mitigating the risk of CVE-2023-22515 attacks:
- Upgrade to the latest version of Confluence. Atlassian has released a patch for CVE-2023-22515, so it is important to upgrade to the latest version of Confluence as soon as possible.
- Enable multi-factor authentication (MFA). MFA adds an extra layer of security to your Confluence account by requiring a second factor, such as a code from your phone, in addition to your password when logging in.
- Use strong passwords. Use strong, unique passwords for all of your Confluence accounts. Avoid using easily guessable passwords, such as your name, birthday, or common words.
- Monitor your Confluence servers for suspicious activity. Watch for unusual login attempts, unexpected administrator accounts, or changes to files or settings.
By following these tips, you can help to protect your Confluence servers from CVE-2023-22515 attacks and other security threats.
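As an added example, not code from the article, Microsoft or Atlassian, the following Python script turns two of the points above into checks a defender can run: whether a Confluence Server or Data Center version predates the fixed releases listed above, and whether the administrator list contains accounts outside a known-good baseline or created on or after September 14, 2023, the exploitation start date Microsoft reported. The administrator export and baseline are constructed sample data; a real run would feed in a user export from the instance.

```python
from datetime import date

# Fixed releases named in the article, keyed by release line.
FIXED_VERSIONS = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
EXPLOITATION_START = date(2023, 9, 14)  # first in-the-wild exploitation reported

def parse_version(text):
    """'8.5.1' -> (8, 5, 1); a suffix such as '8.5.2-LTS' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def needs_upgrade(version_text):
    """True when the running version predates the fix for its release line.
    Lines older than 8.3 have no fixed release listed in the article, so they
    fall back to the 8.3.3 threshold and are flagged; 8.6+ counts as fixed.
    """
    v = parse_version(version_text)
    return v < FIXED_VERSIONS.get(v[:2], (8, 3, 3))

def audit_admins(admins, baseline, since=EXPLOITATION_START):
    """Return (username, reason) pairs for administrator accounts to review.
    admins:   dicts with 'username' and 'created' (datetime.date) taken from
              an administrator-group export (constructed inline below).
    baseline: usernames known to be administrators before the window.
    """
    flagged = []
    for acct in admins:
        reasons = []
        if acct["username"] not in baseline:
            reasons.append("not in baseline")
        if acct["created"] >= since:
            reasons.append(f"created {acct['created']}, on/after {since}")
        if reasons:
            flagged.append((acct["username"], "; ".join(reasons)))
    return flagged

# Constructed sample data standing in for a real administrator-group export.
SAMPLE_ADMINS = [
    {"username": "jdoe", "created": date(2021, 3, 2)},
    {"username": "svc-backup", "created": date(2022, 11, 9)},
    {"username": "admn", "created": date(2023, 9, 20)},
]
SAMPLE_BASELINE = {"jdoe", "svc-backup"}

if __name__ == "__main__":
    for ver in ("8.5.1", "8.5.2", "8.4.3", "8.2.0"):
        print(ver, "needs upgrade" if needs_upgrade(ver) else "fixed")
    for user, why in audit_admins(SAMPLE_ADMINS, SAMPLE_BASELINE):
        print(f"REVIEW {user}: {why}")
```

Any account the audit flags should be verified against change records, not deleted on sight, because a legitimate administrator added during the window will also trip the date check.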
Microsoft has also released a guidance document for organizations that are affected by the CVE-2023-22515 vulnerability. The guidance document provides information on how to detect if your Confluence server has been exploited, how to remediate the vulnerability, and how to mitigate the risk of future attacks.
The guidance document can be found at the following link:
Microsoft Security Guidance on CVE-2023-22515: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-28222