
State-linked hacker group continuously leveraging recently disclosed weakness in Atlassian's Confluence software

According to Microsoft researchers, a China-linked group has been exploiting a known weakness since mid-September.

Notorious state-linked hacker group targeting an important vulnerability in Atlassian Confluence software for malicious activities


In a concerning development for the cybersecurity community, a state-linked hacking group known as Storm-0062 has been identified as the perpetrator of a global hacking campaign. This group, linked to espionage campaigns, has been exploiting a critical zero-day vulnerability in Atlassian Confluence Data Center and Server, identified as CVE-2023-22515.

The vulnerability, which affects Confluence versions 8.0 and later, allows unauthenticated attackers to execute code remotely and bypass the system's security controls. The campaign, which targets high-value corporate and government networks worldwide, has been observed since September.

Storm-0062's hacking activities are state-sponsored, indicating government backing and resources. The group has been conducting wide-ranging attacks, exploiting the broken access control flaw in Confluence servers to gain unauthorized access and execute remote code, enabling espionage, data theft, and persistent intrusion.

Atlassian, the company behind Confluence, has prioritised the security of its customers' instances. It has released patches and advises upgrading to a fixed version, 8.3.3 or later. Network-layer restrictions, such as blocking the /setup/* endpoints, can also help mitigate exposure.

The severity of CVE-2023-22515 is critical, given Confluence's popularity in enterprises for collaboration and document management. The potential for widespread damage makes the Storm-0062 campaign a serious cybersecurity threat.

While no specific public details reveal Storm-0062’s exact country affiliation, their designation as state-linked indicates government origin or support. The ongoing global hacking efforts underscore the urgency for organisations to patch vulnerable Confluence instances promptly and monitor for related indicators of compromise.

Organisations using vulnerable Confluence applications are advised to upgrade immediately to a fixed version and to disconnect affected instances from the public internet until the upgrades are complete. Microsoft researchers have observed this exploitation since September 14, and the FBI declined to comment on the global hacking campaign.

It's important to note that the global hacking campaign is not directly connected to the exploitation of the Atlassian Confluence vulnerability by Storm-0062. However, the hackers in the global campaign have been observed searching for vulnerabilities in companies developing Covid-19 vaccines.

In 2020, the Department of Justice announced charges against an alleged hacker named Li Xiaoyu, who operated online under the name Oro0lxy. This threat actor, also known as DarkShadow, is linked to the global hacking campaign.

The global hacking campaign has targeted companies in the U.S., Japan, and across Europe for over a decade. The industries targeted include manufacturing, pharmaceuticals, civil and industrial engineering, and gaming. The hackers in the global campaign have allegedly extorted cryptocurrency from one victim by threatening to release stolen source code.

Researchers at Rapid7 and Imperva have confirmed the root cause of the vulnerability and seen at least 350,000 exploitation attempts since Atlassian first issued warnings about the vulnerability. These attacks have mainly targeted computing and financial services firms in the U.S., primarily originating from IP addresses in the U.S. and Germany.

Atlassian warned customers about the vulnerability on October 4. The company is collaborating with Microsoft and other experts to mitigate the situation. Microsoft had nothing more to add beyond the initial warnings posted about the global hacking campaign.

In conclusion, the ongoing global hacking campaign, led by Storm-0062, poses a significant threat to the security of high-value corporate and government networks worldwide. Organisations using vulnerable Confluence applications are urged to take immediate action to protect their systems and data.

  1. Threat intelligence gathered by cybersecurity experts warns of the significant cybersecurity threat posed by the ongoing global hacking campaign, perpetrated by Storm-0062, due to their exploitation of a critical zero-day vulnerability in Atlassian Confluence, namely CVE-2023-22515.
  2. To counteract this threat, it is crucial for organizations using vulnerable Confluence applications to immediately upgrade to a fixed version, keep up with threat intelligence on Storm-0062, and implement technology solutions that effectively mitigate potential attacks, such as network-layer restrictions like blocking /setup/* endpoints.
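As an added defender-side example (not code from the article, Atlassian or Microsoft), the following Python scans front-end access logs for requests under /setup/*, the path family the article says should be blocked at the network layer, and reports which of those requests the server did not reject. The log lines are constructed samples in Common Log Format, and the file names under /setup/ are placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Common Log Format: documentation IP ranges,
# and the file names under /setup/ are placeholders rather than real endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2023:10:01:12 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.7 - - [05/Oct/2023:10:02:03 +0000] "POST /setup/step1.action HTTP/1.1" 200 410
198.51.100.7 - - [05/Oct/2023:10:02:09 +0000] "GET /setup/finish.action HTTP/1.1" 200 230
192.0.2.44 - - [05/Oct/2023:10:03:00 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 8800
192.0.2.44 - - [05/Oct/2023:10:03:05 +0000] "GET /%73etup/step1.action?x=1 HTTP/1.1" 200 410
203.0.113.10 - - [05/Oct/2023:10:04:00 +0000] "GET /setup/step1.action HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def normalize_path(target):
    """Drop the query string, percent-decode twice (to catch double encoding) and
    collapse repeated slashes, so encoded spellings of /setup/... compare equal."""
    path = unquote(unquote(urlsplit(target).path))
    return re.sub(r'/+', '/', path).lower()

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = normalize_path(rec['target'])
    return rec

def find_setup_requests(log_text, blocked_prefix='/setup/'):
    """All requests whose normalized path falls under the prefix that should be blocked."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [r for r in recs if r and r['path'].startswith(blocked_prefix)]

def not_blocked(hits):
    """Flagged requests answered below 400: where /setup/* is meant to be blocked,
    these show the restriction is missing and the instance needs review."""
    return [h for h in hits if h['status'] < 400]

if __name__ == '__main__':
    hits = find_setup_requests(SAMPLE_LOG)
    for h in not_blocked(hits):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} -> {h['status']}")
```

On the constructed sample, the 403 response is the only /setup/* request the restriction actually stopped; the three 200 responses, including the percent-encoded one, are the ones worth triaging.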
