Microsoft says Chinese state-backed hackers are exploiting a “critical”-rated zero-day vulnerability in Atlassian software to break into customer systems.
The technology giant’s threat intelligence team said in a post on X, formerly Twitter, that it has observed a nation-state threat actor it calls Storm-0062 exploiting a recently disclosed critical flaw in Atlassian Confluence Data Center and Server. Microsoft has previously identified Storm-0062 as a China-based state-sponsored hacker.
Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy.
— Microsoft Threat Intelligence (@MsftSecIntel) October 10, 2023
Microsoft said it observed in-the-wild abuse of the maximum rated 10.0 vulnerability, tracked as CVE-2023-22515, since September 14, some three weeks before Atlassian’s public disclosure on October 4. A bug is considered a zero-day when the vendor — in this case Atlassian — has zero time to fix the bug before it is exploited.
Atlassian updated its advisory this week to confirm it has “evidence to suggest that a known nation-state actor” is exploiting the bug, which the company says could allow a remote attacker to create unauthorized administrator accounts to access Confluence servers.
Atlassian’s Confluence is a widely popular collaborative wiki system used by corporations around the world to organize and share work.
When asked by TechCrunch, Atlassian spokesperson Ana Keltchina declined to say whether the company’s own findings link this exploitation to China, but said the company is “working very closely with Microsoft on this.” Atlassian declined to comment on how many of the company’s customers had been compromised as a result of this vulnerability, or whether the company had seen any evidence of data theft.
Atlassian’s advisory states that the company has so far received reports from a “handful of customers.” It’s not clear if the company yet knows the scale of customer exploitation. When asked whether Atlassian was able to determine whether a customer environment has been compromised, the spokesperson declined to comment.
“Our priority is the security of our customers’ instances during this critical vulnerability, and we are collaborating with industry-leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability,” the spokesperson said. “This is an ongoing investigation, and we encourage customers to share evidence of compromise to support these efforts.”
Atlassian, which notes that the vulnerability impacts only on-premises instances of Confluence Data Center and Confluence Server, has released a patch for the flaw, and is urging users to upgrade as soon as possible.
Microsoft won’t say if its products were exploited by spyware zero-days
Comment