
Chinese APT Tied to Atlassian Confluence Attacks: Microsoft Exposes the Source


China-Sponsored APT Storm-0062 Responsible for Exploitation of Atlassian Confluence Bug

Recently, Microsoft announced that a China-sponsored advanced persistent threat (APT) known as Storm-0062 has been identified as responsible for the exploitation of a critical bug in Atlassian Confluence Server and Confluence Data Center. The vulnerability, tracked as CVE-2023-22515, was initially disclosed as a privilege escalation problem but is now understood to enable code execution. It has received a severity ranking of 10 out of 10 on the CVSS vulnerability-severity scale.

Proof-of-Concept Exploits and Mass Exploitation

Proof-of-concept exploits for the Atlassian Confluence bug are now available, indicating the potential for mass exploitation. Microsoft has provided additional details on the zero-day campaign, stating that it has been active since September 14. The company identified four IP addresses involved in sending exploit traffic related to CVE-2023-22515. Furthermore, Microsoft highlighted that any device with a network connection to a vulnerable application can exploit the bug to create a Confluence administrator account within the application.

Storm-0062 APT and Chinese State Hackers

The Storm-0062 APT, also known as DarkShadow or Oro0lxy, is sponsored by the Chinese government. Microsoft has identified the individuals responsible for the APT as Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for targeting companies involved in COVID-19 vaccine development and testing technology. Li Xiaoyu and Dong Jiazhi have a history of state-sponsored hacking dating back to 2009. Microsoft's annual Digital Defense Report highlights that Chinese state-sponsored campaigns typically target US defense and critical infrastructure, nations bordering the South China Sea, and China's strategic partners.

Editorial: The Risk of Software Supply Chain Attacks

The exploitation of the Atlassian Confluence bug by the Storm-0062 APT highlights the risk of software supply chain attacks. Confluence collaboration environments often contain sensitive data on internal projects, customers, and partners. Intruders can leverage this vulnerability to gain unauthorized access to organizations and potentially launch follow-on attacks on third parties.

Tom Kellermann, a senior vice president of cyber strategy at Contrast Security, notes that this zero-day exploit allows the Chinese cyber spies to use Confluence as an attack vector into multiple organizations. Kellermann warns of potential mass exploitation waves, as there are now public road maps available for leveraging this vulnerability. He further emphasizes that Confluence has been popular among cybercriminals in the past.

The People’s Liberation Army of China possesses a vast cyber-spy network, which focuses on acquiring zero-day vulnerabilities. Kellermann argues that while this vulnerability initially required an APT to exploit, the disclosure of details may lead to mass compromises.

Protective Measures and Recommendations

To protect themselves from the Storm-0062 APT and potential exploitation of the Atlassian Confluence bug, organizations should take immediate action. Microsoft advises organizations with vulnerable Confluence applications to upgrade to a fixed version (8.3.3, 8.4.3, or 8.5.2 or later) as soon as possible. Additionally, organizations should isolate vulnerable Confluence applications from the public Internet until they can be upgraded.

Beyond patching, businesses must increase their threat hunting efforts to identify any evidence of the Storm-0062 APT. Deploying runtime security measures is also crucial to mitigating exploitation and zero-day attacks. It is imperative that organizations take these steps to safeguard their systems and sensitive data.
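The two checks below put the recommendations above into practice. They are an added example, not code from the article, Microsoft or Atlassian: one tells a defender whether a Confluence version is at or beyond the fixed releases the article lists (8.3.3, 8.4.3, 8.5.2 or later), and the other hunts a user export for administrator accounts created on or after the September 14 campaign start that nobody approved. The user-export format, the 2023 year for that date, and the sample accounts are assumptions made for illustration.

```python
"""Added defender checks for CVE-2023-22515 (not the article's own code).
The user-export field names below are an assumption, not a real
Confluence export format; the sample accounts are constructed."""
from datetime import date

# Minimum fixed release per 8.x minor line, as stated in the article.
FIXED_BY_MINOR = {3: (8, 3, 3), 4: (8, 4, 3), 5: (8, 5, 2)}


def parse_version(text):
    """Turn '8.5.2' into (8, 5, 2); missing components default to 0."""
    nums = tuple(int(p) for p in text.strip().split(".")[:3])
    return nums + (0,) * (3 - len(nums))


def is_fixed_version(text):
    """True if the version is one of the fixed releases or newer.
    Versions outside the 8.3-8.5 lines and below 8.6 are not covered by
    the article's fixed list, so they are reported as not fixed here
    (treat that as 'consult the vendor advisory')."""
    major, minor, patch = parse_version(text)
    if major > 8 or (major == 8 and minor > 5):
        return True  # later than 8.5.2, which the article marks fixed
    if major == 8 and minor in FIXED_BY_MINOR:
        return (major, minor, patch) >= FIXED_BY_MINOR[minor]
    return False


# Campaign active since September 14 per Microsoft; the year is assumed.
CAMPAIGN_START = date(2023, 9, 14)


def suspicious_admin_accounts(accounts, approved, since=CAMPAIGN_START):
    """Return admin usernames created on/after `since` not on the approved list.
    The bug lets an attacker create a Confluence administrator account, so
    unexplained new admins are the first thing to hunt for."""
    hits = []
    for acct in accounts:
        created = date.fromisoformat(acct["created"])
        if acct["admin"] and created >= since and acct["user"] not in approved:
            hits.append(acct["user"])
    return hits


# Constructed sample data: one legitimate admin, one pre-campaign admin,
# one non-admin, and one unexplained admin created after the campaign start.
SAMPLE_ACCOUNTS = [
    {"user": "jane.doe", "admin": True, "created": "2023-09-20"},
    {"user": "old.admin", "admin": True, "created": "2022-01-10"},
    {"user": "bob", "admin": False, "created": "2023-09-25"},
    {"user": "svc_backup2", "admin": True, "created": "2023-09-16"},
]
APPROVED_ADMINS = {"jane.doe", "old.admin"}
```

Run the hunt against a real export by mapping its columns onto the `user`, `admin` and `created` fields, and feed `is_fixed_version()` the version string shown in the Confluence administration console.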
