
Chinese APT Group Exploiting Atlassian Zero-Day

Microsoft Says Campaign Exploiting Escalation Flaw Began in September

A Chinese nation-state hacking group is exploiting a zero-day flaw in Atlassian's Confluence Data Center and Server products as part of a campaign first spotted in mid-September, Microsoft researchers say.

In an alert on Tuesday, Microsoft Threat Intelligence attributes the campaign to a Chinese nation-state hacking group the computing giant designates Storm-0062. The group is also known as DarkShadow and Oro0lxy.

The warning says the hackers use the now-patched flaw, tracked as CVE-2023-22515, to create Confluence administrator accounts. The flaw has a CVSS score of 10 out of 10.

Atlassian earlier this month acknowledged that a "handful of customers" have been targeted in the hack using the zero-day (see: Attackers Exploiting Atlassian Confluence Software Zero-Day).

"Atlassian Cloud sites are not affected by this vulnerability," the company said at the time, adding that its cloud versions prior to 8.0.0 accessible via the domain have not been impacted.

Atlassian attributed the hack to a nation-state group but did not disclose further details.

Details of Storm-0062 are sparse. The computing giant said the hacking group's attacks against Atlassian began on Sept. 14, with the researchers tracking down at least four malicious domains tied to the campaign.

More than one cybersecurity company has noted mounting sophistication of Chinese hackers, a development both Microsoft and CrowdStrike attribute to a law requiring mandatory disclosure of vulnerability reports to Beijing. The disclosure requirement "is effectively crowdsourcing vulnerability research in China," CrowdStrike Vice President Adam Meyers told Information Security Media Group earlier this year (see: Chinese State Hackers Level Up Their Abilities: CrowdStrike).

Atlassian did not immediately respond to a request for a comment. "Atlassian cannot confirm if your instances have been affected by this vulnerability," the company said in its initial update.

It added that evidence of compromise includes the addition of new Confluence administrators, the creation of new accounts within the application, and requests for network access from external sources.
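The three indicators Atlassian lists above (new administrators, new accounts, and access requests from external sources) can be checked mechanically against an application audit trail. The following is an added example, not code from Atlassian, Microsoft or the article; the event records are constructed for illustration, and their field names (`action`, `actor`, `target`, `group`, `src_ip`), the group name `confluence-administrators`, the known-administrator list and the choice of RFC 1918 ranges as "internal" are all assumptions that would need to be mapped onto a real deployment's log format and network.

```python
import ipaddress

# Constructed sample events (NOT real Confluence audit-log output). The field
# names are assumptions for this example; map them to your own log schema.
SAMPLE_EVENTS = [
    {"ts": "2023-09-14T02:11:07Z", "action": "user_created", "actor": "setup",
     "target": "svc-backup", "src_ip": "198.51.100.23"},
    {"ts": "2023-09-14T02:11:09Z", "action": "group_member_added", "actor": "setup",
     "target": "svc-backup", "group": "confluence-administrators",
     "src_ip": "198.51.100.23"},
    {"ts": "2023-09-14T09:30:00Z", "action": "user_created", "actor": "jane.admin",
     "target": "new.hire", "src_ip": "10.0.4.17"},
    {"ts": "2023-09-14T09:31:00Z", "action": "page_viewed", "actor": "new.hire",
     "target": "HR/Welcome", "src_ip": "10.0.4.17"},
]

ADMIN_GROUP = "confluence-administrators"   # assumed name of the admin group
KNOWN_ADMINS = {"jane.admin"}                # assumed: the org's expected admins

# Assumption: anything outside these ranges counts as an "external source".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_external(ip):
    """True if the source address is not in an internal range (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable source is worth surfacing, not hiding
    return not any(addr in net for net in INTERNAL_NETS)


def find_indicators(events, known_admins=KNOWN_ADMINS):
    """Flag events matching the compromise indicators Atlassian described.

    Returns one finding per matching event with the reasons it was flagged and
    a severity: "high" when the actor is unexpected or the request came from
    outside, "review" for account changes by known admins from inside.
    """
    findings = []
    for e in events:
        reasons = []
        if e["action"] == "user_created":
            reasons.append("new account created")
        if e["action"] == "group_member_added" and e.get("group") == ADMIN_GROUP:
            reasons.append("new Confluence administrator")
        if not reasons:
            continue  # only account/admin changes are of interest here
        severity = "review"
        if e["actor"] not in known_admins:
            reasons.append(f"actor {e['actor']!r} is not a known administrator")
            severity = "high"
        if is_external(e["src_ip"]):
            reasons.append(f"request from external source {e['src_ip']}")
            severity = "high"
        findings.append({"ts": e["ts"], "target": e["target"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['target']}: " + "; ".join(f["reasons"]))
```

Run against the constructed events, the two `setup`-driven changes from the external address surface as high-severity findings, while the routine account creation by a known administrator from inside the network is reported for review only. In practice the value comes from running this over the full audit history back to the start of the exposure window rather than only recent entries.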

About the Author

Akshaya Asokan


Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
