
Uncovering the Nation-State Actor Behind Confluence Zero-Day Attacks

Nation-State Threat Actor Linked to Confluence Zero-Day Attacks

Microsoft has recently shed light on the identity of the attackers behind the Confluence zero-day attacks. Following an investigation, it reports that the Advanced Persistent Threat (APT) group tracked as Storm-0062 is responsible. The activity has been attributed to a nation-state actor on the basis of several characteristics consistent with state-backed operations.

Storm-0062 APT Group Identified as the Actors

Microsoft identified Storm-0062 as the threat actor, noting that the group's established pattern of operation matches the one observed in the Confluence attacks. The China-based group has been breaking into Confluence installations since mid-September, roughly three weeks before Atlassian's public disclosure, a lead time that caused considerable alarm in the security community.

Exploited CVE-2023-22515 Before its Public Disclosure

Adding to the concern, the group reportedly exploited the Common Vulnerabilities and Exposures (CVE) entry CVE-2023-22515 before the vulnerability had been publicly disclosed. This indicates a high level of sophistication and foresight in their attack strategy: they found and exploited the Confluence flaw before patches could be developed and deployed.

Linked to China’s Ministry of State Security

Further investigations by Microsoft and independent security researchers have indicated ties between the Storm-0062 APT group and China's Ministry of State Security. This remarkable link further supports the theory that these Confluence attacks are a case of nation-state cyber espionage. However, the depth and specifics of the connection have not yet been disclosed, leaving many questions unanswered.

Vulnerability and its Exploitation

Adding to the severity of this incident is the nature of the vulnerability that was exploited and the disruption that followed. The attackers reportedly used an exploit that allowed them to create a Confluence administrator account, effectively gaining unrestricted access to the sensitive data held by the instance.

Exploit Allows Creation of a Confluence Administrator Account

Storm-0062 exploited a critical vulnerability in Confluence that gave them the ability to create an administrator account. With that level of access, they could leverage their privileges to cause further damage. Atlassian tracks this flaw as CVE-2023-22515.

Official Advisory from Microsoft to Upgrade Confluence

In response to this growing threat, Microsoft has advised Confluence users to swiftly upgrade their software installations to versions 8.3.3, 8.4.3, or 8.5.2 or the latest version available. This upgrade will ensure that the software is patched and protected from this specific vulnerability that the APT group targeted.

Warning by Atlassian That Upgrading Won’t Remove an Existing Compromise

Atlassian has issued a cautionary note to its users citing that while an upgrade is a crucial step in securing the software, it does not guarantee the removal of any existing compromise. If the attackers have already compromised the system before the upgrade, they could still maintain illegitimate access, despite the software being updated.

Indicators of Compromise as Listed by Atlassian

Atlassian has also listed several indicators of compromise to help its users detect any intrusion. Some identifiable signs include unexplained creation of admin accounts, unexpected system modifications, and unusual network traffic. This step is commendable as it allows users to have a better understanding of the threats they face and to take timely corrective measures.
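The two actionable points in the sections above, the fixed versions to upgrade to and the "unexplained creation of admin accounts" indicator, can be turned into a small triage routine. The following is an added example written for this page; it is not code from Atlassian or Microsoft. It assumes the operator has exported Confluence user records with their group memberships and creation timestamps (the records below are constructed sample data, not real indicators), that the default admin group name `confluence-administrators` is in use, and it takes "mid-September" to mean 2023-09-14 UTC as the start of the exploitation window. Version branches not named in the advisory are reported as unknown rather than guessed.

```python
"""Added triage helper for the Confluence advisory described above.
Not Atlassian's or Microsoft's code; sample user records are constructed."""
from datetime import datetime, timezone

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}


def parse_version(text):
    """Turn '8.5.1' into (8, 5, 1); reject anything that is not three ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(version_text):
    """Return (patched, reason). patched is True/False for branches the
    advisory lists, and None for branches it does not (assumption: the
    operator consults vendor guidance for those instead of guessing)."""
    v = parse_version(version_text)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return (None, "branch not listed in advisory; check vendor guidance")
    fixed_text = ".".join(map(str, fixed))
    if v >= fixed:
        return (True, f"{version_text} >= fixed {fixed_text}")
    return (False, f"{version_text} < fixed {fixed_text}")


# Assumption: "mid-September" read as 2023-09-14 UTC.
WINDOW_START = datetime(2023, 9, 14, tzinfo=timezone.utc)

# Default Confluence administrator group name (assumption: not renamed).
ADMIN_GROUP = "confluence-administrators"

# CONSTRUCTED sample export of user records: username, groups, created (UTC).
SAMPLE_USERS = [
    {"username": "alice", "groups": [ADMIN_GROUP, "confluence-users"],
     "created": "2021-03-02T09:12:00Z"},
    {"username": "bob", "groups": ["confluence-users"],
     "created": "2023-09-20T11:00:00Z"},
    {"username": "svc-backup", "groups": [ADMIN_GROUP],
     "created": "2023-09-18T03:41:07Z"},
    {"username": "admin2", "groups": [ADMIN_GROUP],
     "created": "2023-10-01T22:15:30Z"},
]

# Baseline of admin accounts the operator knows to be legitimate (constructed).
KNOWN_ADMINS = {"alice"}


def suspicious_admins(users, known_admins, window_start=WINDOW_START):
    """Return usernames that hold the admin group, are not in the baseline,
    and were created on or after window_start, sorted for stable output."""
    hits = []
    for u in users:
        if ADMIN_GROUP not in u["groups"] or u["username"] in known_admins:
            continue
        created = datetime.fromisoformat(u["created"].replace("Z", "+00:00"))
        if created >= window_start:
            hits.append(u["username"])
    return sorted(hits)


def triage(version_text, users=SAMPLE_USERS, known_admins=KNOWN_ADMINS):
    """Combine the patch-level check with the admin-account indicator."""
    patched, reason = is_patched(version_text)
    return {
        "patched": patched,
        "reason": reason,
        "unexpected_admins": suspicious_admins(users, known_admins),
    }


if __name__ == "__main__":
    for ver in ("8.5.1", "8.5.2", "8.4.3", "8.2.0"):
        print(ver, is_patched(ver))
    print(triage("8.5.1"))
```

A non-empty `unexpected_admins` list on an instance that reports `patched: True` is exactly the case the Atlassian warning above describes: the upgrade closed the hole, but an account created through it may still be present, so the finding should be handled as a live compromise rather than closed out on the strength of the version number.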

Response from Atlassian

In the wake of the security compromise attributed to the Storm-0062 APT group, Atlassian has had to take prompt, decisive measures to secure their Confluence software. From releasing urgent patches to advising customers, the company has been on high alert to mitigate damage caused by these cyber-attacks.

Urgent Patch Released and its Announcement

Atlassian took swift action by releasing an urgent patch to fix the vulnerability within the Confluence software. The patch was announced shortly after the company confirmed that a few customers had been hit by exploits capitalizing on the remotely exploitable flaw in Confluence Data Center and Server products.

Advisory for Customers to Immediately Disconnect Compromised Instances

Advising its customers further on stemming the damage, Atlassian recommended that customers immediately disconnect compromised instances from their network. This move is to prevent lateral movement, whereby the hackers might spread from the compromised Confluence server to other systems on the network.

Known History of Atlassian Software Being Targeted by Cybercriminals and State-Sponsored Actors

This is not the first time Atlassian software has found itself in the crosshairs of cybercriminals and state-sponsored actors. The popularity and widespread use of Atlassian's products such as Jira and Confluence make them lucrative targets for hackers looking to gain unauthorized access to sensitive information.

Other Related Security News

Amidst the worry heightened by the Confluence zero-day attacks, the cybersecurity world is battling numerous other significant threats. From new vulnerabilities in widely used software to an increase in politically-motivated cyberattacks, the landscape is remarkably active.

Vulnerability in cURL Posing Risk to Enterprise Systems

A new vulnerability in cURL, the widely used data-transfer tool, described by its maintainer as probably the worst in the project's history, poses a potentially significant risk to enterprise systems. Security patches for this issue are currently being prepared to help protect affected systems against misuse.

Largest DDoS Attacks in History Using 'HTTP/2 Rapid Reset' Zero-Day

Simultaneously, the cybersecurity community has observed the largest DDoS attacks in history; these were launched using an exploited 'HTTP/2 Rapid Reset' zero-day. Hackers have been able to cripple systems with an overwhelming flood of traffic like never before.

Rise in Cyberattacks Amid Israel-Hamas War

The current political situation appears to be influencing the cybersecurity landscape as well. The Israel-Hamas war has seen a rise in disruptive cyberattacks, showing that conflicts are likely to extend into the digital realm alongside their physical counterparts.

Recent Cyber Vulnerabilities of TagDiv Plugin, Gnome, and Adobe Acrobat

Recent vulnerabilities have been recorded in a number of widely used products, including the TagDiv plugin used on WordPress sites, GNOME on Linux systems, and Adobe Acrobat. These vulnerabilities have allowed attackers to compromise systems and have put data security at significant risk.

Reactionary Times News Desk
