Microsoft Identifies China-Based State-Sponsored Hacker Group Storm-0062 as Exploiters of CVE-2023-22515
In a recent post on X, formerly Twitter, Microsoft’s threat intelligence team announced that it has observed a nation-state threat actor, tracked as Storm-0062 (also known as DarkShadow or Oro0lxy), exploiting a critical zero-day vulnerability in Atlassian Confluence Data Center and Server. The vulnerability, CVE-2023-22515, carries the maximum severity rating of 10.0 out of 10.0.
Background on Zero-Day Vulnerabilities
A zero-day vulnerability is a flaw that attackers exploit before the vendor has had any time to fix it. In this case, Microsoft observed the nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild from September 14, 2023, three weeks before Atlassian’s public disclosure on October 4, 2023.
Atlassian’s Response to the Vulnerability
Atlassian updated its advisory this week to confirm that it has evidence suggesting a known nation-state actor is exploiting the bug. Confluence is a widely used collaborative wiki system employed by corporations worldwide to organize and share work. When asked about the findings, Atlassian spokesperson Ana Keltchina declined to say whether the company’s own investigations linked this exploitation to China, but confirmed that Atlassian is working closely with Microsoft on the matter.
Vulnerability Details
The vulnerability affects only on-premises instances of Confluence Data Center and Confluence Server; Atlassian-hosted cloud sites are not affected. It allows a remote attacker to create unauthorized administrator accounts and thereby gain access to the Confluence server. Atlassian has released a patch for the flaw and is urging users to upgrade as soon as possible.
Microsoft’s Observations and Response
Microsoft observed in-the-wild abuse of CVE-2023-22515 from September 14, some three weeks before Atlassian’s public disclosure on October 4. The technology giant has previously identified Storm-0062 as a China-based state-sponsored hacker group. Microsoft’s threat intelligence team is working closely with Atlassian to gather more information and to assist customers in responding to the vulnerability.
Customer Impact
Atlassian declined to say how many of its customers had been compromised through this vulnerability or whether it had seen any evidence of data theft. The company has so far received reports from a "handful of customers," but it is unclear whether it yet knows the full scale of customer exploitation.
Conclusion
The exploitation of CVE-2023-22515 by nation-state threat actor Storm-0062 highlights the importance of timely vulnerability disclosure and patching. Microsoft’s prompt identification and public disclosure of this critical zero-day vulnerability are crucial steps in mitigating its impact on customers. As the cybersecurity landscape continues to evolve, it is essential for organizations to remain vigilant and proactive in addressing emerging threats.