Urgent: Patch Atlassian Confluence Now – CISA & FBI Advisory
CISA, FBI, and MS-ISAC are strongly advising network administrators to promptly apply patches to their Atlassian Confluence servers to protect against the active exploitation of a critical security vulnerability.
Identified as CVE-2023-22515, this critical flaw impacts specific versions of Atlassian Confluence Data Center and Server, allowing malicious actors to gain initial access to Confluence instances by creating unauthorized Confluence administrator accounts.
Atlassian Confluence Exploited as Zero-day
On October 4, Atlassian released security updates and urged users to immediately upgrade their Confluence instances to one of the patched versions (8.3.3 or later, 8.4.3 or later, or 8.5.2 or later). The urgency of this advice stems from the fact that the vulnerability was already being actively exploited “in the wild” as a zero-day.
Threat actors exploited CVE-2023-22515 as a zero-day, gaining access to victim systems and continuing to exploit them even after patches were made available. Atlassian has classified this vulnerability as critical, and CISA, FBI, and MS-ISAC anticipate continued and widespread exploitation because the flaw is easy to exploit.
For those unable to immediately upgrade, the guidance recommended shutting down affected instances or isolating them from internet access. Furthermore, network administrators were encouraged to conduct thorough checks for indicators of compromise, including the identification of new or suspicious administrative user accounts.
One week after CISA added this vulnerability to its list of known exploited vulnerabilities, Microsoft disclosed that a Chinese-backed threat group, known as Storm-0062 (also recognized as DarkShadow or Oro0lxy), had been exploiting this flaw as a zero-day since at least September 14, 2023.
The joint warning comes within two weeks of Atlassian releasing the security updates and less than a week after Microsoft's Threat Intelligence unit attributed the ongoing attacks to Storm-0062, which it describes as a state-sponsored Chinese advanced persistent threat (APT) group that has been exploiting this critical flaw since as early as September 14.
Federal agencies are not only urging organizations to patch Atlassian Confluence but are also encouraging them to proactively hunt for signs of malicious activity on their networks. The advisory supports that hunt by listing detection signatures and indicators of compromise (IOCs).
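The check recommended above, looking for administrator accounts that should not exist, can be automated by comparing current membership of the administrators group against a baseline recorded before the exposure window. The script below is an added example, not code from the advisory or from Atlassian; it assumes the paginated JSON shape of Confluence Server's GET /rest/api/group/{groupName}/member endpoint (results, start, limit, size) and uses a constructed in-memory sample in place of a live HTTP call.

```python
"""Baseline diff of Confluence administrator-group membership (added example)."""
from typing import Callable, Iterator

# Constructed sample standing in for the live confluence-administrators group.
# The third account is the kind of unexpected member an intrusion would leave behind.
SAMPLE_MEMBERS = [
    {"type": "known", "username": "admin", "displayName": "Site Admin"},
    {"type": "known", "username": "jdoe", "displayName": "Jane Doe"},
    {"type": "known", "username": "tmpuser", "displayName": "tmpuser"},
]

# Constructed baseline: group membership snapshotted before the exposure window.
BASELINE_ADMINS = {"admin", "jdoe"}


def fetch_sample_page(start: int, limit: int) -> dict:
    """Stand-in for an HTTP GET; mirrors the assumed paginated response layout."""
    page = SAMPLE_MEMBERS[start:start + limit]
    return {"results": page, "start": start, "limit": limit, "size": len(page)}


def iter_group_members(fetch_page: Callable[[int, int], dict], limit: int = 2) -> Iterator[str]:
    """Walk every page of a group-member response and yield usernames.

    Assumption: a page holding fewer than `limit` results is the last one,
    so a group larger than one page is still fully enumerated.
    """
    start = 0
    while True:
        results = fetch_page(start, limit).get("results", [])
        for member in results:
            if "username" in member:          # tolerate "unknown" member entries
                yield member["username"]
        if len(results) < limit:
            return
        start += limit


def find_unexpected_admins(fetch_page: Callable[[int, int], dict], baseline: set[str]) -> list[str]:
    """Return administrators present now but absent from the baseline, sorted."""
    return sorted(set(iter_group_members(fetch_page)) - baseline)


if __name__ == "__main__":
    unexpected = find_unexpected_admins(fetch_sample_page, BASELINE_ADMINS)
    if unexpected:
        print("Administrator accounts not in baseline, review them:", ", ".join(unexpected))
    else:
        print("No administrator accounts outside the baseline.")
```

Against a real instance, replace fetch_sample_page with a function that performs the authenticated GET and returns the parsed JSON; the baseline must come from a snapshot taken before September 14, 2023, or from the documented list of legitimate administrators.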
The sources for this article include a story from Security Boulevard.