CISA and FBI to Network Admins: Patch Atlassian Confluence Now
Federal security agencies are urging network administrators to immediately patch Atlassian Confluence servers to protect against a critical security flaw that is being exploited by cybercriminals.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State Information Sharing and Analysis Center (MS-ISAC) this week issued an advisory saying that the vulnerability – tracked as CVE-2023-22515 – is being abused by threat actors to gain initial access to Confluence instances by creating unauthorized administrator accounts.
The warning comes two weeks after Atlassian released security updates to address the threat and less than a week after Microsoft’s Threat Intelligence unit said a state-sponsored Chinese advanced persistent threat (APT) group called Storm-0062 (also known as DarkShadow or Oro0lxy) is behind a series of ongoing attacks exploiting the highly critical flaw that date back to September 14.
The federal agencies are not only pushing organizations to patch the flaw, but also encouraging them look for signs of malicious activities on their networks by using the detection signatures and indications of compromise (IOCs) they have listed in the advisory.
The Need to Update
Atlassian’s Confluence Server lets organizations to host the team workspace tool on its own servers. Confluence Data Center can be run in a cluster or a standalone installation in an enterprise’s own data center. According to Atlassian, CVE-2023-22515 – to which the company has given a severity score of 10 – affects Confluence Data Center and Server versions 8.0 and up, and organizations with those products should move to the fixed versions 8.3.3, 8.4.3, and 8.5.2 (the Long Term Support release) and later.
Those companies with the vulnerable products that are accessible to the internet should restrict external network access until they can upgrade.
Only the on-premises instances of the products are vulnerable, the vendor said. Atlassian Cloud sites are not impacted by the bug.
In its October 4 notice, Atlassian said that it was “made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.”
According to an analysis by cybersecurity firm Rapid7, “this vulnerability is remotely exploitable by an unauthenticated attacker, and can be leveraged to create a new administrator account on the target Confluence server. This can lead to a total loss of integrity and confidentiality of the data held in the server.”
The vendor added that “since the root cause of the vulnerability allows an attacker to modify critical configuration settings, an attacker may not be limited to creating a new administrator – there may be further avenues of exploitation available.”
The risks raised by the Confluence flaw may not disappear anytime soon. Malwarebytes researchers wrote that although the bug began life as a zero-day vulnerability used by nation-state hackers, “it will likely take on a second life in the hands of less sophisticated criminals.”
The ‘Patch Gap’
“We are now in the ‘patch gap,’ the period of time between a patch being available and it being applied,” they wrote. “This creates a window of opportunity for mass exploitation, which could last months or even years. The arrival of a patch allows organizations to fix their systems, it also informs a wider group of criminals about the existence of the vulnerability.”
Cybercriminals can use this time to reverse engineer the patch to identify the problem and then create their own code to exploit it or wait for others to do it for them, according to Malwarebytes.
“Proof-of-concept exploits for CVE-2023-22515 have already appeared on GitHub so there is no time to lose,” they wrote. “How long the patch gap lasts is entirely down to how quickly organizations update their Confluence software.”
The group named by Microsoft as exploiting the Confluence flaw is known for breaking into both private and public networks. The Justice Department in 2020 indicted two Chinese nationals linked to the group for a decade of hacking into systems of government agencies, private companies, and dissidents and stealing terabytes of data.
Their victims included companies, such as Moderna, developing COVID-19 vaccines and treatments.
