US cybercops urge admins to patch amid ongoing Confluence chaos

Do it now, no ifs or buts, says advisory
US authorities have issued an urgent plea to network admins to patch the critical vulnerability in Atlassian Confluence Data Center and Server amid ongoing nation-state exploitation.

The joint cybersecurity advisory from CISA, FBI, and Multi-State Information Sharing and Analysis Center (MS-ISAC) comes after the October 4 disclosure of CVE-2023-22515, which was assigned a CVSS score of 10 by Atlassian.

Given that a successful exploit lets attackers create new admin accounts for themselves, and the sophistication of the attackers already attempting exploits, the agencies stressed the urgency of applying the update.

CISA, FBI, and MS-ISAC also believe the capabilities of attackers that successfully exploit the zero-day vulnerability aren't limited to account creation. Their ability to modify configuration files – the precursor to account creation – indicates that other tasks may be possible to carry out too.

"On October 5, 2023, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation," the advisory reads.

"Due to the ease of exploitation, CISA, FBI, and MS-ISAC expect to see widespread exploitation of unpatched Confluence instances in government and private networks."

In addition to "immediately" applying patches, the organizations recommend proactively hunting for intrusions or malicious activity on the network since attackers aren't booted out just by updating alone.

If an instance is already compromised, the network admin must not only update to one of the secure versions, but also manually determine whether any admin accounts have been created by those with malicious intent, remove them, and undo any other damage they may have caused.
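One way to start the manual admin-account review described above, as an added example that is not the advisory's or Atlassian's tooling: a triage script that flags admin accounts created on or after the earliest in-the-wild exploitation date the article cites (September 14, 2023) and that are absent from a baseline of expected admins. The user export, the baseline set and the function names are constructed for illustration; a real review would feed it the instance's own user directory or audit log.

```python
"""Triage helper: flag Confluence admin accounts created inside the
CVE-2023-22515 exploitation window. Added example, not the advisory's
or Atlassian's code; the export format and baseline are constructed."""
from datetime import date, datetime

# Earliest in-the-wild exploitation reported by Microsoft (from the article).
EXPLOIT_WINDOW_START = date(2023, 9, 14)

# Constructed sample export: username, creation date, admin flag.
SAMPLE_USERS = """\
username,created,is_admin
alice,2021-03-02,true
bob,2022-11-19,false
svc_backup,2023-09-20,true
carol,2023-10-06,true
dave,2023-10-01,false
"""

# Hypothetical baseline: admins your change records already account for.
KNOWN_ADMINS = {"alice"}


def parse_users(export: str) -> list:
    """Parse the constructed CSV export into dicts with typed fields."""
    lines = export.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["created"] = datetime.strptime(rec["created"], "%Y-%m-%d").date()
        rec["is_admin"] = rec["is_admin"].strip().lower() == "true"
        rows.append(rec)
    return rows


def suspicious_admins(export: str, known_admins=KNOWN_ADMINS,
                      since=EXPLOIT_WINDOW_START) -> list:
    """Admin accounts created on/after `since` that are not in the baseline.
    Each hit needs a human decision: legitimate onboarding or attacker-made."""
    return sorted(
        u["username"] for u in parse_users(export)
        if u["is_admin"] and u["created"] >= since
        and u["username"] not in known_admins
    )


if __name__ == "__main__":
    for name in suspicious_admins(SAMPLE_USERS):
        print(f"review admin account created in exploitation window: {name}")
```

Narrowing `since` to the disclosure date (October 4) shows how the window choice changes the candidate list; the earlier date is the safer one because exploitation predates disclosure.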

The versions that are protected from the zero-day vulnerability are:

"Organizations are encouraged to review all affected Confluence instances for evidence of compromise, as outlined by Atlassian," the advisory reads.

"If compromise is suspected or detected, organizations should assume that threat actors hold full administrative access and can perform any number of unfettered actions – these include but are not limited to exfiltration of content and system credentials, as well as installation of malicious plugins."

Ongoing exploits

Microsoft confirmed on October 10 that nation-state attackers had already begun exploitation attempts against CVE-2023-22515.

"Microsoft has observed nation-state threat actor Storm-0062 exploiting CVE-2023-22515 in the wild since September 14, 2023. CVE-2023-22515 was disclosed on October 4, 2023. Storm-0062 is tracked by others as DarkShadow or Oro0lxy," it said in a post on X.

Storm-0062 is the name Microsoft uses under its current taxonomy to track a specific Chinese state-backed offensive group, formerly known as DEV-0062.

The Register asked Atlassian about how many Confluence instances remain unpatched but it did not answer specific questions on the matter.

A spokesperson offered a general statement: "The mitigations listed in our advisory are an interim measure for customers that cannot immediately upgrade their instance or take their instance off the internet until they can upgrade.

"Our priority is the security of our customers' instances during this Critical vulnerability. This is an ongoing investigation, and we encourage customers to share evidence of compromise to support these efforts."

GreyNoise's data on attempted exploits of CVE-2023-22515 indicates that the number of unique IPs trying to exploit the vulnerability is low, but the numbers are consistent with the known IPs disclosed by Microsoft.

Exploit attempts peaked two days after proof of concept (PoC) code was made public on October 10, according to GreyNoise.

Whenever PoC code is released, the likelihood of successful exploitation increases markedly.

"While there are immediate concerns such as increased risk of exploitation and the potential integration into malware toolkits, the availability of a proof-of-concept presents an array of security and operational challenges that extend beyond these immediate issues. Immediate action is strongly advised to address the potential risks associated with this development," said CISA, FBI, and MS-ISAC.

As of October 10, Microsoft was aware of four IPs sending exploit traffic and the FBI's investigation revealed a further five. Together this amounts to roughly the same total of 11 that GreyNoise has logged.

For those who are unable to apply the patches immediately, Atlassian recommends admins apply the limited mitigations in its advisory.

"Note: These mitigation actions are limited and not a replacement for upgrading your instance; you must upgrade as soon as possible," it said. ®
