A joint Advisory warns of a software supply chain risk, urges patching, and advises organizations on what to do should defenses fail.
Warning on Atlassian software supply chain risk.
Yesterday the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint Cybersecurity Advisory (CSA) on the active exploitation of CVE-2023-22515, a vulnerability in Atlassian Confluence Data Center and Server, a widely used collaboration platform.
Risk of data extraction.
Exploitation enables a malicious actor to create unauthorized Confluence administrator accounts, with the attendant possibility of data exfiltration. The Advisory recommends immediately upgrading to a patched version of the vulnerable product. Organizations detecting exploitation of CVE-2023-22515 should, in addition to collecting relevant artifacts and reporting the compromise to responsible authorities:
- "Quarantine and take offline potentially affected hosts."
- "Provision new account credentials," and
- "Reimage compromised hosts."
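Because the exploitation described above shows up as administrator accounts nobody approved, one practical detection check is to compare the current members of the Confluence administrators group against a known-good baseline. The script below is an added example, not code from the Advisory, from Atlassian, or from BlueVoyant. The JSON it parses is a constructed sample shaped like the response of the Confluence Server/Data Center `GET /rest/api/group/confluence-administrators/member` endpoint; the field names (`results`, `username`) and the baseline list are assumptions and should be checked against your own instance and access review.

```python
"""Audit Confluence administrator accounts against an approved baseline.

Added example (not from the Advisory or from Atlassian). The sample JSON is
constructed to resemble a Confluence Server/DC group-member response; the
field names are assumed, so verify them against your instance.
"""
import json
from datetime import datetime, timezone

# Constructed sample: what the instance would report right now.
SAMPLE_MEMBERS_JSON = """
{
  "results": [
    {"type": "known", "username": "admin",  "displayName": "Site Admin"},
    {"type": "known", "username": "j.doe",  "displayName": "Jane Doe"},
    {"type": "known", "username": "a1b2c3", "displayName": "a1b2c3"}
  ],
  "size": 3
}
"""

# Assumed baseline: administrator usernames approved at the last access review.
APPROVED_ADMINS = {"admin", "j.doe"}


def parse_member_usernames(members_json: str) -> set[str]:
    """Return the set of usernames in a group-member response body."""
    data = json.loads(members_json)
    return {m["username"] for m in data.get("results", []) if "username" in m}


def unexpected_admins(current: set[str], approved: set[str]) -> set[str]:
    """Administrators present now that are not in the approved baseline."""
    return current - approved


def audit(members_json: str, approved: set[str]) -> dict:
    """Build a small report; 'suspicious' is non-empty when the baseline drifts.

    'missing_from_baseline' is reported too, since an approved admin that has
    vanished is also worth a look during an incident review.
    """
    current = parse_member_usernames(members_json)
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "current_admins": sorted(current),
        "suspicious": sorted(unexpected_admins(current, approved)),
        "missing_from_baseline": sorted(approved - current),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MEMBERS_JSON, APPROVED_ADMINS)
    for name in report["suspicious"]:
        print(f"UNEXPECTED administrator account: {name}")
    if not report["suspicious"]:
        print("Administrator group matches the approved baseline.")
```

In practice the JSON would come from an authenticated request to the endpoint named above rather than the constructed sample, and the baseline would be the output of your last access review; any account the check flags is a candidate for the quarantine, credential rotation and reimaging steps the Advisory lists, not something to delete and forget.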
The Advisory doesn't offer attribution of the ongoing exploitation, but researchers credibly point to China's Ministry of State Security as the probable responsible threat actor.
Industry sources concur on the importance of patching.
Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, thinks the alert should bring organizations to a new appreciation of the challenges of building resilience. "This new Atlassian vulnerability highlights the need to be aware of the vendors and suppliers you are relying on for business continuity," Janssen-Anessi wrote in emailed comments. "When vulnerabilities like this are announced, you should limit use of affected systems and patch as soon as a patch becomes available. In this case, unfortunately it is reported that attackers started using the vulnerability before a patch was available. In cases like this, the best action is to isolate the affected system and then patch as soon as a patch is available. You should also work with your vendors and suppliers to make sure they do the same. Even if your systems are isolated or patched, a third party with network access could be compromised and affect you."
And the vulnerability addressed in the Advisory is a supply-chain issue. "When widely-used software, such as Atlassian, is vulnerable, it can lead to supply chain attacks. Organizations now can have hundreds to thousands of suppliers, vendors, and other third parties with network access. These make up their digital supply chain. If one of those suppliers is compromised, the attackers can gain access to organizations they are connected to." In spite of warnings, many organizations continue to be laggard with respect to patching. "Last year, Atlassian also announced another vulnerability. For that vulnerability, according to BlueVoyant’s threat intelligence, only 30% of affected organizations patched within the first 10 days. Afterwards, the patch rate plateaued, leaving many organizations vulnerable. Given that attackers are now exploiting these vulnerabilities sooner, organizations need to react and act quickly."