A well-prepared software supply chain campaign by China's Ministry of State Security.
Storm0062 exploits Atlassian 0-day.
Microsoft warns that the nation-state threat actor Storm-0062 has been exploiting CVE-2023-22515, a broken access control vulnerability affecting Atlassian’s Confluence Data Center and Server products, since September 14th. SecurityWeek reports that the threat actor is conducting cyberespionage for China’s Ministry of State Security (MSS).
Atlassian disclosed and patched the flaw.
Atlassian disclosed the flaw on October 4th. Microsoft states, “Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application. Organizations with vulnerable Confluence applications should upgrade as soon as possible to a fixed version: 8.3.3, 8.4.3, or 8.5.2 or later. Organizations should isolate vulnerable Confluence applications from the public internet until they are able to upgrade them.”
An Atlassian spokesperson told TechCrunch, “Our priority is the security of our customers’ instances during this critical vulnerability, and we are collaborating with industry-leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability. This is an ongoing investigation, and we encourage customers to share evidence of compromise to support these efforts.”
A deliberately prepared software supply chain attack.
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, set the exploitation in the context of an ongoing, well-prepared software supply chain attack. “This represents a systemic supply chain attack. The PLA has a vast cyberspy network many of which focus on arming her with zero-days,” he wrote. “Network security has an Achilles heel and that lies in the exploitation of applications via software supply chain attacks. The application security paradigm is defunct. Runtime security is imperative to mitigate exploitation or zero-days.”