October 11, 2023
A China-sponsored advanced persistent threat (APT) tracked as Storm-0062 is responsible for the in-the-wild exploitation of the recently disclosed critical bug in Atlassian Confluence Server and Confluence Data Center, Microsoft has announced. And it turns out that proof-of-concept exploits are now available for it, portending mass exploitation.
The flaw (CVE-2023-22515) was disclosed last week, with Atlassian acknowledging that it had been exploited as a zero-day in the wild prior to that. The vulnerability was at first labeled a privilege escalation problem, but it is remotely exploitable without authentication and should be seen as more akin to a code-execution tool, according to researchers, an assessment borne out by its 10 out of 10 ranking on the CVSS vulnerability-severity scale.
Accordingly, Atlassian subsequently updated its advisory to label the bug a broken access control issue.
Microsoft this week delivered additional details on the zero-day campaign, which it said has been active since Sept. 14. In a series of tweets, it identified four IP addresses that were observed sending related CVE-2023-22515 exploit traffic; also, it noted that “any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application.”
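One check a defender can run against the behaviour Microsoft describes (an added example, not code from the article, Microsoft or Atlassian): scan Confluence access logs for the setup-wizard activity the attack relies on to create its administrator account, and diff the current administrators group against a known-good baseline. The two endpoint indicators (requests to `/setup/*.action`, and `/server-info.action` with `setupComplete=false` in the query) follow Atlassian's published advisory guidance and Rapid7's analysis rather than this article; the log lines, IP addresses, group memberships and the combined-style log format are constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Assumed log format: Tomcat/Apache "combined"-style access log
#   %h %l %u %t "%r" %s %b ...   (constructed; adjust to your deployment)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The setup wizard lives under <context>/setup/; a trailing context path
# such as /confluence is tolerated by matching on the path suffix.
SETUP_ACTION_RE = re.compile(r'/setup/[^/?]+\.action$')


class Finding(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    reason: str


def classify_request(path: str) -> Optional[str]:
    """Return a reason string if the request matches a CVE-2023-22515 indicator.

    Indicators (per Atlassian's advisory guidance / Rapid7's analysis, assumed here):
      - /server-info.action with setupComplete=false in the query string,
        which re-opens the first-run setup wizard on an installed instance
      - any request reaching /setup/*.action on an instance that is already set up
    """
    base, _, query = path.partition("?")
    if base.endswith("/server-info.action") and "setupComplete=false" in query:
        return "setup state reset via setupComplete=false"
    if SETUP_ACTION_RE.search(base):
        return "setup wizard endpoint reached on installed instance"
    return None


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Parse access log lines and return requests matching the indicators."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (different format); skip rather than guess
        reason = classify_request(m["path"])
        if reason:
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], reason))
    return findings


def unexpected_admins(current_members: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Members of confluence-administrators that are not in the approved baseline."""
    return sorted(set(current_members) - set(baseline))


# Constructed sample: one source performs the reset-then-setup sequence,
# another source browses normally (including a benign /server-info.action hit).
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Sep/2023:10:02:11 +0000] "GET /server-info.action'
    '?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 -',
    '203.0.113.10 - - [14/Sep/2023:10:02:12 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 -',
    '203.0.113.10 - - [14/Sep/2023:10:02:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 -',
    '198.51.100.7 - - [14/Sep/2023:10:05:00 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 -',
    '198.51.100.7 - - [14/Sep/2023:10:05:03 +0000] "GET /server-info.action HTTP/1.1" 200 -',
]

# Constructed group membership snapshots (e.g. from the REST API or the database)
BASELINE_ADMINS = ["admin", "svc-backup"]
CURRENT_ADMINS = ["admin", "svc-backup", "confluence-setup-user"]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.method} {f.path} -> {f.reason}")
    for user in unexpected_admins(CURRENT_ADMINS, BASELINE_ADMINS):
        print(f"unexpected confluence-administrators member: {user}")
```

A plain `/server-info.action` request is normal traffic and is not flagged on its own; only the query string that flips the setup state, or any request that actually reaches the setup wizard, counts. On a real instance, run the log scan back to at least Sept. 14 (the start of the campaign Microsoft reports) and treat any new administrator as compromise of the instance, not just of that account.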
In tandem with that attribution, a former computer science student and “security enthusiast” who goes by the handle s1r1us dropped a proof of concept (PoC) on GitHub; researchers at Rapid7 also published a detailed analysis of the vulnerability that could offer plenty of breadcrumbs to other PoC developers.
Who Is Beijing-Sponsored Storm-0062?
The Storm-0062 APT is also known as DarkShadow or Oro0lxy, Microsoft pointed out. Both names are aliases for Chinese state hackers Li Xiaoyu and Dong Jiazhi, who were indicted by the US Department of Justice in 2020 for probing for “vulnerabilities in computer networks of companies developing COVID-19 vaccines, testing technology, and treatments.”
They remain at large, presumably in China, and have a history of state-sponsored hacking in tandem with various associates that goes back to at least 2009. Microsoft offered no details on the victimology of the latest attacks but noted in its annual Digital Defense Report issued last week that Chinese state-sponsored campaigns typically reflect the Chinese Communist Party’s (CCP) dual pursuit of global influence and intelligence collection, and thus cast a wide net.
“Cyber threat groups [in China] continue to carry out sophisticated worldwide campaigns targeting US defense and critical infrastructure, nations bordering the South China Sea, and even China’s strategic partners,” according to the report. “Some Chinese cyber activity may also indicate possible avenues of response in the event of a future geopolitical crisis.”