Carding 4 Carders
Three weeks of unpunished access: what were the group's goals?
Microsoft said that a Chinese hacker group known as "Storm-0062" (aka DarkShadow, Oro0lxy) exploited a critical vulnerability in the Atlassian Confluence Data Center and Server starting on September 14, 2023.
Atlassian has notified its customers that CVE-2023-22515 is being actively exploited, but it did not disclose specific details about the groups exploiting this vulnerability.
Cybersecurity experts from Microsoft today shared more information about Storm-0062's actions and published four IP addresses associated with the attacks.
Given that the Atlassian security update was released in early October, Storm-0062 most likely exploited this zero-day vulnerability for almost three weeks, creating arbitrary administrator accounts on exposed endpoints.
According to Microsoft experts, Storm-0062 is a state-sponsored hacker group associated with the Ministry of State Security of China. It is known for its attacks on software, engineering, medical research, and government, defense, and technology firms in the United States, the United Kingdom, Australia, and Europe. The purpose of such attacks is usually intelligence gathering.
According to data compiled by cybersecurity firm Greynoise, exploitation of CVE-2023-22515 appears to be very limited so far. However, the PoC exploit and full technical details of the vulnerability, recently published by Rapid7 researchers, could dramatically change that picture.
The researchers showed how attackers can bypass the product's existing security checks and which cURL command can be used to send a crafted HTTP request to vulnerable endpoints.
This request creates new admin users with a password known to the attacker. Thanks to an additional parameter, also examined by Rapid7, other users receive no notification when the setup is completed, which makes the compromise invisible.
It's been a week since Atlassian released security updates for the affected products, so users have had plenty of time to update their installations. However, if you are an Atlassian Confluence user and have not yet updated, you should immediately install one of the following software versions:
- 8.3.3 or later;
- 8.4.3 or later;
- version 8.5.2 (for long-term support) or later.
It is worth noting that the vulnerability CVE-2023-22515 does not affect versions of Atlassian Confluence Data Center and Server prior to 8.0.0, so users of older versions do not need to take any action. The same applies to instances hosted on Atlassian cloud domains.
For more information about compromise indicators, upgrade instructions, and a complete list of affected product versions, see the Atlassian Security Bulletin.
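Two defender-side checks that follow from the version list and the indicators mentioned above, as an added example (not code from the post, Atlassian or Microsoft): a version triage that applies the branch-wise fix versions given above, and a scan of access-log lines for requests to /setup/*.action paths. Assumptions: the log format is a constructed combined-log-style line, the path regex is an approximation of the indicator in Atlassian's bulletin, and releases newer than 8.5.2 are treated as fixed.

```python
"""Triage helpers for CVE-2023-22515 (added example, not from the post)."""
import re

# Fixed release per 8.x minor branch, taken from the upgrade list above.
FIXED_BY_BRANCH = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_VULNERABLE = (8, 0, 0)   # versions before 8.0.0 are not affected
LAST_FIX = (8, 5, 2)           # newer than this: assumed fixed (assumption)


def parse_version(text: str) -> tuple:
    """Parse 'X.Y.Z' into a comparable tuple; suffixes like '-beta' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text: str) -> bool:
    """True if this Confluence DC/Server version still needs the fix."""
    v = parse_version(text)
    if v < FIRST_VULNERABLE:
        return False                      # pre-8.0.0: nothing to do
    fix = FIXED_BY_BRANCH.get(v[:2])
    if fix is not None:
        return v < fix                    # 8.3/8.4/8.5: compare within branch
    # 8.0-8.2 have no fixed release on their branch and must upgrade;
    # anything newer than 8.5.2 is assumed to carry the fix (assumption).
    return v < LAST_FIX


# Constructed sample lines (not real traffic); the /setup/ path mirrors the
# indicator Atlassian's bulletin describes (assumption about exact path).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Sep/2023:10:00:01 +0000] "GET /dashboard.action HTTP/1.1" 200 1203',
    '203.0.113.5 - - [15/Sep/2023:10:00:04 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '198.51.100.7 - - [15/Sep/2023:10:01:00 +0000] "GET /login.action HTTP/1.1" 200 5120',
]
SETUP_ACTION = re.compile(r'"(?:GET|POST) (/setup/[^ ?"]*\.action)')


def flag_setup_requests(log_lines: list) -> list:
    """Return (client_ip, path) for every request to a /setup/*.action path."""
    hits = []
    for line in log_lines:
        m = SETUP_ACTION.search(line)
        if m:
            hits.append((line.split()[0], m.group(1)))
    return hits


if __name__ == "__main__":
    for ver in ("7.19.14", "8.2.3", "8.3.2", "8.5.2"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(flag_setup_requests(SAMPLE_LOG))
```

Any hit from flag_setup_requests() on an instance whose setup finished long ago warrants checking the confluence-administrators group for accounts nobody created.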