China’s Ministry of State Security has been implicated in a sophisticated software supply chain campaign, according to Microsoft. The campaign, executed by a threat actor known as Storm-0062, involves the exploitation of a broken access control vulnerability, known as CVE-2023-22515, in Atlassian’s Confluence Data Center and Server products. Microsoft claims that Storm-0062 has been conducting cyberespionage on behalf of the Ministry of State Security (MSS) since September 14th.
Microsoft’s warning comes after Atlassian revealed and addressed the flaw on October 4th. The vulnerability allows any device with a network connection to a vulnerable application to create a Confluence administrator account, granting unauthorized access to sensitive information. To mitigate the risk posed by this vulnerability, organizations are advised to upgrade their Confluence applications to fixed versions 8.3.3, 8.4.3, or 8.5.2, or newer. Additionally, these organizations should isolate their vulnerable Confluence applications from the public internet until they complete the necessary upgrades.
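A triage helper for the upgrade guidance above, added here as an example and not code from Atlassian or Microsoft: it classifies a Confluence Data Center/Server version as fixed, vulnerable, or unaffected against the fixed releases the advisory names (8.3.3, 8.4.3, 8.5.2, or newer). It assumes, as Atlassian's advisory states, that releases before 8.0.0 are not affected, and that the 8.0 to 8.2 branches received no patched release; the host inventory is constructed sample data.

```python
import re

# Fixed releases named in the advisory: 8.3.3, 8.4.3, 8.5.2, or newer.
# Assumption (Atlassian advisory): 8.0.x-8.2.x got no fix and must move up.
FIXED_MINIMUM = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}
FIRST_FIXED_BRANCH = (8, 6)   # 8.6.0 and later shipped with the fix
FIRST_AFFECTED = (8, 0, 0)    # assumption: releases before 8.0.0 unaffected


def parse_version(text):
    """Turn '8.5.1' (suffixes such as '-rc1' are ignored) into a 3-tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version_text):
    """Return 'fixed', 'vulnerable' or 'unaffected' for one version string."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return "unaffected"
    branch = v[:2]
    if branch in FIXED_MINIMUM:
        return "fixed" if v >= FIXED_MINIMUM[branch] else "vulnerable"
    if branch >= FIRST_FIXED_BRANCH:
        return "fixed"
    return "vulnerable"   # 8.0.x-8.2.x: no patched release on this branch


def triage(inventory):
    """Map host -> status so vulnerable instances can be isolated and upgraded."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real data.
    sample = {
        "wiki-prod": "8.5.1",
        "wiki-dev": "8.5.2",
        "wiki-legacy": "7.19.14",
        "wiki-old": "8.2.0",
        "wiki-new": "8.6.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:10s} {status}")
```

Run it against an exported instance list; every host reported as vulnerable should be cut off from the public internet until it reaches one of the fixed releases.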
Atlassian has expressed its commitment to prioritizing the security of its customers’ instances during this critical vulnerability. The company is collaborating with industry-leading threat intelligence partners, including Microsoft, to gather additional information that may assist customers in responding to the vulnerability. Atlassian encourages customers to share evidence of compromise to support these efforts.
The exploitation of CVE-2023-22515 is part of a broader software supply chain attack, according to Tom Kellermann, the Senior Vice President of Cyber Strategy at Contrast Security. Kellermann describes the attack as systemic, emphasizing the vast cyberspy network of the People’s Liberation Army (PLA) and its focus on acquiring zero-day vulnerabilities. He argues that the Achilles heel of network security lies in the exploitation of applications through software supply chain attacks. Kellermann posits that the traditional application security paradigm is ineffective in the face of such attacks and emphasizes the importance of runtime security to mitigate future exploitation or zero-day threats.
Software supply chain attacks have gained attention in recent years because compromising a common software provider can expose many organizations at once. By infiltrating the supply chain, threat actors can insert malicious code or exploit vulnerabilities, thereby bypassing individual organizational security measures. The SolarWinds supply chain attack of 2020 serves as a prominent example of the significant impact these attacks can have.
The involvement of China’s Ministry of State Security in this software supply chain campaign raises concerns about the country’s cyberespionage capabilities and motivations. China has long been accused of state-sponsored cyberattacks, targeting intellectual property, political adversaries, and critical infrastructure. These allegations have strained international relations and sparked debates over the appropriate response to such activities.
As the investigation into the Storm-0062 campaign continues, it is crucial for organizations to remain vigilant and take the necessary measures to protect their networks and systems. Upgrading vulnerable applications, isolating them from the public internet, and implementing robust runtime security measures can help mitigate the risk of exploitation. Additionally, collaboration between technology companies, intelligence agencies, and other stakeholders remains essential to detecting and responding to these security threats effectively. As the cyber threat landscape continues to evolve, organizations must remain proactive and adaptive in defending against sophisticated and persistent adversaries.
