Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks | CISA

The advisory describes active exploitation of CVE-2023-22515 in Atlassian Confluence Data Center and Server, a flaw that lets unauthenticated threat actors create unauthorized Confluence administrator accounts and use them for initial access to the victim network. It also covers post-exploitation data exfiltration using curl and Rclone to cloud storage, and urges immediate patching, hunting for the published indicators, and review of Confluence administrator accounts. #CVE-2023-22515 #Confluence #Atlassian #CISA #FBI #MS-ISAC #Rclone #cURL

Keypoints

  • The vulnerability CVE-2023-22515 is a critical Broken Access Control flaw affecting Atlassian Confluence Data Center and Server (Cloud variants are not affected).
  • Unauthenticated remote threat actors exploit the vulnerability in two steps: a request to /server-info.action with the parameter bootstrapStatusProvider.applicationConfig.setupComplete=false puts the instance back into its setup state, after which a POST to /setup/setupadministrator.action creates a new Confluence administrator account.
  • Atlassian released fixed versions and a security advisory on October 4, 2023; CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on October 5, 2023, confirming active exploitation of unpatched, internet-facing instances. The joint CISA/FBI/MS-ISAC advisory followed.
  • Post-exploitation data exfiltration observed using curl to transfer data and using Rclone to upload data or credentials to cloud storage (e.g., AWS S3, UCloud).
  • Observed request headers include User-Agent strings such as Python-requests/2.27.1 and curl/7.88.1, indicating automated tooling in use.
  • IOCs include specific IP addresses associated with the exfiltration activity; the advisory notes that one of them (95.217.6.16) is the rclone.org site itself, so matches on it indicate tool download rather than attacker-controlled infrastructure. Microsoft shared additional related IP addresses.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Unauthenticated attackers exploit this vulnerability to gain initial access by creating unauthorized Confluence administrator accounts. Quote: ‘Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts.’
  • [T1136] Create Account – Attackers create a new administrator user. Quote: ‘to create a new administrator user.’
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration using curl to transfer data to or from a server. Quote: ‘predominant method observed involves the use of cURL—a command line tool used to transfer data to or from a server.’
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltration via Rclone uploading a configuration file or credentials to cloud storage. Quote: ‘use of Rclone to either upload a configuration file to victim infrastructure or enter cloud storage credentials via the command line.’

Indicators of Compromise

  • [IP Address] Data exfiltration-related IPs – 170.106.106.16, 43.130.1.222, 152.32.207.23, 199.19.110.14, 95.217.6.16 (note: 95.217.6.16 is the rclone.org site)
  • [User-Agent] Web request clients observed – Python-requests/2.27.1, curl/7.88.1
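The following script is an added example, not code from the CISA advisory, that turns the exploit sequence in the Keypoints and the indicators listed above into detection logic: it parses Confluence access log lines, flags the setup-state reset on /server-info.action, the POST to /setup/setupadministrator.action, and any source IP or User-Agent from the IOC list, then correlates reset-then-create pairs per source IP into a high-confidence exploit chain. It assumes the access log is in NCSA combined format (the Tomcat "combined" AccessLogValve pattern) and that Confluence may sit under a context path, so endpoints are matched with endswith; the sample log lines are constructed, not real data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the advisory summary above.
IOC_IPS = {"170.106.106.16", "43.130.1.222", "152.32.207.23", "199.19.110.14", "95.217.6.16"}
IOC_USER_AGENTS = {"Python-requests/2.27.1", "curl/7.88.1"}

# Exploit-path markers. Assumption: paths are compared with endswith so a
# deployment under a context path such as /confluence/... still matches.
SETUP_RESET_PATH = "/server-info.action"
SETUP_RESET_PARAM = "bootstrapStatusProvider.applicationConfig.setupComplete"
ADMIN_CREATE_PATH = "/setup/setupadministrator.action"

# Assumption: NCSA combined log format (Tomcat AccessLogValve pattern="combined").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for demonstration; not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2023:11:02:13 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0 "-" "Python-requests/2.27.1"',
    '203.0.113.7 - - [05/Oct/2023:11:02:14 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0 "-" "Python-requests/2.27.1"',
    '198.51.100.23 - - [05/Oct/2023:11:05:40 +0000] "GET /rest/api/content HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '170.106.106.16 - - [05/Oct/2023:11:09:01 +0000] "GET /login.action HTTP/1.1" 200 2210 "-" "curl/7.88.1"',
]


def analyze_line(line):
    """Parse one access log line; return a record with its findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, method, target, ua = m["ip"], m["method"], m["target"], m["ua"]
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    findings = []
    # Step 1 of the exploit: force the instance back into its setup state.
    reset_values = [v.lower() for v in query.get(SETUP_RESET_PARAM, [])]
    if parts.path.endswith(SETUP_RESET_PATH) and "false" in reset_values:
        findings.append("setup_reset")
    # Step 2 of the exploit: create an administrator through the setup endpoint.
    if method == "POST" and parts.path.endswith(ADMIN_CREATE_PATH):
        findings.append("admin_create")
    # Atomic indicators from the advisory.
    if ip in IOC_IPS:
        findings.append("ioc_ip")
    if ua in IOC_USER_AGENTS:
        findings.append("ioc_user_agent")
    return {"ip": ip, "ts": m["ts"], "method": method, "target": target,
            "status": m["status"], "ua": ua, "findings": findings}


def scan(lines):
    """Return, in log order, only the records that triggered at least one finding."""
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


def exploit_chains(hits):
    """Source IPs that reset the setup state and later POSTed to the admin-creation endpoint.

    The reset must precede the POST; hits are expected in log order.
    """
    seen_reset = set()
    chained = []
    for rec in hits:
        if "setup_reset" in rec["findings"]:
            seen_reset.add(rec["ip"])
        if "admin_create" in rec["findings"] and rec["ip"] in seen_reset and rec["ip"] not in chained:
            chained.append(rec["ip"])
    return chained


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:<16} {h["method"]:<5} {h["target"][:48]:<48} {",".join(h["findings"])}')
    print("likely exploit chains from:", exploit_chains(hits))
```

A lone match on an IOC User-Agent is weak evidence (both strings are default library UAs), and a match on 95.217.6.16 only shows that Rclone was fetched; the reset-then-create pair from one source IP is the signal worth paging on, and any such IP should be followed by a review of the confluence-administrators group and of accounts created around that timestamp.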

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a