UPDATED 13:55 EDT / OCTOBER 11 2023

SECURITY

Microsoft says China-linked hacking group targeting Confluence deployments

Microsoft Corp. has determined that a China-linked hacking group is targeting deployments of Atlassian Corp. Plc’s Confluence collaboration software.

Microsoft detailed the hacking campaign in a late Tuesday post on X, the social network previously known as Twitter. Atlassian confirmed the findings in a security advisory on its website. The campaign is exploiting a zero-day vulnerability in Confluence that was publicly disclosed earlier this month.

Confluence is a popular collaboration platform that enables teams to create a shared repository of internal files. The software can store feature development roadmaps, advertising plans and other business documents. Confluence also lends itself to sharing other types of files such as diagrams.

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises. 

Confluence Cloud, the software-as-a-service edition of the application, is not affected.

In a security advisory, Atlassian stated that it has received reports from a “handful of customers” about hacking attempts targeting their Confluence deployments. The company didn’t specify how many deployments are affected. It said in a statement that “our priority is the security of our customers’ instances during this critical vulnerability, and we are collaborating with industry-leading threat intelligence partners, such as Microsoft, to obtain additional information that may assist customers with responding to the vulnerability.”

The vulnerability in question was first disclosed on Oct. 4. Microsoft says that the hackers have been targeting affected Confluence instances since at least Sept. 14, nearly three weeks before the disclosure.

The vulnerability, for which a patch is available, is tracked as CVE-2023-22515. Atlassian has rated it 10.0 on the CVSS scale, the maximum severity score. It is a broken access control flaw that allows unauthenticated attackers to bypass an affected Confluence instance’s login page, create administrator accounts and use those accounts to access data or change settings.

CVE-2023-22515 was introduced in Confluence 8.0, a version of the platform that Atlassian released last November; earlier versions are not affected. More recent editions are affected as well. Atlassian is advising customers to patch their deployments or, if patching is not possible, block external network access to them.

Organizations unable to do either can apply a temporary mitigation until their deployments are patched. According to Atlassian, the mitigation consists of a few lines of configuration added to Confluence’s web.xml file that block access to the /setup/* endpoints, the installation-time setup features that the attackers abuse. Atlassian also advises customers to check for unexpected administrator accounts, because neither the mitigation nor the patch removes accounts an attacker may already have created.
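The two checks a responder wants after reading the above are "was this instance hit?" (the setup-endpoint requests described earlier as the attack path) and "is the interim mitigation actually in place?". The script below is an added example, not Atlassian's or Microsoft's code. It assumes access logs in Tomcat/Apache combined format, that the mitigation takes the form of a `<security-constraint>` on `/setup/*` with an empty `<auth-constraint/>` in `web.xml` (the shape of the advisory's snippet), and every log line and `web.xml` fragment in it is constructed for illustration.

```python
"""Triage helpers for CVE-2023-22515 on Confluence Data Center / Server.

Added example, not Atlassian's or Microsoft's code. Assumptions, all constructed:
  - access-log lines are in Tomcat/Apache combined format, one request per line;
  - the interim mitigation is a <security-constraint> on /setup/* with an empty
    <auth-constraint/> in confluence/WEB-INF/web.xml (the shape of the advisory's
    snippet), and the web.xml text below is a stand-in, not a real deployment's.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status bytes
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator from Atlassian's advisory: requests to /setup/*.action, which are
# only legitimate during first-time installation. An optional context path
# (e.g. /confluence) is tolerated in front of /setup/.
_SETUP_ACTION_RE = re.compile(r"^(?:/[^/]+)?/setup/[^/?]*\.action$")


def parse_access_log_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    target = urlsplit(entry.pop("target"))
    entry["path"], entry["query"] = target.path, target.query
    entry["status"] = int(entry["status"])
    return entry


def find_setup_requests(lines):
    """Return the parsed entries that hit a setup action endpoint."""
    hits = []
    for line in lines:
        entry = parse_access_log_line(line)
        if entry and _SETUP_ACTION_RE.match(entry["path"]):
            hits.append(entry)
    return hits


def clients_hitting_setup(lines):
    """Source addresses to pivot on (sorted, de-duplicated)."""
    return sorted({h["client"] for h in find_setup_requests(lines)})


def _local(tag):
    # web.xml uses a default Java EE namespace; compare bare tag names.
    return tag.rsplit("}", 1)[-1]


def setup_constraint_present(web_xml_text):
    """True if web.xml denies every caller access to /setup/*."""
    root = ET.fromstring(web_xml_text)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        # An <auth-constraint/> with no <role-name> children denies all callers;
        # one that names a role still lets that role reach the setup actions.
        denies_all = any(
            not [c for c in ac if _local(c.tag) == "role-name"]
            for ac in sc.iter() if _local(ac.tag) == "auth-constraint"
        )
        if "/setup/*" in patterns and denies_all:
            return True
    return False


# Constructed sample log lines (not captured from a real host).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [14/Sep/2023:03:12:44 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Sep/2023:03:12:45 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0',
    '198.51.100.9 - - [14/Sep/2023:03:13:01 +0000] "GET /confluence/setup/setupadministrator.action?x=1 HTTP/1.1" 200 5120',
    '192.0.2.10 - jdoe [14/Sep/2023:03:14:00 +0000] "GET /display/ENG/Roadmap HTTP/1.1" 200 20480',
    '192.0.2.11 - - [14/Sep/2023:03:15:00 +0000] "GET /login.action HTTP/1.1" 200 3000',
    '192.0.2.12 - - [14/Sep/2023:03:16:00 +0000] "GET /setup/logo.png HTTP/1.1" 200 900',
    'not a log line at all',
]

# Constructed web.xml fragments (not a real deployment's file): the first has
# no constraint, the second carries one shaped like the advisory's mitigation.
WEB_XML_UNMITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>Confluence</display-name>
</web-app>
"""

WEB_XML_MITIGATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>Confluence</display-name>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/setup/*</url-pattern>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for h in find_setup_requests(SAMPLE_ACCESS_LOG):
        print(f'{h["ts"]} {h["client"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("sources to investigate:", clients_hitting_setup(SAMPLE_ACCESS_LOG))
    print("mitigation in web.xml:", setup_constraint_present(WEB_XML_MITIGATED))
```

Against the constructed input the log scan flags the three setup-action requests from two addresses and ignores the static file under /setup/ and the ordinary page views; the web.xml check accepts only a constraint whose auth-constraint names no role, since a constraint that grants a role still leaves the setup actions reachable by that role. Run it against the real access logs and the real web.xml, and treat any hit on a setup action after installation as a reason to audit the confluence-administrators group.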

Image: Atlassian
