New Ransomware Dubbed Atom Silo Targets Confluence Servers
The New Ransomware Group Is Targeting a Recently Patched and Actively Exploited Confluence Server.
Atlassian Confluence is a highly popular web-based team workspace meant to help employees collaborate.
Back in August, Atlassian issued security updates meant to patch a Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084 that was being exploited in the wild.
If this vulnerability is successfully exploited, an unauthenticated attacker can remotely execute code on unpatched systems.
Atom Silo Is Targeting Confluence Servers
SophosLabs researchers made the discovery while analyzing a recent incident. They also found that the ransomware used by this new group closely resembles LockFile, which is itself very similar to the LockBit malware.
The Atom Silo operators, however, employ “a number of innovative tactics that make it exceedingly difficult to examine, including the side-loading of malicious dynamic-link libraries designed to disrupt endpoint security software.”
Following the compromise of Confluence servers and the installation of a backdoor, the threat actors use DLL side-loading to deploy a second-stage stealthier backdoor on the compromised machine.
The ransomware payloads deployed by Atom Silo also include a malicious kernel driver intended to evade detection and disable endpoint security solutions.
The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago.
While similar to another recently discovered ransomware group, LockFile, Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques and procedures that were full of twists and turns and challenging to spot – probably intentionally so.
In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware.
As BleepingComputer reported at the beginning of September, multiple threat actors began scanning for and exploiting the recently published CVE-2021-26084 Confluence RCE vulnerability to install crypto miners just six days after Atlassian’s fixes were announced.
The attackers were installing crypto miners (e.g., XMRig Monero cryptocurrency miners) on Windows and Linux Confluence servers, according to BleepingComputer.
In early September, the United States Cyber Command (USCYBERCOM) issued a rare notice urging US businesses to promptly fix the serious Atlassian Confluence vulnerability, which had already been widely exploited.
“Please patch immediately if you haven’t already – this cannot wait until after the weekend,” the USCYBERCOM unit said, emphasizing the necessity of updating all vulnerable Confluence servers as soon as possible.
CISA also advised administrators to deploy the Atlassian Confluence security patches as soon as possible.
This incident is also a good reminder of how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time.
In this case, the vulnerability opened the door to two simultaneous but unrelated attacks: ransomware and a crypto-miner.