Atom Silo, a newly spotted ransomware group, is targeting a recently patched and actively exploited Confluence Server and Data Center vulnerability to deploy its ransomware payloads.
Atlassian Confluence is a highly popular web-based corporate team workspace that helps employees collaborate on various projects.
On August 25, Atlassian issued security updates to patch a Confluence remote code execution (RCE) vulnerability tracked as CVE-2021-26084 and exploited in the wild.
Successful exploitation allows unauthenticated attackers to execute commands on unpatched servers remotely.
Ransomware gangs start targeting Confluence servers
The discovery was made by SophosLabs researchers while investigating a recent incident. They also found that the ransomware used by this new group is almost identical to LockFile, which is itself very similar to the one used by the LockBit ransomware group.
However, Atom Silo operators use “several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.”
After compromising Confluence servers and installing a backdoor, the threat actors drop a second-stage, stealthier backdoor, using DLL side-loading to launch it on the breached system.
Ransomware payloads deployed by Atom Silo also include a malicious kernel driver used to disrupt endpoint protection solutions and evade detection.
“The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown until a few weeks ago,” said Sean Gallagher, a senior threat researcher at Sophos.
“While similar to another recently discovered ransomware group, LockFile, Atom Silo has emerged with its own bag of novel and complicated tactics, techniques and procedures that were full of twists and turns and challenging to spot – probably intentionally so.
“In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Apart from the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware.”
Further technical details on Atom Silo’s compromise and lateral movement tactics can be found in SophosLabs’ report.
Heavily exploited Confluence vulnerability
As BleepingComputer reported at the start of September, multiple threat actors started scanning for and exploiting the recently disclosed CVE-2021-26084 Confluence RCE vulnerability to install crypto miners once a PoC exploit was released six days after Atlassian’s patches were issued.
BleepingComputer confirmed that the attackers were installing crypto miners (e.g., XMRig Monero cryptocurrency miners) on Windows and Linux Confluence servers.
U.S. Cyber Command (USCYBERCOM) issued a rare alert in early September to urge U.S. organizations to patch the critical Atlassian Confluence vulnerability immediately because it was already under mass exploitation.
The USCYBERCOM unit also stressed the importance of patching all vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already — this cannot wait until after the weekend.”
— U.S. Cyber Command (@US_CYBERCOM) September 3, 2021
CISA also warned admins to apply the Confluence security updates recently issued by Atlassian immediately.
As BleepingComputer cautioned at the time, although these attackers were only deploying cryptocurrency miners, they could quickly escalate to ransomware payloads and data exfiltration once the threat actors started moving laterally through corporate networks from hacked on-prem Confluence servers.
“This incident is also a good reminder of how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time,” Gallagher added.
“In this case, the vulnerability opened the door to two simultaneous, but unrelated attacks from ransomware and a crypto-miner.”