[BreachExchange] New Atom Silo Ransomware Group Targets Confluence Servers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Oct 5 08:45:43 EDT 2021


https://www.darkreading.com/threat-intelligence/new-atom-silo-ransomware-group-targets-confluence-servers

Security researchers are tracking a new ransomware group called Atom Silo,
which uses a newly disclosed vulnerability in Atlassian's Confluence
collaboration software (CVE-2021-26084) as well as new tactics that make it
tough to investigate.

Sophos' MTR Rapid Response team recently investigated an Atom Silo attack
and today shared its findings to reveal more about the group's tools and
techniques. The intrusion it investigated began Sept. 13, 2021, 11 days
before the ransomware attack. Attackers — either the Atom Silo group
itself, an affiliate, or an initial access broker — breached a Confluence
server using an Object-Graph Navigation Language (OGNL) injection attack.

This attack on the server gave the attackers a backdoor they were then able
to use to drop and execute files for another, stealthy backdoor,
researchers write in a blog post. The payload for the second backdoor
contained three files, one of which was a legitimate signed executable from
a third-party software provider that was vulnerable to an unsigned DLL
sideload attack.

"The malicious DLL spoofs a library required by the executable and is
placed in the same folder on the targeted server as the vulnerable .exe.
This attack technique, known as DLL search order hijacking (ATT&CK
T1574.001), is a well-worn technique recently observed in LockFile
ransomware attacks leveraging the ProxyShell vulnerability," researchers
explain in their post.
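The quoted description (an unsigned DLL carrying a system library's name, dropped beside a legitimately signed executable) maps directly onto a detection rule over image-load telemetry. The following is an added example written for this post, not code from the article or from Sophos: it uses field names modelled on Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus), the sample records are constructed, and the list of "system DLL names" is an illustrative stand-in for an organization's own baseline of libraries that should resolve from the Windows system directory.

```python
"""Flag DLL search-order hijacking / sideloading candidates in ImageLoad telemetry.

Added example, not from the article or Sophos. Records are constructed to
mimic Sysmon Event ID 7 (ImageLoad) fields; field names follow Sysmon's
schema, values are invented.
"""
import ntpath
from typing import Iterable

# Illustrative baseline (assumption, not from the article): DLL names that
# should normally resolve from the Windows system directory. An unsigned,
# application-local copy of one of these is the hijacking pattern.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wlbsctrl.dll", "cryptsp.dll"}

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _dirname(path: str) -> str:
    """Normalize a Windows path's directory for comparison (ntpath works on any OS)."""
    return ntpath.dirname(path).lower().rstrip("\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when a DLL load matches the sideloading pattern: the DLL is not
    validly signed, it was loaded from the executing image's own directory
    rather than a system directory, and its name is one expected to live in
    a system directory."""
    dll = event["ImageLoaded"]
    exe = event["Image"]
    signed = event.get("Signed", "false").lower() == "true"
    sig_ok = event.get("SignatureStatus", "").lower() == "valid"
    same_dir = _dirname(dll) == _dirname(exe)
    in_system_dir = _dirname(dll) in SYSTEM_DIRS
    name = ntpath.basename(dll).lower()
    return (
        same_dir
        and not in_system_dir
        and name in SYSTEM_DLL_NAMES
        and not (signed and sig_ok)
    )


def find_sideload_candidates(events: Iterable[dict]) -> list[str]:
    """Return the ImageLoaded paths of all events matching the pattern."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry: a benign system load, a signed
# application-local DLL, and an unsigned application-local copy of a
# system DLL name sitting next to the executable that loaded it.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\VendorApp\vendorapp.exe",
     "ImageLoaded": r"C:\Program Files\VendorApp\vendorlib.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\tool\signedtool.exe",
     "ImageLoaded": r"C:\Users\Public\tool\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path in find_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL sideload:", path)
```

Only the third record is flagged: the DLL sits beside the executable, is unsigned, and reuses a system library's name. Requiring all three conditions keeps signed vendor libraries that legitimately ship alongside their application out of the alert stream; in practice the name baseline would be built from the organization's own system-directory inventory rather than a fixed list.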

They note that while the ransomware itself is "virtually identical to
LockFile," the intrusion that made this attack possible employed many new
techniques that made it harder to investigate, such as sideloading of
malicious dynamic link libraries made to disrupt endpoint security tools.

This attack shows how dangerous publicly disclosed security flaws in
Internet-facing software can be when left unpatched. Along with this
ransomware attack, the Sophos team found the Confluence flaw had also been
exploited by a cryptominer, though from another attacker.

Read more details about the group and their attack here.