Threat Watch

Ransomware Group “Atom Silo” Targeting Recently Patched Atlassian Confluence Server Vulnerability

On August 25th, Atlassian released security updates to patch a Confluence remote code execution vulnerability that lets attackers run commands remotely on unpatched servers and that is currently being exploited in the wild. Atlassian Confluence is a web-based corporate team workspace that allows employees to collaborate on projects.

SophosLabs researchers discovered a new ransomware group while investigating a recent incident. The ransomware is almost identical to LockFile, which in turn resembles the ransomware used by the LockBit group. The new group, Atom Silo, compromises Confluence servers and installs a backdoor, then drops a stealthier second-stage backdoor that is launched through DLL side-loading on the breached system. SophosLabs researchers say that Atom Silo made significant efforts to evade detection before launching the ransomware, and that the attackers used only native Windows tools to move within the network before deploying it.

ANALYST NOTES

U.S. Cyber Command issued a rare alert urging U.S. organizations to patch the vulnerability immediately, stressing the urgency by noting that “this cannot wait until after the weekend.” Earlier attackers exploiting this vulnerability were only deploying cryptocurrency miners; with ransomware now in play, the consequences of leaving it unpatched are clearer than ever.

https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/

https://www.bleepingcomputer.com/news/security/new-atom-silo-ransomware-targets-vulnerable-confluence-servers/