New Atom Silo Ransomware Group Targets Confluence Servers

Published: 23/11/2024   Category: security

An attack that took place over two days used a recently disclosed vulnerability in Atlassian's Confluence collaboration software.



Security researchers are tracking a new ransomware group called Atom Silo, which uses a newly disclosed vulnerability in Atlassian's Confluence collaboration software (CVE-2021-26084) as well as new tactics that make it tough to investigate.
Sophos' MTR Rapid Response team recently investigated an Atom Silo attack and today shared its findings to reveal more about the group's tools and techniques. The intrusion it investigated began Sept. 13, 2021, 11 days before the ransomware attack. Attackers (either the Atom Silo group itself, an affiliate, or an initial access broker) breached a Confluence server using an Object-Graph Navigation Language (OGNL) injection attack.
This attack on the server gave the attackers a backdoor they were then able to use to drop and execute files for another, stealthy backdoor, researchers write in a blog post. The payload for the second backdoor contained three files, one of which was a legitimate signed executable from a third-party software provider that was vulnerable to an unsigned DLL sideload attack.
The malicious DLL spoofs a library required by the executable and is placed in the same folder on the targeted server as the vulnerable .exe. This attack technique, known as DLL search order hijacking (ATT&CK T1574.001), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability, researchers explain in their post.
They note that while the ransomware itself is virtually identical to LockFile, the intrusion that made this attack possible employed many new techniques that made it harder to investigate, such as sideloading of malicious dynamic link libraries made to disrupt endpoint security tools.
This attack shows how dangerous publicly disclosed security flaws in Internet-facing software can be when left unpatched. Along with this ransomware attack, the Sophos team found the Confluence flaw had also been exploited by a cryptominer, though from another attacker.
Read more details about the group and their attack here.
