A new ransomware actor, dubbed Atom Silo, is targeting users of Confluence servers, gaining access to vulnerable systems through a recently disclosed vulnerability.
Security researchers have identified a flaw in Confluence Server that allows attackers to perform OGNL injection and achieve arbitrary code execution. The issue was discovered by Sean Gallagher and Vikas Singh of Sophos.
The vulnerability in Confluence Server and Confluence Data Center has been actively exploited in the wild, and the affected products must be patched immediately. Meanwhile, US Cybercom said that attacks were ongoing and expected to accelerate.
According to Sophos, a couple of days ago Atom Silo launched an attack against a company's users. The vulnerability exploited in the attack, tracked as CVE-2021-09-25, allowed the attackers to gain unauthorized access to the victim's environment.
Atom Silo exploited the vulnerability to install a stealthy backdoor. The payload tried to stay undetected by installing a legitimate software package that is vulnerable to unsigned DLL sideloading. It then loaded a rogue DLL containing code similar to the Cobalt Strike beacon.
“The intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software,” the researchers say.
Eleven days after the initial intrusion, the attackers deployed the ransomware together with a malicious driver utility designed to disrupt endpoint protection.
The researchers note that the ransomware is identical to LockFile except that it uses a different extension for encrypted files (.ATOMSILO).
The gang’s ransomware note demanded $200,000.
“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof of concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them,” Sophos says. “To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.”