Security researchers are tracking a new ransomware group called Atom Silo, which uses a newly disclosed vulnerability in Atlassian’s Confluence collaboration software (CVE-2021-26084) as well as new tactics that make it tough to investigate.
Sophos’ MTR Rapid Response team recently investigated an Atom Silo attack and today shared its findings to reveal more about the group’s tools and techniques. The intrusion it investigated began Sept. 13, 2021, 11 days before the ransomware attack. Attackers — either the Atom Silo group itself, an affiliate, or initial access broker — breached a Confluence server using an Object-Graph Navigation Language injection attack.
This attack on the server gave the attackers a backdoor they were then able to use to drop and execute files for another, stealthy backdoor, researchers write in a blog post. The payload for the second backdoor contained three files, one of which was a legitimate signed executable from a third-party software provider that was vulnerable to an unsigned DLL sideload attack.
“The malicious DLL spoofs a library required by the executable and is placed in the same folder on the targeted server as the vulnerable .exe. This attack technique, known as DLL search order hijacking (ATT&CK T1574.001), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability,” researchers explain in their post.
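As an added illustration, not code from Sophos or from the original report, the following defender-side check flags the sideload pattern described above: a signed executable loading an unsigned DLL from its own, non-system folder. The record layout and the sample events are constructed assumptions modelled loosely on image-load telemetry, and the paths in them are placeholders, not indicators.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Directories from which Windows normally resolves shared system libraries.
# A DLL loaded from one of these is not a sideload candidate under this heuristic.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    """One constructed image-load record (process -> DLL) with signature status."""
    process_image: str     # full path of the executable that loaded the DLL
    process_signed: bool   # executable carries a valid Authenticode signature
    loaded_image: str      # full path of the DLL that was mapped
    dll_signed: bool       # DLL carries a valid Authenticode signature


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed exe loads an unsigned DLL from its own, non-system folder."""
    proc_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.loaded_image).lower()
    return (
        ev.process_signed
        and not ev.dll_signed
        and proc_dir == dll_dir
        and proc_dir not in SYSTEM_DIRS
    )


def find_sideloads(events: List[ImageLoad]) -> List[ImageLoad]:
    """Return only the events matching the sideload heuristic, in input order."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry (placeholder paths; not real indicators).
SAMPLE_EVENTS = [
    # Benign: signed exe loads a signed system DLL from System32.
    ImageLoad(r"C:\Tools\vendor\viewer.exe", True, r"C:\Windows\System32\kernel32.dll", True),
    # Suspicious: signed exe loads an unsigned DLL sitting beside it in its own folder.
    ImageLoad(r"C:\Tools\vendor\viewer.exe", True, r"C:\Tools\vendor\vendorlib.dll", False),
    # Benign: unsigned developer build loading its own unsigned helper (exe not signed).
    ImageLoad(r"C:\Dev\build\app.exe", False, r"C:\Dev\build\helper.dll", False),
    # Benign: signed exe loading a signed plugin from its own folder.
    ImageLoad(r"C:\Tools\vendor\viewer.exe", True, r"C:\Tools\vendor\plugin.dll", True),
]

if __name__ == "__main__":
    for ev in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL sideload: {ev.process_image} loaded unsigned {ev.loaded_image}")
```

The heuristic is intentionally narrow; in practice it is one signal to combine with others, such as a DLL name that normally resolves from a system directory appearing in an application folder.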
They note that while the ransomware itself is “virtually identical to LockFile,” the intrusion that made this attack possible employed many new techniques that made it harder to investigate, such as sideloading of malicious dynamic link libraries made to disrupt endpoint security tools.
This attack shows how dangerous publicly disclosed security flaws in Internet-facing software can be when left unpatched. Along with this ransomware attack, the Sophos team found the Confluence flaw had also been exploited by a cryptominer, though from another attacker.
Read more details about the group and their attack here.