New research from Sophos Labs details how a new threat actor group called Atom Silo was found to have attacked Atlassian Confluence team workspace servers through a recently disclosed vulnerability. The ransomware was identical to LockFile, but the key points made in the Sophos report were that the group was attacking a publicly disclosed vulnerability that had a patch issued and that when they got access, they used “several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.” Excerpt:
- While the ransomware itself is virtually identical to LockFile, the intrusion that made the ransomware attack possible, made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.
- The incident offers evidence of how dangerous publicly disclosed security vulnerabilities in Internet-facing software packages can be when left unpatched even for a relatively short period. Concurrent with the ransomware attack, Sophos responders found that the Confluence vulnerability had also been exploited by a crypto miner.
<p>This breach demonstrates just how easy it is to spin up a damaging attack using established malware and publicly available vulnerability information. Atom Silo simply picked up the ball from LockBit and tweaked the LockFile attack relying on slow patch behavior and sideloading. The battle between assault and protection relies on the ability of the security team to anticipate and neutralize these kinds of malicious evolution of attacks. Publicizing attacks and patches obviously benefits all, friend and foe alike.</p>
<p>When this info is in the public domain the race is on to defend opportunistic attacks. No matter what the latest attack is, investing in a security team is the best defense possible. We have the tools to find them. We need to make sure we\’re developing a strong pipeline of talent and ensure we get them into the fight against Atom Silo and the next generation of attackers to arrive on the scene.</p>
<p>What are your systems telling to the Internet? Are they broadcasting the OS and apps you’re using? How about announcements for new hires with specific skills (“Confluence server specialist” in this case)? Adversaries know there is a limited window to hit organizations that patch disclosed vulnerabilities quickly, so you can bet they are doing their homework up front to gain whatever advantage they can in whatever time they have. “Self-reconnaissance” and risk assessments can help find these exploitable gaps and close them.</p>
<p>If you think you are safe once a vulnerability has been publicly reported, think again. Even if there is a patch available, many enterprises seem to take their time in both applying the patches and testing them in their computing environments. Organizations need to apply critical security patches immediately and move them into production right after testing.</p>
<p>The announcement of the Atom Silo ransomware, which exploits a vulnerability in Confluence, is a case in point. While Confluence isn’t necessarily mission-critical in many enterprises, they may be willing to pay well to have their data unencrypted. This speaks to how organizations aren’t moving fast enough on application and network vulnerabilities, and how it can cost them.</p>
<p>The key point in this attack is that there is no novelty in the actions of the attacker once the site has been compromised. Attackers have a set pattern of activities once a zero day or known vulnerability is discovered. They want to lateral move across the enterprise to discover value data and resources and they want to escalate their privileges inside the enterprise to enable a greater surface coverage of the compromised site. Identities must be reviewed to minimize the exposure from these attacks and watched to insure that any escalation of privileges are approved and legitimate.</p>