BACKGROUND:
New research from Sophos Labs details how a new threat actor group called Atom Silo was found to have attacked Atlassian Confluence team workspace servers through a recently disclosed vulnerability. The ransomware was identical to LockFile, but the key points made in the Sophos report were that the group was exploiting a publicly disclosed vulnerability for which a patch had already been issued, and that once they gained access, they used “several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.” Excerpt:
- While the ransomware itself is virtually identical to LockFile, the intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software.
- The incident offers evidence of how dangerous publicly disclosed security vulnerabilities in Internet-facing software packages can be when left unpatched even for a relatively short period. Concurrent with the ransomware attack, Sophos responders found that the Confluence vulnerability had also been exploited by a crypto miner.