[MART] - Daily Diary #361 - Atomsilo Ransomware Attacking Atlassian's Confluence Servers

CTAS-MAT ctas-mat at appgate.com
Mon Oct 4 23:07:34 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/04/2021 - Diary entry #361:


Discovered in the last few months, Atomsilo is a ransomware family that operates on the double-extortion model: it steals data before encrypting it and threatens to publish that data if the ransom is not paid. The ransomware was found exploiting a recently disclosed vulnerability in Atlassian Confluence Server and Data Center, CVE-2021-26084, an OGNL injection that affects a large number of Confluence releases; the fixed versions are 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0, so anything older on the same branch is exposed. Successful exploitation, by sending a single crafted HTTP request, lets an attacker execute arbitrary code on the server. Atomsilo uses that access to drop a backdoor, which in turn retrieves and runs the next-stage payload.
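Two quick checks a defender can run for this CVE, as an added example for this diary entry (it is not Appgate's, Atlassian's or the attackers' code): a version test against the fixed releases in Atlassian's advisory, and a scan of web-server access-log lines for the request shape used by the public proof-of-concept exploits. The endpoint names and OGNL markers are taken from those public PoCs and are an assumption about what exploitation looks like on the wire; the log lines are constructed for the example.

```python
"""Version and access-log checks for CVE-2021-26084 on Atlassian Confluence.

Added example for this diary entry; not Appgate's or Atlassian's code.
"""
import re
from urllib.parse import unquote

# Fixed releases from Atlassian's CVE-2021-26084 advisory. A build on one of
# these major.minor branches is patched once it reaches the listed version;
# every release from 7.13.0 onward shipped with the fix.
FIXED_RELEASES = [(6, 13, 23), (7, 4, 11), (7, 11, 6), (7, 12, 5)]
FIRST_CLEAN_RELEASE = (7, 13, 0)

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'7.12.4' or '7.12' -> (7, 12, 4) / (7, 12, 0); ValueError otherwise."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Confluence version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    """True if the release falls inside the CVE-2021-26084 affected range."""
    v = parse_version(version_text)
    if v >= FIRST_CLEAN_RELEASE:
        return False
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2] and v >= fixed:
            return False
    return True


# Request shape used by the public proof-of-concept exploits (assumption taken
# from those PoCs, not from the diary): one of the two page-variable actions,
# with an OGNL expression smuggled into the `queryString` parameter. The
# escaped single quote "\u0027" is what the payload uses to break out of the
# string it lands in; Class.forName / ScriptEngineManager are the usual
# follow-on calls that turn the injection into code execution.
EXPLOIT_ENDPOINTS = ("/pages/createpage-entervariables.action",
                     "/pages/doenterpagevariables.action")
OGNL_MARKERS = ("\\u0027", "Class.forName", "ScriptEngineManager")

# Combined-log-format request line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_requests(log_lines):
    """Return (method, path, marker) for every access-log line whose request
    line targets an exploit endpoint and carries an OGNL marker after URL
    decoding. Only the request line is visible in an access log, so a POST
    with the payload in its body can only be caught in a proxy or WAF log."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = unquote(m.group("target")).partition("?")
        if not path.endswith(EXPLOIT_ENDPOINTS):
            continue
        for marker in OGNL_MARKERS:
            if marker in query:
                hits.append((m.group("method"), path, marker))
                break
    return hits


# Constructed sample lines in combined log format; not a real capture.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2021:10:21:03 +0000] "GET /pages/createpage-entervariables.action'
    '?SpaceKey=X&queryString=aaaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.'
    'ScriptEngineManager%5Cu0027%29%7D%2B%5Cu0027 HTTP/1.1" 200 5122',
    '198.51.100.4 - - [18/Sep/2021:10:21:09 +0000] "GET /pages/viewpage.action?pageId=12345 HTTP/1.1" 200 9876',
    '203.0.113.7 - - [18/Sep/2021:10:21:15 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for v in ("6.13.22", "6.13.23", "7.4.10", "7.12.4", "7.12.5", "7.13.0"):
        print(f"Confluence {v}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for hit in suspicious_requests(SAMPLE_LOG):
        print("exploit attempt:", hit)
```

The version check is the reliable half: it only encodes the advisory's ranges. The log check is a triage aid rather than a detection rule; it inspects the request line only, so the third sample line (a POST whose body is not logged) is not reported even though it hits an exploit endpoint, and an attacker who picks a different encoding or a different OGNL construct would not match these markers. Pair it with the WAF or reverse-proxy logs that do capture request bodies.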


Atomsilo's code closely resembles LockFile ransomware, covered in our Daily Diaries #338 and #331, but the execution chain is more sophisticated: it uses DLL side-loading and other techniques to stay stealthier during the attack. DLL side-loading abuses the library search order of a legitimate, usually signed, executable so that it loads a malicious DLL placed next to it, letting the payload run under a trusted process name rather than as a standalone binary.


Our team got access to Atomsilo's wall-of-shame, where it publishes data stolen from targets that refuse to pay the ransom. So far only one target has been published, and the blog's latest post is from September 18th, showing how recent this threat is. The blog also contains a short list of rules, stating that they do not attack hospitals, critical infrastructure facilities, the oil and gas industry, educational institutions or non-profit companies, and that if a targeted company falls into one of those categories they will provide the decryptor for free.


This is not the first time we have covered malware attacking unpatched Confluence servers. In our Daily Diary #79 we covered the MATA malware framework, from the Lazarus group, which contained scripts to exploit CVE-2019-3396, a server-side template injection in Confluence's Widget Connector. This incident is yet another example of why companies must secure their internal applications. Confluence is very widely deployed, so a working exploit for it is valuable to cybercriminals. Applications of this kind must be kept up to date, should not be reachable from the internet unless there is a real need, and should be isolated from other systems on the internal network so that a compromised wiki does not become a foothold for ransomware deployment.

Kind Regards,






Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
