Detecting Atom Silo Ransomware Infections

October 13, 2021 · 4 min read

Ransomware actors try to stay at the forefront of malicious trends in their pursuit of bigger profits. Recently, security researchers spotted a new threat actor leveraging a critical vulnerability in Atlassian Confluence (CVE-2021-26084) to carry out ransomware infections. Dubbed Atom Silo, the gang relies on CVE-2021-26084 alongside several novel evasion techniques to fly under the radar and succeed with its extortion attacks.

Atom Silo Ransomware 

According to the in-depth inquiry by Sophos Labs, Atom Silo has a lot in common with prolific ransomware strains such as LockFile and LockBit. Similar to LockFile, which leveraged the PetitPotam and ProxyShell flaws in Microsoft products earlier this year, Atom Silo relied on a critical vulnerability in Atlassian Confluence Server and Data Center (CVE-2021-26084) for infection.

The ransomware took advantage of CVE-2021-26084 and updated the kill chain only three weeks after the bug's discovery, increasing its chances of successful intrusions. Adding to the attack's notoriety, Atom Silo maintainers also adopted several innovative techniques to evade detection.

Upon the initial intrusion, ransomware actors leveraged the Confluence Server bug (CVE-2021-26084) to create a backdoor. This initial backdoor was then used to drop and launch a stealthier second-stage backdoor via DLL side-loading. The second backdoor let the attackers execute Windows shell commands remotely through Windows Management Instrumentation (WMI) and move laterally across the infected network.

The approach described above is not the only trick the Atom Silo group applies in its attempt to evade detection. The hacker collective also equipped the ransomware payload with a malicious kernel driver able to disrupt endpoint protections.
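The chain described above (a backdoor created through the Confluence server, then shell commands run over WMI) leaves a recognisable parent/child process pattern. The following added example, which is not one of the Sigma rules referenced in this article, flags that pattern in Sysmon-style process-creation events; the host names, install path, service binary names and sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

SHELLS = {"cmd.exe", "powershell.exe"}
JVM_HOSTS = {"tomcat9.exe", "java.exe"}  # assumed binaries running the Confluence JVM
WMI_PROVIDER = "wmiprvse.exe"            # WMI provider host process

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Computer": "wiki01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Atlassian\Confluence\bin\tomcat9.exe"},
    {"Computer": "fs02", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Unrelated JVM starting a shell: ignored, path is not a Confluence install.
    {"Computer": "build03", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Java\jdk-11\bin\java.exe"},
    # Interactive admin shell: ignored, parent is neither the JVM nor WMI.
    {"Computer": "ws04", "Image": r"C:\Windows\System32\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    parent_path = event["ParentImage"].lower()
    parent = basename(parent_path)
    child = basename(event["Image"]).lower()
    if child not in SHELLS:
        return None
    if parent in JVM_HOSTS and "confluence" in parent_path:
        return "confluence-shell"  # web application process spawned a shell
    if parent == WMI_PROVIDER:
        return "wmi-shell"         # shell command started through WMI
    return None

def hunt(events):
    """List (host, label) pairs for every event that matches a heuristic."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((event["Computer"], label))
    return findings

def lateral_candidates(findings):
    """Hosts with WMI-spawned shells other than the Confluence host itself."""
    entry = {host for host, label in findings if label == "confluence-shell"}
    return sorted({host for host, label in findings if label == "wmi-shell"} - entry)

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    print(results, lateral_candidates(results))
```

Management tooling can also start shells through the WMI provider host, so treat `wmi-shell` hits as hunting leads to correlate with the Confluence finding rather than as standalone alerts.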

Confluence Vulnerability (CVE-2021-26084) Under Attack

On August 25, 2021, Atlassian pushed an urgent security advisory to fix a critical remote code execution (RCE) vulnerability affecting its Confluence Server and Data Center. As an OGNL injection issue, the flaw allows authenticated actors (and in some cases unauthenticated ones) to execute arbitrary code on exposed instances.

A week after the advisory was issued, security researchers published a PHP proof-of-concept (PoC) exploit for this bug accompanied by a detailed technical analysis. The PoC triggered an avalanche of scans for exposed Confluence Server and Data Center instances, with multiple adversaries using CVE-2021-26084 to install crypto miners. Also, several weeks after the bug discovery, the Atom Silo gang weaponized the vulnerability to attack its victims.

U.S. Cyber Command (USCYBERCOM) urgently issued an alert to prompt U.S. companies to address the critical Atlassian Confluence vulnerability under massive exploitation. CISA also stressed the importance of patching the exposed instances ASAP.

Atom Silo Detection

To detect Atom Silo infections relying on the Atlassian Confluence RCE bug, you can download a set of free Sigma rules released by our keen Threat Bounty developer Sittikorn Sangrattanapitak. Additionally, you can check our industry guidelines to learn more about the best practices to defend against the ransomware strain.

Atom Silo Ransomware Uses Confluence OGNL Vulnerability CVE-2021-26084 (via proxy)

The rule has translations for the following SIEM and security analytics platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix.

The rule is mapped to the MITRE ATT&CK methodology, addressing the Impact, Persistence, Privilege Escalation, and Defense Evasion tactics. In particular, the detection addresses the Data Encrypted for Impact (T1486) and Exploit Public-Facing Application (T1190) techniques as well as the DLL Side-Loading sub-technique (T1574.002) of the Hijack Execution Flow (T1574) technique.

Atom Silo Ransomware Uses Confluence RCE and DLL Side-Loading (via file_event)

The rule has translations for the following SIEM and security analytics platforms: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, SentinelOne, Qualys.

The rule is mapped to the MITRE ATT&CK methodology, addressing the Impact, Persistence, Privilege Escalation, and Defense Evasion tactics. In particular, the detection addresses the Data Encrypted for Impact (T1486) technique as well as the DLL Side-Loading sub-technique (T1574.002) of the Hijack Execution Flow (T1574) technique.

To detect and mitigate the malicious activity associated with the CVE-2021-26084 vulnerability in Atlassian Confluence Server and Data Center, check the list of detections already available in the SOC Prime platform.

Register on the SOC Prime platform to make threat detection easier, faster, and simpler. Instantly hunt for the latest threats within 20+ supported SIEM & XDR technologies, automate threat investigation, and get feedback and vetting from a community of 20,000+ security professionals to boost your security operations. Eager to craft your own detection content? Join our Threat Bounty program, share your Sigma and Yara rules in the Threat Detection Marketplace repository, and get recurrent rewards for your individual contribution!
