Threat Signal Report

Atom Silo ransomware actor leverages Confluence vulnerability

Description

FortiGuard Labs is aware of a report that the ransomware threat actor Atom Silo targeted vulnerable Confluence servers to deliver its ransomware. The vulnerability exploited by the Atom Silo group is the Confluence Server Webwork OGNL injection vulnerability (CVE-2021-26084), for which Atlassian issued a patch on August 25th, 2021. Because Confluence is a widely deployed web-based corporate team workspace and the flaw was already being exploited in the wild, CISA and U.S. Cyber Command (USCYBERCOM) released alerts on September 3rd and September 4th, 2021, respectively, urging users and administrators to apply the patch as soon as possible.


Why is this Significant?

This is significant because a critical, recently patched Confluence vulnerability is now being leveraged by a ransomware group. Earlier in-the-wild exploitation of the same vulnerability was reported to deliver cryptocurrency miners; its use for ransomware deployment raises the impact from stolen compute to encrypted and exfiltrated data.


What is Atom Silo Ransomware?

Atom Silo is a new ransomware that was discovered in September 2021. Files it encrypts are typically given an .atomsilo extension. According to Sophos, the Atom Silo ransomware itself does not steal files as part of a double-extortion scheme; however, in the observed intrusion the attacker exfiltrated data with the RClone utility before deploying the ransomware. The ransom note instructs the victim to contact the attacker via email or a .onion web site and demands that the ransom be paid in Bitcoin. The Atom Silo gang has typically offered a 50% discount on the ransom if the victim pays within 48 hours.


What is the Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)?

The vulnerability is an OGNL (Object-Graph Navigation Language) injection in the Webwork component of Confluence Server and Confluence Data Center. It allows an unauthenticated attacker to execute arbitrary code on a vulnerable Confluence Server or Data Center instance. Because the flaw is reachable without credentials, any unpatched instance exposed to untrusted networks should be treated as compromised until proven otherwise, not merely as at risk. Confluence Cloud is not affected.


FortiGuard Labs previously released a Threat Signal on this vulnerability. See the Appendix for a link to "Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)".


Has the Vendor Released a Patch for CVE-2021-26084?

Yes, Atlassian released a patch on August 25th, 2021. Administrators should confirm that every Confluence Server and Data Center instance, including test and staging copies, is running a fixed release rather than assuming the upgrade reached all hosts.
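The following Python script is an added example, not part of this Threat Signal or of any Atlassian tooling. It checks a reported Confluence version against the fixed releases named in Atlassian's 2021-08-25 advisory (6.13.23, 7.4.11, 7.11.6, 7.12.5, 7.13.0, with every other branch fixed only from 7.13.0 onward), and it assumes that a Confluence page's HTML head exposes the version in an ajs-version-number meta tag, which is how an operator can read the version from an inventory scan without logging in. The sample HTML at the bottom is constructed for the example.

```python
"""Check a Confluence Server / Data Center version against the CVE-2021-26084 fix.

Added example; fixed-version list taken from Atlassian's 2021-08-25 advisory.
"""
import re

# Earliest fixed release in each maintained branch. Branches not listed here
# (4.x, 5.x, 6.0-6.12, 6.14-7.3, 7.5-7.10) received no fix and must move to 7.13.0+.
FIXED_VERSIONS = ((6, 13, 23), (7, 4, 11), (7, 11, 6), (7, 12, 5), (7, 13, 0))

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Assumption: Confluence emits its version in this meta tag in the page <head>.
META_RE = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"')


def parse_version(text):
    """Turn '7.4.11' (or '7.4.11-rc1', '7.4') into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def is_fixed(version):
    """True if the given version already contains the CVE-2021-26084 fix."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    for fixed in FIXED_VERSIONS:
        if v[:2] == fixed[:2]:        # same maintenance branch, e.g. 7.4.x
            return v >= fixed
    return v >= (7, 13, 0)            # any other branch: only 7.13.0 and later are fixed


def version_from_html(html):
    """Extract the version string from a fetched Confluence page, or None if absent."""
    m = META_RE.search(html)
    return m.group(1) if m else None


def assess_host(html):
    """Classify a host from its page HTML: 'fixed', 'vulnerable' or 'unknown'."""
    version = version_from_html(html)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(version) else "vulnerable"


# Constructed sample of the relevant part of a Confluence page head.
SAMPLE_HTML = '<head><meta name="ajs-version-number" content="7.4.9"></head>'

if __name__ == "__main__":
    for v in ("6.13.22", "6.13.23", "7.4.9", "7.4.11", "7.12.4", "7.13.0", "7.14.2", "5.10.8"):
        print(f"{v:>8}: {'fixed' if is_fixed(v) else 'VULNERABLE'}")
    print("sample host:", assess_host(SAMPLE_HTML))
```

The branch-aware comparison matters: a naive "version >= 7.13.0" check would wrongly flag a patched 7.4.11 host, while a naive "greater than the lowest fixed version" check would wrongly clear a 7.12.4 host.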


What is the Status of Coverage?

FortiGuard Labs provides the following AV coverage against the attack:


W64/Agent.AUP!tr

Riskware/KernelDrUtil

Riskware/Application

W32/Filecoder_LockFile.LIM!tr.ransom

Riskware/UtilityRCloneMitigation


FortiGuard Labs provides the following IPS coverage for CVE-2021-26084:

Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution


All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.
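Product signatures cover traffic that passes through a sensor; an operator also wants to know whether exploitation was attempted before the patch landed. The following Python script is an added example, not FortiGuard or Atlassian code, that hunts through Confluence (Tomcat) access logs for requests whose query strings carry OGNL-injection markers such as the \u0027 escape used to break out of the injected expression. The two request paths it treats as watched endpoints come from public analyses of CVE-2021-26084 exploitation rather than from this Threat Signal, and the log lines are constructed in combined log format for the example. A watched endpoint alone is not a hit, because legitimate page-creation traffic uses it; the markers in the query string are what trigger a hit.

```python
"""Hunt for CVE-2021-26084 exploitation attempts in Confluence access logs.

Added example. Endpoints and markers are from public exploitation analyses,
not from the Threat Signal above; sample log lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Assumption: paths most often seen in public reports of exploitation.
WATCHED_PATHS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
)

# Substrings characteristic of OGNL injection payloads and rare in normal query strings.
OGNL_MARKERS = ("\\u0027", "Class.forName", "getClass(", "#_memberAccess", "@java.lang")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def ognl_markers_in(target):
    """Return the OGNL markers found in the request's query string (decoded twice,
    because payloads are often double URL-encoded)."""
    query = unquote(unquote(urlsplit(target).query))
    return [m for m in OGNL_MARKERS if m in query]


def on_watched_endpoint(target):
    """True if the path ends with a watched endpoint (tolerates a context path like /confluence)."""
    path = unquote(urlsplit(target).path)
    return any(path.endswith(p) for p in WATCHED_PATHS)


def scan_log(lines):
    """Return one record per request that carries OGNL markers in its query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        markers = ognl_markers_in(m["target"])
        if not markers:
            continue
        hits.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "target": m["target"],
            "markers": markers,
            "on_watched_endpoint": on_watched_endpoint(m["target"]),
        })
    return hits


# Constructed sample. Line 2 is legitimate use of the page-creation endpoint; line 3 carries
# a payload shell with a harmless inner expression; line 4 is a POST whose body is not logged
# (a blind spot of this approach); line 5 is double-encoded under a /confluence context path.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2021:12:00:01 +0000] "GET /pages/viewpage.action?pageId=1234 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - jdoe [10/Sep/2021:12:00:03 +0000] "GET /pages/createpage-entervariables.action?spaceKey=ENG HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Sep/2021:12:00:07 +0000] "GET /pages/createpage-entervariables.action?queryString=%5Cu0027%2B%7B1%2B1%7D%2B%5Cu0027 HTTP/1.1" 200 7740 "-" "python-requests/2.26.0"
198.51.100.23 - - [10/Sep/2021:12:00:09 +0000] "POST /pages/doenterpagevariables.action HTTP/1.1" 200 7740 "-" "python-requests/2.26.0"
203.0.113.77 - - [10/Sep/2021:12:01:15 +0000] "GET /confluence/pages/doenterpagevariables.action?queryString=%255Cu0027%252Bx HTTP/1.1" 302 0 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['target']} "
              f"status={hit['status']} markers={hit['markers']} watched={hit['on_watched_endpoint']}")
```

The POST on line 4 of the sample is deliberately missed: access logs do not record request bodies, so a log-only hunt should be paired with the IPS coverage above or with host-side indicators (unexpected child processes of the Confluence Java process, the dropped files named in the AV coverage) rather than used as the sole source of truth.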


Other Mitigations for CVE-2021-26084?

Atlassian's advisory provides mitigation methods, including a temporary workaround for instances that cannot be upgraded immediately; the workaround is a stopgap, not a substitute for applying the fixed release. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".


Definitions

Traffic Light Protocol

Each color is listed with its description, when it should be used, and how it may be shared.

TLP: RED
Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER
Limited disclosure, restricted to participants' organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN
Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE
Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.