Ransomware gangs have taken their attacks to a dangerous new level in recent months -- targeting vulnerabilities in ubiquitous software used by business, government agencies and critical infrastructure.
- The SolarWinds attack, discovered at the end of 2020.
- A ransomware attack that crippled the Colonial Pipeline for nearly a week, sending millions along the U.S. East Coast scrambling for gas.
- The attack against JBS -- a meat-packing company that supplies more than one-fifth of all beef in the United States. The company was forced to halt operations after its plants were pushed offline.
- A July attack that paralyzed the networks of at least 200 U.S. companies when the REvil ransomware syndicate attacked software supplier Kaseya.
The lesson throughout: One piece of software can bring down your business — even if it wasn’t the direct target.
Enter Atom Silo
The latest example of ransomware targeting vulnerabilities in ubiquitous software can be found in attacks launched by a group called Atom Silo. Sophos’ MTR Rapid Response team recently investigated these attacks and found that the group uses some of the same tactics as those in the incidents described above.
The sophisticated attack, which took place over two days, was enabled by earlier initial access that leveraged a recently disclosed vulnerability in Atlassian's Confluence collaboration software. The initial point of compromise was a vulnerability that had been public for only about three weeks at the time.
Sophos says ransomware operators and other malware developers are becoming increasingly adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly revealed vulnerabilities and weaponizing them rapidly for profit, as demonstrated by the evidence that two separate threat actors found and exploited the vulnerable Confluence server involved in this latest incident.
To reduce the threat, Sophos recommends that organizations:
- Ensure they have robust ransomware and malware protection in place.
- Remain vigilant about emerging vulnerabilities in the Internet-facing software products they operate on their networks.
- Shift some products to vendor-hosted software-as-a-service, which can mitigate some of these risks, as vendors typically patch vulnerabilities in their own deployments faster than on-premises customers can deploy the same patches.
- Fully deploy malware protection on servers and endpoint devices.
- Monitor products to catch attacks that trigger detections or alerts before an attacker with administrative access can defeat protections.
- Have effective data backup practices and business continuity plans, regardless of organization size, to ensure that they can survive attacks.