New Atom Silo Ransomware Group Targets Confluence Servers

An attack that took place over two days used a recently disclosed vulnerability in Atlassians Confluence collaboration software.

Security researchers are tracking a new ransomware group called Atom Silo, which uses a newly disclosed vulnerability in Atlassians Confluence collaboration software (
CVE-2021-26084
) as well as new tactics that make it tough to investigate.
Sophos MTR Rapid Response team recently investigated an Atom Silo attack and today shared its findings to reveal more about the groups tools and techniques. The intrusion it investigated began Sept. 13, 2021, 11 days before the ransomware attack. Attackers — either the Atom Silo group itself, an affiliate, or initial access broker — breached a Confluence server using an Object-Graph Navigation Language injection attack.
This attack on the server gave the attackers a backdoor they were then able to use to drop and execute files for another, stealthy backdoor, researchers write in a blog post. The payload for the second backdoor contained three files, one of which was a legitimate signed executable from a third-party software provider that was vulnerable to an unsigned DLL sideload attack.
The malicious DLL spoofs a library required by the executable and is placed in the same folder on the targeted server as the vulnerable .exe. This attack technique, known as DLL search order hijacking (
ATT&CK T1574.001
), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability, researchers explain in their post.
They note that while the ransomware itself is virtually identical to LockFile, the intrusion that made this attack possible employed many new techniques that made it harder to investigate, such as sideloading of malicious dynamic link libraries made to disrupt endpoint security tools.
This attack shows how dangerous publicly disclosed security flaws in Internet-facing software can be when left unpatched. Along with this ransomware attack, the Sophos team found the Confluence flaw had also been exploited by a cryptominer, through from another attacker.
Read more details about the group and their attack
here
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
New Atom Silo Ransomware Group Targets Confluence Servers