Atlassian Confluence is a highly popular web-based team workspace meant to help employees collaborate.
Confluence is affected by CVE-2021-26084, a vulnerability that was being exploited in the wild.
If this vulnerability is successfully exploited, an unauthenticated attacker can remotely execute commands on unpatched systems.
Atom Silo Is Targeting Confluence Servers
SophosLabs researchers made the discovery while analyzing a recent incident. They also found that the ransomware employed by this new group closely resembles LockFile, which in turn is very similar to the LockBit malware.
Operators of the Atom Silo, on the other hand, employ “a number of innovative tactics that make it exceedingly difficult to examine, including the side-loading of malicious dynamic-link libraries designed to disrupt endpoint security software.”
After compromising Confluence servers and installing an initial backdoor, the threat actors use DLL side-loading to deploy a second, stealthier backdoor on the compromised machine.
The ransomware payloads delivered by Atom Silo also include a malicious kernel driver designed to evade detection and disable endpoint security solutions.
The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was