On August 25th, Atlassian released security updates for a Confluence remote code execution vulnerability that lets attackers run commands on unpatched servers and that is being exploited in the wild. Atlassian Confluence is a web-based corporate team workspace that lets employees collaborate on projects.
SophosLabs researchers discovered a new ransomware group while investigating a recent incident. The ransomware is almost identical to LockFile, which in turn is similar to the ransomware used by the LockBit group. The new group, Atom Silo, compromises Confluence servers and installs a backdoor, then drops a stealthier second-stage backdoor that is launched through DLL side-loading (a legitimate executable is tricked into loading a malicious DLL placed alongside it). SophosLabs researchers say that Atom Silo made significant efforts to evade detection before launching the ransomware, and that the attackers relied only on native Windows tools to move within the network before deploying it.
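The side-loading step in the chain above is where a defender has the best chance to catch the intrusion before the ransomware runs, and Sysmon's "Image loaded" events (Event ID 7) record every DLL a process maps. The script below is an added example, not SophosLabs code and not tied to any Atom Silo indicator: it applies two side-loading heuristics to JSON-formatted Sysmon records. The field names (Image, ImageLoaded, Signed, SignatureStatus) follow the Sysmon schema; the system DLL list, the writable-directory list and the sample records are constructed for illustration.

```python
"""DLL side-loading triage over Sysmon Event ID 7 ("Image loaded") records.

Added example; not SophosLabs code and it encodes no Atom Silo indicator.
Field names follow the Sysmon event schema; SAMPLE_EVENTS is constructed.
"""
import json
import ntpath

# DLL names Windows normally serves from a system directory. Illustrative
# subset (an assumption); derive the real list from a clean reference host.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                    "userenv.dll", "wininet.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Locations a low-privileged user or a web-app service account can usually
# write to, i.e. plausible staging directories for a dropped binary + DLL.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _norm(path):
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify(event):
    """Return a reason string if the load looks like side-loading, else None."""
    host = _norm(event.get("Image", ""))
    dll = _norm(event.get("ImageLoaded", ""))
    if not host or not dll:
        return None
    dll_name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll) + "\\"
    host_dir = ntpath.dirname(host) + "\\"
    signed = event.get("Signed", "false").lower() == "true"
    sig_valid = event.get("SignatureStatus", "").lower() == "valid"

    # 1. A DLL with a well-known system name resolved from outside the system
    #    directories: the loader's search order found a planted copy first.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        return f"system DLL name {dll_name} loaded from {dll_dir}"
    # 2. An unsigned (or badly signed) DLL sitting beside its host executable
    #    in a user-writable directory: the classic "legit EXE + evil DLL" pair.
    if (dll_dir == host_dir and host_dir.startswith(USER_WRITABLE)
            and not (signed and sig_valid)):
        return f"unsigned DLL {dll_name} loaded from host directory {host_dir}"
    return None


def scan(json_lines):
    """Return [(host image, loaded DLL, reason)] for every suspicious record."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event["Image"], event["ImageLoaded"], reason))
    return hits


# Constructed sample records: one benign system load, one planted version.dll,
# one unsigned DLL in a public staging directory, one unsigned vendor plugin
# in Program Files (not flagged, because that directory is not user-writable).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true", "SignatureStatus": "Valid"}
{"Image": "C:\\ProgramData\\Update\\updater.exe", "ImageLoaded": "C:\\ProgramData\\Update\\version.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Users\\Public\\svc.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\plugin.dll", "Signed": "false", "SignatureStatus": "Unavailable"}
""".strip().splitlines()


if __name__ == "__main__":
    for host, dll, reason in scan(SAMPLE_EVENTS):
        print(f"{host} -> {dll}: {reason}")
```

Both heuristics are deliberately narrow so the output is reviewable by hand; the second one will still fire on unsigned helper DLLs that legitimate software drops under a user profile, so treat hits as leads to correlate with the process tree and the Confluence web-server account rather than as verdicts.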