Atom Silo ransomware actor leverages Confluence vulnerability
FortiGuard Labs is aware of a report that the ransomware threat actor Atom Silo targeted vulnerable Confluence servers to deliver its ransomware. The vulnerability exploited by the Atom Silo group is the Confluence Server Webwork OGNL injection vulnerability (CVE-2021-26084), for which Atlassian issued a patch on August 25th, 2021. Because Confluence is a widely deployed web-based corporate team workspace and the vulnerability was being exploited in the wild, CISA and U.S. Cyber Command (USCYBERCOM) released alerts on September 3rd and September 4th, 2021 respectively, urging users and administrators to apply the patch as soon as possible.
Why is this Significant?
This is significant as a critical and recently patched Confluence vulnerability was leveraged by a ransomware group. The vulnerability was previously reported to have been exploited to deliver crypto miners.
What is Atom Silo Ransomware?
Atom Silo is a new ransomware family that was discovered in September 2021. Files it encrypts typically receive an .atomsilo file extension. According to Sophos, the Atom Silo ransomware itself does not steal files as part of a double-extortion tactic; however, the attacker did exfiltrate data with the RClone utility before deploying the ransomware. The ransom note instructs the victim to contact the attacker via email or an .onion web site and demands that the ransom be paid in Bitcoin. The Atom Silo gang has typically offered a 50% discount on the ransom if the victim pays within 48 hours.
What is the Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)?
The vulnerability affects the Confluence Server and Confluence Data Center products. It is an OGNL (Object-Graph Navigation Language) injection flaw in the Webwork action layer that allows an authenticated user and, in some instances, an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance.
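The following script is an added example, not part of the original FortiGuard advisory or of any Atlassian or Fortinet tooling. It shows how a responder without IPS telemetry can hunt web-server access logs for the generic markers of an OGNL injection attempt: the expression openers `${` and `%{` and Java-style `\uXXXX` escapes, including their single- and double-percent-encoded forms. The log lines, endpoints and parameter names below are constructed for illustration and are not taken from a real incident or from the exploit used against CVE-2021-26084; the rule is deliberately generic and should be treated as a hunting lead, not a signature.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). Lines 3-5 carry
# OGNL-style content; lines 1-2 are ordinary Confluence traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Sep/2021:10:01:12 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 4512
10.0.0.9 - - [02/Sep/2021:10:02:40 +0000] "POST /pages/createpage.action?spaceKey=TEAM&title=Hello%20World HTTP/1.1" 302 0
198.51.100.7 - - [02/Sep/2021:10:03:01 +0000] "POST /pages/example.action?title=%24%7B%23x%3D1%7D HTTP/1.1" 200 0
198.51.100.7 - - [02/Sep/2021:10:03:05 +0000] "POST /pages/example.action?title=%2524%257B%2523x%253D1%257D HTTP/1.1" 200 0
198.51.100.8 - - [02/Sep/2021:10:04:19 +0000] "GET /pages/example.action?q=%5Cu0027%2Babc HTTP/1.1" 200 0
"""

# Generic OGNL indicators. Legitimate Confluence requests almost never carry
# an expression opener or a Java unicode escape in the query string.
OGNL_MARKERS = [
    (re.compile(r"\$\{"), "OGNL expression opener '${'"),
    (re.compile(r"%\{"), "OGNL expression opener '%{'"),
    (re.compile(r"\\u[0-9a-fA-F]{4}"), "Java unicode escape (\\uXXXX) in request"),
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised.
    Stops early once a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_log_lines(lines):
    """Return (line_number, reason, raw_target) for every request whose
    decoded target matches an OGNL marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a recognisable request line
        raw_target = match.group("target")
        target = fully_decode(raw_target)
        for pattern, reason in OGNL_MARKERS:
            if pattern.search(target):
                hits.append((number, reason, raw_target))
                break  # one reason per line is enough for triage
    return hits


def scan_sample():
    return scan_log_lines(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for number, reason, target in scan_sample():
        print(f"line {number}: {reason}: {target}")
```

In a real hunt, feed the script the reverse-proxy or Tomcat access logs covering the window before the patch was applied and review every hit by hand; a flagged request against a Confluence `.action` endpoint from an external address is the kind of lead that justifies pulling the host for forensic review.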
FortiGuard Labs released Threat Signal on the vulnerability. See the Appendix for a link to "Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084)".
Has the Vendor Released a Patch for CVE-2021-26084?
Yes, Atlassian released a patch on August 25th, 2021.
What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against the attack:
W64/Agent.AUP!tr
Riskware/KernelDrUtil
Riskware/Application
W32/Filecoder_LockFile.LIM!tr.ransom
Riskware/UtilityRCloneMitigation
FortiGuard Labs provides the following IPS coverage for CVE-2021-26084:
Atlassian.Confluence.CVE-2021-26084.Remote.Code.Execution
All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.
Other Mitigation for CVE-2021-26084?
Atlassian has provided mitigation options in its advisory for customers who cannot upgrade immediately. See the Appendix for a link to "Confluence Security Advisory - 2021-08-25".
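The following script is an added example and not part of the FortiGuard advisory or of Atlassian's tooling. It encodes the fixed releases named in the linked Atlassian advisory for CVE-2021-26084 (6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0) and reports, for a given Confluence Server or Data Center version string, whether the instance is still exposed and which release is the nearest upgrade target. The version string is the one shown in the Confluence administration console's System Information page and in the page footer; Confluence Cloud is not affected and is outside the script's scope. Version strings used in the usage section are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases from Atlassian's 2021-08-25 advisory, keyed by feature branch.
FIXED_BY_BRANCH = {
    (6, 13): (6, 13, 23),
    (7, 4): (7, 4, 11),
    (7, 11): (7, 11, 6),
    (7, 12): (7, 12, 5),
}
# 7.13.0 and every later feature release ship without the flaw.
FIRST_CLEAN_FEATURE_RELEASE: Version = (7, 13, 0)


@dataclass(frozen=True)
class Assessment:
    version: Version
    vulnerable: bool
    upgrade_to: Optional[Version]  # None when no upgrade is required


def parse_version(text: str) -> Version:
    """Turn strings like '7.12.4' or '7.13.0-beta1' into a comparable tuple.
    Only the leading digits of each of the first three components are used."""
    numbers = []
    for part in text.strip().split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        numbers.append(int(digits) if digits else 0)
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2])


def assess(version_text: str) -> Assessment:
    v = parse_version(version_text)

    # Any release from 7.13.0 onward already contains the fix.
    if v >= FIRST_CLEAN_FEATURE_RELEASE:
        return Assessment(v, False, None)

    # Branch with a dedicated fix release: compare against it.
    branch_fix = FIXED_BY_BRANCH.get((v[0], v[1]))
    if branch_fix is not None:
        if v >= branch_fix:
            return Assessment(v, False, None)
        return Assessment(v, True, branch_fix)

    # Branch without a fix release (for example 7.5.x through 7.10.x):
    # every version is affected, so recommend the lowest fixed release above it.
    candidates = sorted(list(FIXED_BY_BRANCH.values()) + [FIRST_CLEAN_FEATURE_RELEASE])
    upgrade = next(c for c in candidates if c > v)
    return Assessment(v, True, upgrade)


def format_version(v: Version) -> str:
    return ".".join(str(n) for n in v)


if __name__ == "__main__":
    # Constructed sample inventory of version strings to illustrate the output.
    for sample in ["6.13.22", "7.4.11", "7.5.2", "7.12.4", "7.13.0"]:
        result = assess(sample)
        status = "VULNERABLE" if result.vulnerable else "patched"
        target = f" -> upgrade to {format_version(result.upgrade_to)}" if result.upgrade_to else ""
        print(f"{sample}: {status}{target}")
```

Running the check across an inventory export is a quick way to confirm that every Confluence instance, including forgotten test or staging servers, has actually received a fixed release rather than only the temporary mitigation. Remember that a patched version does not undo a compromise that happened earlier; instances that were exposed before patching still need the log review and forensic triage described in the coverage section.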
Additional Resources
Atom Silo ransomware actors use Confluence exploit, DLL side-load for stealthy attack (Sophos)
Confluence Security Advisory - 2021-08-25 (Atlassian)
Confluence Server Webwork OGNL Injection Vulnerability (CVE-2021-26084) (Fortinet)
CVE-2021-26084 (MITRE)
Atlassian Releases Security Updates for Confluence Server and Data Center (CISA)