Researchers at global security firm Sophos detailed how a relatively new Windows ransomware group called Atom Silo carried out a two-day attack, initially using a flaw in Atlassian’s collaboration software Confluence.
Senior threat researcher Sean Gallagher and his colleague Vikas Singh said a second backdoor was used in the attack, although they did not name the software it abused, saying only that three files had been used, one being “a legitimate, signed executable from a third-party software vendor which is vulnerable to an unsigned DLL sideloading attack”.
The DLL spoofed a library needed by the application executable and was placed in the same folder on the targeted server as the vulnerable executable.
“This attack technique, known as DLL lookup order hijacking (ATT&CK T1574.001), is a well-used technique recently observed in LockFile ransomware attacks exploiting the ProxyShell vulnerability,” Gallagher and Singh wrote in their detailed blog post.
The DLL was used to decrypt and load the second backdoor from the third file, mfc.ini; the backdoor then connected to one of many hard-coded hostnames.
Once loaded, the backdoor allowed Windows shell commands to be executed remotely through Windows Management Instrumentation (WMI).
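A defender-side illustration of the sideloading pattern described above, written for this article rather than taken from the Sophos report: it scans Sysmon-style Event ID 7 (image load) records for an unsigned DLL that carries a Windows system library name yet was loaded from the executable's own folder. The event records, the list of impersonated library names and the field layout are constructed assumptions.

```python
# Added example, not code from the Sophos report: flag DLL search-order
# hijacking (ATT&CK T1574.001) in Sysmon-style Event ID 7 (image load) records.
# The records below are constructed; field names follow Sysmon's conventions,
# where "Signed" describes the loaded DLL, not the process executable.
import ntpath

# Library names a planted DLL is likely to impersonate: names that normally
# resolve from the Windows system directory, never from an application folder.
# Assumption: this list would be tuned per environment.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload_candidate(event: dict) -> bool:
    """True when an unsigned DLL carrying a system-library name was loaded
    from the loading executable's own folder (the pattern described above)."""
    image = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    if event.get("Signed", "false").lower() == "true":
        return False                      # legitimately signed library
    if dll.startswith(SYSTEM_DIRS):
        return False                      # loaded from the system directory
    same_folder = ntpath.dirname(image) == ntpath.dirname(dll)
    return same_folder and ntpath.basename(dll) in SYSTEM_DLL_NAMES


def find_sideload_candidates(events):
    """Return (process, dll) pairs worth an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\inetpub\tools\tool.exe",
     "ImageLoaded": r"C:\inetpub\tools\version.dll", "Signed": "false"},
    {"Image": r"C:\inetpub\tools\tool.exe",
     "ImageLoaded": r"C:\inetpub\tools\plugin.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

Only the second record is flagged: the unsigned plugin.dll in the same folder is left alone because it does not impersonate a system library, which keeps ordinary application plugins out of the alert stream.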
The intruders then moved laterally, compromising a number of additional servers within five hours. Information was gathered from the compromised servers' logs: user IDs, locked accounts and characteristics of the local network.
While this was in progress, another independent intruder used the Confluence vulnerability to install cryptominer malware.
Discovery and exfiltration of important data followed. An executable was then dropped on the domain controller, in two variations, containing the following files:
- autoupdate.exe (ransomware, detected as Troj/Ransom-GKL);
- autologin.exe, a Kernel Driver Utility hacktool;
- autologin.sys, a driver targeting Sophos services, including the File Scan Service; and
- drv64.dll, a Kernel Driver Utility hacktool, previously reported as part of a LockFile ransomware attack using the PetitPotam exploit.
The autologin.exe file was used to map the autologin.sys driver into the kernel, and once loaded it could bypass the protections that prevent endpoint services from being stopped.
The ransomware itself was then launched, and when Intercept X’s CryptoGuard detected it, the second executable variation was used to disable all protection.
Gallagher and Singh said that although the initial vulnerability that gave the attackers access had been public for only three weeks, patching was still a race for companies, made even more difficult at the time by the effects of COVID lockdowns.
“Ransomware operators and other malware developers are becoming very adept at taking advantage of these loopholes, jumping on published proof of concept exploits for newly revealed vulnerabilities and quickly arming them to take advantage of them – as demonstrated by the evidence of two separate threat actors finding and exploiting the vulnerable Confluence server involved in this incident,” they said.
“If the ransomware attack had not been discovered, the cryptocurrency miner on the server might not have been discovered.”
Bill Kearny, Kajal Katiyar, Chaitanya Ghorpade, and Rahil Shah also played roles in the research.
Screenshots: Courtesy of Sophos