Researchers from global security firm Sophos have detailed how a relatively new Windows ransomware group known as Atom Silo carried out an attack over two days, initially using a flaw in Atlassian’s Confluence collaboration software.
Senior threat researcher Sean Gallagher and his colleague Vikas Singh said a second backdoor was used in the attack, though they did not specify which software was the entry point, only saying three files were used, one being “a legitimate, signed executable from a third-party software provider that is vulnerable to an unsigned DLL sideload attack”.
The DLL spoofed a library needed by the application’s executable and was placed in the same folder on the targeted server as the vulnerable executable.
“This attack technique, known as DLL search order hijacking (ATT&CK T1574.001), is a well-worn technique recently observed in LockFile ransomware attacks leveraging the ProxyShell vulnerability,” Gallagher and Singh wrote in their detailed blog post.
The DLL was used to decrypt and load the second backdoor from the third file, mfc.ini, which then connected to one of a number of hardcoded hostnames.
After this loaded, Windows shell commands could be executed remotely through the Windows Management Interface.
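The sideload pattern described above (a signed executable loading an unsigned DLL from its own folder) can be hunted in module-load telemetry. The following is an added example, not code from Sophos or from this article; it assumes records shaped like Sysmon Event ID 7 (ImageLoad) with the Image, ImageLoaded and Signed fields, and every path and file name in it is a constructed placeholder.

```python
from ntpath import dirname, normcase  # Windows path rules on any OS

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields.
# All paths and names are hypothetical placeholders, not values from the report.
APP = r"C:\ProgramData\Vendor\app.exe"
TOOL = r"C:\Temp\tool.exe"
SAMPLE_EVENTS = [
    # Process A: signed host executable with an unsigned DLL beside it.
    {"ProcessGuid": "A", "Image": APP, "ImageLoaded": APP, "Signed": "true"},
    {"ProcessGuid": "A", "Image": APP,
     "ImageLoaded": r"c:\programdata\vendor\helper.dll", "Signed": "false"},
    {"ProcessGuid": "A", "Image": APP,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Process B: unsigned executable, outside the scope of this rule.
    {"ProcessGuid": "B", "Image": TOOL, "ImageLoaded": TOOL, "Signed": "false"},
    {"ProcessGuid": "B", "Image": TOOL,
     "ImageLoaded": r"C:\Temp\plugin.dll", "Signed": "false"},
]


def _same(a, b):
    """Compare two Windows paths case-insensitively."""
    return normcase(a) == normcase(b)


def find_sideload_candidates(events):
    """Return (host, dll) pairs: signed host, unsigned DLL from the host's folder."""
    # Pass 1: a process's own image-load record carries the executable's
    # signature state, so collect processes whose main image is signed.
    signed_hosts = {e["ProcessGuid"] for e in events
                    if _same(e["Image"], e["ImageLoaded"]) and e["Signed"] == "true"}
    hits = []
    # Pass 2: flag unsigned modules loaded from the signed host's own directory.
    for e in events:
        if e["ProcessGuid"] not in signed_hosts or _same(e["Image"], e["ImageLoaded"]):
            continue
        if _same(dirname(e["Image"]), dirname(e["ImageLoaded"])) and e["Signed"] != "true":
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"review: {host} loaded unsigned {dll}")
```

Legitimate products also ship unsigned DLLs next to signed executables, so hits are triage candidates; weight them by how unusual the folder is and by whether the same host process then makes outbound connections.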
Lateral movement was then undertaken by the intruders and a number of additional servers were compromised in the next five hours. Information was gathered from the logs of the compromised servers: user credentials, accounts that were locked out and characteristics of the local network.
While this was in progress, another unrelated intruder used the Confluence vulnerability to install cryptominer malware.
Discovery and exfiltration of important data were then undertaken. An executable was dropped on the domain controller, with two variants used. These contained the following files:
- autoupdate.exe (the ransomware, detected as Troj/Ransom-GKL);
- autologin.exe, a Kernel Driver Utility hacktool;
- autologin.sys, a driver targeting Sophos services, including the file scanning service; and
- drv64.dll, a Kernel Driver Utility hacktool database, previously reported as part of a LockFile ransomware attack using the PetitPotam exploit.
The autologin.exe utility was used to map the autologin.sys driver to the kernel and, once the driver was loaded, protections against shutting down endpoint services could be bypassed.
The ransomware itself was then launched, and when it was detected by Intercept X’s CryptoGuard, the second attack executable was used to disable any protection.
Gallagher and Singh said that although the initial vulnerability that gave the attackers access had been public for only three weeks, patching was always a race for companies, and at this time it was even more difficult due to the effects of the COVID lockdown.
“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponising them rapidly to profit off them — as demonstrated by the evidence of two separate threat actors finding and exploiting the vulnerable Confluence server involved in this incident,” they said.
“If the ransomware attack had not been discovered, the cryptocurrency miner on the server may have gone undiscovered.”
Bill Kearny, Kajal Katiyar, Chaitanya Ghorpade and Rahil Shah were also credited with having played a role in the research.
Screenshots: courtesy Sophos