Sophos has published new research, “Atom Silo Ransomware Actors Use Confluence Exploit, DLL Side-Load for Stealthy Attack,” describing novel techniques and tools used by Atom Silo, a newly emerged ransomware group. The report recaps a sophisticated attack that took place over two days and leveraged a recently revealed vulnerability in Atlassian’s Confluence collaboration software.
(Sophos researchers also found that, concurrently with the ransomware attack, the Confluence vulnerability was exploited by a crypto-miner.)
The ransomware that the Atom Silo group used is virtually identical to LockFile, but their intrusion stage involved several novel techniques and complex manoeuvres to evade detection and complete the attack.
- For instance, once they had gained initial access via a backdoor into the Confluence server, the attackers were able to drop and install a second, stealthy backdoor. This backdoor used an executable from a legitimate third-party software product that was vulnerable to DLL “side-load” attacks, to execute the backdoor code.
- The ransomware payload included a malicious kernel driver designed to disrupt endpoint protection software.
- The backdoor connected to a remote command-and-control server over TCP/IP port 80 and allowed for remote execution of Windows shell commands through Windows Management Instrumentation (WMI).
The attackers then moved laterally through the network and compromised additional servers, installing additional backdoors through the WMI interface, using a compromised administrative account. For the most part, the attackers avoided installing these backdoors as services. Sophos researchers believe the attackers did this to avoid detection by security controls.
The attackers also used remote desktop services (RDP) to find, copy (using RClone) and exfiltrate data to Dropbox. The ransomware executable was released after exfiltration, at the same time as the release of another file designed to disrupt endpoint protection.
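For defenders, two of the behaviours described above (shell commands run through WMI, and RClone used to copy data out) leave traces in process-creation telemetry. The following is an added detection sketch, not code from the Sophos report; the event field names and sample records are constructed, and matching RClone by the file name `rclone.exe` is an assumption that a renamed binary would not satisfy.

```python
import json
import ntpath

# Constructed sample events: simplified process-creation records, one JSON
# object per line. Field names are assumptions, not a specific product schema.
SAMPLE_EVENTS = r"""
{"host": "SRV01", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "SRV01", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"}
{"host": "WS07", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"host": "SRV02", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares remote:backup"}
{"host": "SRV02", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\rclone.exe", "cmdline": "rclone.exe version"}
{"host": "SRV03", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile -Command Get-Process"}
"""

SHELLS = {"cmd.exe", "powershell.exe"}
WMI_HOST = "wmiprvse.exe"                 # parent of processes created via WMI
RCLONE_VERBS = {"copy", "sync", "move"}   # rclone subcommands that transfer data

def basename(path):
    # ntpath splits on backslashes regardless of the OS running this script.
    return ntpath.basename(path).lower()

def classify(event):
    """Return the list of findings raised by one process-creation event."""
    findings = []
    image = basename(event["image"])
    if basename(event["parent"]) == WMI_HOST and image in SHELLS:
        findings.append("wmi-spawned-shell")
    tokens = event["cmdline"].lower().split()
    # The remote name is chosen by the operator, so match the transfer verb
    # rather than the destination.
    if image == "rclone.exe" and RCLONE_VERBS & set(tokens[1:]):
        findings.append("rclone-transfer")
    return findings

def scan(text):
    """Parse JSON-lines events and return (host, finding, cmdline) tuples."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits.extend((event["host"], f, event["cmdline"]) for f in classify(event))
    return hits

if __name__ == "__main__":
    for host, finding, cmdline in scan(SAMPLE_EVENTS):
        print(f"{host}\t{finding}\t{cmdline}")
```

Legitimate management tooling also launches shells through WMI, so hits of the first kind are best triaged against the account and source host involved.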
Sean Gallagher, senior threat researcher at Sophos, said:
“The incident investigated by Sophos shows how quickly the ransomware landscape can evolve. This ultra-stealthy adversary was unknown a few weeks ago. While similar to another recently discovered ransomware group, LockFile, Atom Silo has emerged with its own bag of novel and sophisticated tactics, techniques and procedures that were full of twists and turns and challenging to spot – probably intentionally so.
“In addition, Atom Silo made significant efforts to evade detection prior to launching the ransomware, which included well-worn techniques used in new ways. Other than the backdoors themselves, the attackers used only native Windows tools and resources to move within the network until they deployed the ransomware.
“This incident is also a good reminder of how dangerous publicly disclosed security vulnerabilities in internet-facing software are when left unpatched, even for a relatively short time. In this case, the vulnerability opened the door to two simultaneous, but unrelated attacks from ransomware and a crypto-miner.”